Malware Steals ATM Data
One of the risks of using a commercial OS for embedded systems like ATMs: it's easier to write malware against it:
The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The machine is compromised by replacing the isadmin.exe file to infect the system.
The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:\WINDOWS directory.
Once the malicious lsass.exe program is installed, it collects users account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.
After the ATM is put under control of a human attacker, they can perform various functions, including harvesting the purloined data or even ejecting the cash box.
EDITED TO ADD (6/14): Seems like the story I quoted was jumping to conclusions. The actual report says "the malware is installed and activated through a dropper file (a file that an attacker can use to deploy tools onto a compromised system) by the name of isadmin.exe," which doesn't really sound like it's referring to a buffer overflow attack carried out through a card emulator. Also, The Register says "[the] malicious programs can be installed only by people with physical access to the machines, making some level of insider cooperation necessary."
Posted on June 10, 2009 at 1:51 PM • 49 Comments