Windows XP ATMs under malware attack

Chicago (IL) – The cash machine network may be open to a serious hacking attack, banks have been warned. Approximately 20 ATMs have been compromised, mostly in Eastern Europe. Security outfit TrustWave warns that the attack is merely a test and is very likely to spread to the US and other regions of the world.

Says the report: “Trustwave’s SpiderLabs performed the analysis of malware found installed on compromised ATMs in the Eastern European region. This malware captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on a compromised ATM. The compromised ATMs ran Microsoft’s Windows XP operating system.”

The malware contains advanced management functionality allowing the attacker to gain full control of the compromised ATM through a customized user interface built into the malware. This is accessible by inserting controller cards into the ATM’s card reader.

Analysts do not believe the malware includes networking functionality that would allow it to send harvested data to remote locations via the Internet, but it does allow harvested card data to be output via the ATM’s receipt printer or written to an electronic storage device inserted into the ATM’s card reader. Analysts also discovered code enabling the malware to eject the cash dispensing cassette.

“This malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, PINs and cash from each infected machine,” said TrustWave.

“We believe the current attack vector is an early version of the malware sample, and future attacks will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems.”

The malware is installed and activated through a dropper file called isadmin.exe. It is a Borland Delphi Rapid Application Development (RAD) executable.

Executing the dropper file produces the malware file lsass.exe within the C:\WINDOWS directory of the compromised system, using functionality provided by a Windows API. Once the malware is extracted, the dropper proceeds to manipulate the Protected Storage service, which normally handles the legitimate lsass.exe executable located in the C:\WINDOWS\system32 directory, so that it points at the newly created malware.

The service is also configured to automatically restart in the event that it crashes, ensuring that the malware remains active.
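The persistence trick described above leaves a visible trace: a service whose binary path names lsass.exe from somewhere other than %SystemRoot%\system32. The following check, an added example written for this article and not TrustWave's own tooling, runs that comparison over a constructed set of service ImagePath values; the service names and paths are assumed for illustration (ProtectedStorage is the Windows XP service name for Protected Storage).

```python
import ntpath
import re

# Constructed sample of service ImagePath values, as they would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath on a Windows XP host.
# The ProtectedStorage entry mirrors the article: the service has been repointed
# at an lsass.exe dropped in C:\WINDOWS rather than the one in system32.
SAMPLE_SERVICES = {
    "Eventlog": r"%SystemRoot%\system32\services.exe",
    "ProtectedStorage": r"C:\WINDOWS\lsass.exe",
    "SamSs": r"%SystemRoot%\system32\lsass.exe",
    "PolicyAgent": r"%SystemRoot%\system32\lsass.exe",
}

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed install root of the XP system
LEGIT_LSASS = ntpath.join(SYSTEM_ROOT, "system32", "lsass.exe").lower()


def normalize(image_path: str) -> str:
    """Expand %SystemRoot%, strip surrounding quotes, normalise separators and case."""
    path = image_path.strip()
    if path.startswith('"'):
        # Quoted executable path; anything after the closing quote is arguments.
        path = path[1:].split('"', 1)[0]
    path = re.sub(r"%systemroot%", lambda m: SYSTEM_ROOT, path, flags=re.IGNORECASE)
    return ntpath.normpath(path).lower()


def find_rogue_lsass(services: dict) -> list:
    """Return (service, path) pairs whose binary is an lsass.exe outside system32."""
    findings = []
    for name, image_path in services.items():
        path = normalize(image_path)
        if ntpath.basename(path) == "lsass.exe" and path != LEGIT_LSASS:
            findings.append((name, path))
    return findings


def protected_storage_is_legit(services: dict) -> bool:
    """True only if ProtectedStorage still points at the genuine system32\\lsass.exe."""
    image_path = services.get("ProtectedStorage")
    return image_path is not None and normalize(image_path) == LEGIT_LSASS


if __name__ == "__main__":
    for name, path in find_rogue_lsass(SAMPLE_SERVICES):
        print(f"suspicious service {name}: {path}")
    print("ProtectedStorage intact:", protected_storage_is_legit(SAMPLE_SERVICES))
```

On a live system the same ImagePath values can be collected with `sc qc <service>` or by exporting the Services registry key, and `sc qfailure ProtectedStorage` shows whether restart-on-crash actions have been set on the service.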