The Next Frontier for Malware – ATMs!
According to a recent news story, Trustwave has announced that they have identified new malware running on ATMs in Eastern Europe. All of the infected ATMs are running the Windows XP operating system. Although this version of the malware does not appear to be self-propagating, it is believed that this could easily be an added feature in the next version, which would allow the malware to spread across the ATM network.
It appears that the systems were originally infected through some kind of insider (an employee at the bank, the ATM vendor, or a company that services the machines). The original infection seems to start with a dropper file (isadmin.exe, a Borland Delphi Rapid Application Development executable), which, once executed, writes the malware file lsass.exe into the C:\WINDOWS directory of the compromised system. The malware then manipulates the Protected Storage Service so that it points to the malware instead of the legitimate lsass service. The malware is also configured to restart automatically after a system crash to ensure it remains active.
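The persistence trick described above leaves a visible trace: a service whose binary path names lsass.exe but points outside %SystemRoot%\system32. The following script is an added example (not code from the post or from Trustwave's analysis) that parses the output of the Windows `sc qc` command and flags exactly that mismatch. The service records embedded in it are constructed sample data, and the ProtectedStorage/SamSs paths are assumed to match a default XP install.

```python
"""Flag services whose binary path points at a copy of lsass.exe that lives
outside System32 (the hijack described in the post).

Added example; SAMPLE_SC_QC is constructed data, not captured from an ATM."""
import ntpath
import re

# Constructed sample of `sc qc <service>` output for three XP services.
# ProtectedStorage has been redirected to a dropped C:\WINDOWS\lsass.exe.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ProtectedStorage
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\lsass.exe
        DISPLAY_NAME       : Protected Storage
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SamSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : %SystemRoot%\system32\lsass.exe
        DISPLAY_NAME       : Security Accounts Manager
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : DHCP Client
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed install location for this example


def parse_sc_qc(text):
    """Parse concatenated `sc qc` output into {service_name: {field: value}}."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
            services[current] = {}
        elif current is not None and ":" in line and not line.startswith("["):
            # Split on the first colon only, so drive letters in values survive.
            key, value = line.split(":", 1)
            services[current][key.strip()] = value.strip()
    return services


def executable_from_path(binary_path, system_root=SYSTEM_ROOT):
    """Return just the executable from BINARY_PATH_NAME: strip surrounding
    quotes, drop arguments such as `-k netsvcs`, expand %SystemRoot%."""
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        exe = p[1:end] if end > 0 else p[1:]
    else:
        m = re.match(r"(.*?\.exe)(?:\s|$)", p, re.IGNORECASE)
        exe = m.group(1) if m else p.split(" ", 1)[0]
    return re.sub(r"%systemroot%", lambda _: system_root, exe, flags=re.IGNORECASE)


def find_suspicious_lsass(services, system_root=SYSTEM_ROOT):
    """Return (service, executable, reason) for every service that loads an
    lsass.exe from anywhere other than %SystemRoot%\\system32."""
    expected = ntpath.normpath(ntpath.join(system_root, "system32")).lower()
    findings = []
    for name, fields in services.items():
        exe = executable_from_path(fields.get("BINARY_PATH_NAME", ""), system_root)
        directory, basename = ntpath.split(exe)
        if basename.lower() != "lsass.exe":
            continue
        if ntpath.normpath(directory).lower() != expected:
            findings.append((name, exe, "lsass.exe loaded from outside System32"))
    return findings


if __name__ == "__main__":
    for svc, exe, why in find_suspicious_lsass(parse_sc_qc(SAMPLE_SC_QC)):
        print(f"{svc}: {exe} ({why})")
```

On a live XP host you would feed it the concatenated output of `sc qc` for each service name listed by `sc query`, and pair a hit with a look at the service's failure actions (`sc qfailure`), since the post notes the malware also relies on automatic restart to stay resident.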
Given that the ATMs were WinXP systems, I am not at all surprised that they were attacked by malware; it is not the first successful attack on an ATM and certainly won’t be the last. What I find surprising, though, is the level of sophistication the malware already has built into it for compromising the ATM itself. The reports indicate that the malware is able to output the “harvested card data via the ATM’s receipt printer or by writing the data to an electronic storage device inserted into the ATM’s card reader. Analysts also discovered code enabling the malware to eject the cash dispensing cassette.” If that’s not surprising enough, the malware also has a built-in management interface that can be triggered by inserting a controller card into the card reader. Once triggered, the interface allows complete control of the device from the ATM’s keypad, with 10 built-in command options.
A standard ATM can hold up to $600,000 in cash at a time, and that alone would be reason enough to make them a prime target for this kind of exploitation. However, given the level of sophistication this malware has already developed, I would speculate that the prime motivation is the magnetic stripe data and PIN, which is also being captured.
Although it appears only about 20 devices in total have been infected to date, I would agree with the initial reports that this is only the beginning, and it won’t be long before we start to see similar incidents here in the US.
More information can be found at CNET, Network World, and TG Daily.