Old 26th March 2009, 22:50   #1
BANNED
 
Join Date: Jun 2007
Location: Bengalooru
Posts: 1,480
Thanked: 17 Times
ATM Virus

Guys, BEWARE - software labs warn of an ATM virus that steals money from banks, and Russian ATMs were attacked

"leading computer security labs have warned of a new software virus which infects Automatic Teller Machines (ATM) to steal money from bank accounts of their users."

Diebold ATMs suffer from Troj/Skimer-A, a malware affecting Windows-based Diebold cash machines and capable of intercepting credit card details and their associated PINs.

The malware is exclusively coded to target Russian, Ukrainian and American currency transactions, with isolated incidents confirmed by Diebold in January, 2009. The ATM-based malware requires insider access to the machine, compared to the mainstream external attack in the form of using an ATM skimming device.

The main executable is a dropper with the drop object stored in one of the PE resources, as is often the case with Trojan droppers. The code stops and modifies the Protected Storage service to launch the dropped file lsass.exe from the Windows folder, not the original one in the Windows System folder, and attempts to replace some files belonging to the software used by ATMs.

The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code into the ATM’s processes, parse transactions in Ukrainian, Russian and US currencies and use the printer, probably for printing the stolen data. This also indicates that attackers require physical access to cash machines to install the Trojan. Overall, the malware seems to be the work of a programmer with a good knowledge of the internals of Diebold ATMs.

Diebold confirmed that hackers from Russia had attempted to plant the malicious software on ATMs in an audacious attempt to steal money. What isn't publicly known yet is how the hackers - who have been apprehended according to Diebold - managed to gain physical access to a number of ATMs in Russia. However, such attacks on the ATMs of another leading manufacturer, "Wincor Nixdorf", haven’t been recorded.

But sadly enough, there should be no surprise that some hackers might now be targeting the ATMs directly, rather than just the bank customers using the internet to manage their online finances.
diabloo is offline  
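The post above says the Trojan repoints the Protected Storage service at a copy of lsass.exe in the Windows folder instead of the System folder. As an added example (not part of the original post, and not Diebold's or any vendor's tooling), this sketch audits exported service ImagePath values for that condition; the `C:\WINDOWS` root, the function names and the sample inventory are assumptions constructed for illustration.

```python
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default Windows directory on the audited host
TRUSTED_DIR = ntpath.normcase(ntpath.join(SYSTEM_ROOT, "system32"))
# Binaries that should only be launched from System32; lsass.exe is the one named in the post.
GUARDED_NAMES = {"lsass.exe"}


def resolve_image_path(raw):
    """Reduce a service ImagePath value to a normalized, lower-cased executable path."""
    value = raw.strip()
    if value.startswith('"'):
        value = value[1:].split('"', 1)[0]  # quoted path: drop quotes and arguments
    else:
        match = re.match(r"(.*?\.exe)(\s|$)", value, re.IGNORECASE)
        if match:
            value = match.group(1)  # unquoted path: cut trailing arguments
    # Expand the environment variables commonly used in ImagePath values.
    value = re.sub(r"%systemroot%|%windir%", lambda _: SYSTEM_ROOT,
                   value, flags=re.IGNORECASE)
    if not ntpath.splitdrive(value)[0]:
        value = ntpath.join(SYSTEM_ROOT, value)  # relative paths resolve under the root
    return ntpath.normcase(ntpath.normpath(value))


def find_relocated_system_binaries(services):
    """Return (service, path) pairs where a guarded binary runs outside System32."""
    findings = []
    for name, image_path in services:
        path = resolve_image_path(image_path)
        directory, exe = ntpath.split(path)
        if exe in GUARDED_NAMES and directory != TRUSTED_DIR:
            findings.append((name, path))
    return findings


# Constructed sample inventory (service name, ImagePath), not taken from a real machine.
SAMPLE_SERVICES = [
    ("ProtectedStorage", r"C:\WINDOWS\lsass.exe"),
    ("SamSs", r"%SystemRoot%\system32\lsass.exe"),
    ("Spooler", r"%SystemRoot%\system32\spoolsv.exe"),
    ("PolicyAgent", r'"C:\WINDOWS\System32\lsass.exe"'),
]

if __name__ == "__main__":
    for service, path in find_relocated_system_binaries(SAMPLE_SERVICES):
        print(f"ALERT: service {service} launches {path} (expected under {TRUSTED_DIR})")
```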
Copyright ©2000 - 2024, Team-BHP.com