New malware allows attacker to gain complete control over ATMs to obtain data, PINs and cash from each infected machine
(09/07/2009)
Trustwave's SpiderLabs has investigated a number of Automated Teller Machine (ATM) breaches over the past few months.
In all of these cases, their investigators found the same malware residing on the breached machines. The malware is unlike any they had previously encountered: it allows the attacker to gain complete control over the ATM and obtain track data, PINs and cash from each infected machine.
This is currently an insider threat: the attacker needs physical access to the machine to execute the malware. We believe the current sample is an early version of the malware, and that future versions will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems.
The compromised ATMs have so far been located primarily in Eastern Europe, and there are early indications that the malware may be making its way to the U.S. and other regions of the world. If this malware evolves like other malware has (see, for example, the Trustwave security alert for the lodging industry), there is concern that this attack will be a catalyst for proliferation and propagation.
Method of Infection of the ATM
The malware is installed and activated through a dropper file (a file that an attacker can use to deploy tools onto a compromised system) by the name of isadmin.exe. It is a Borland Delphi Rapid Application Development (RAD) executable and is essentially a replacement for the original isadmin.exe utility written by Bill Stewart. The dropper binary contains a Data Resource (RCDATA) named PACKAGEINFO which in turn contains the actual malware. Executing the dropper file produces the malware file lsass.exe within the C:\WINDOWS directory of the compromised system and does so via functionality provided by a Windows API (Application Programming Interface).
Once the malware is extracted, the dropper manipulates the 'Protected Storage' service, which normally runs the legitimate lsass.exe executable located in the C:\WINDOWS\system32 directory, so that it points to the newly created malware instead. The service is also configured to restart automatically if it crashes, ensuring that the malware remains active.
Targeting Track Data
The malware itself is also a Borland Delphi Graphic User Interface (GUI)-compiled executable, launched as a Microsoft Windows service. It contains the ability to enumerate the available printing devices. Once active, the malware intercepts ATM transactions by injecting code into targeted processes through the binary modification of these processes in memory. The first process targeted by the malware appears to be a system-messaging utility, while the other is a form of ATM software service.
Once resident in memory, the malware polls the transaction message queue looking for track 2 data from the current transaction. It then validates and manipulates that track data to determine whether the card is the attacker's trigger (controller) card or a genuine customer card, in which case the malware records the track data to a file. The trigger cards (either a master function card or a single function card) allow an attacker to interact with and control both the malware and the ATM.
When the parsing routine fails to identify a trigger card, the malware stores the transaction information in a temporary file named tr12 in the C:\WINDOWS directory. The malware harvests transactions as well as balance enquiries, provided the currency indicated is the American Dollar (USD), Russian Rouble (RUR) or Ukrainian Hryvnia (UAH). Additionally, the malware harvests what is believed to be key or PIN data, saving it in the file C:\WINDOWS\kl.
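The infection and harvesting sections above name several host-level indicators a defender can check for: an lsass.exe outside C:\WINDOWS\system32, a Protected Storage service whose binary path no longer points at the legitimate lsass.exe, a restart-on-failure setting on that service, and the harvest files C:\WINDOWS\tr12 and C:\WINDOWS\kl. The following audit routine is an added example, not code from the article or from Trustwave. It parses the text output of the standard Windows commands `sc qc ProtectedStorage` and `sc qfailure ProtectedStorage` together with a list of files present on the host; the sample outputs embedded below are constructed to mimic those commands and are labelled as such, so the check runs offline on any platform.

```python
import re

# Paths named in the article. The legitimate binary lives in system32; the
# dropper writes its copy one level up, and the malware writes tr12 and kl
# next to it.
SYSTEM_ROOT = r"C:\WINDOWS"
LEGIT_LSASS = SYSTEM_ROOT + r"\system32\lsass.exe"
ROGUE_LSASS = SYSTEM_ROOT + r"\lsass.exe"
HARVEST_FILES = [
    (SYSTEM_ROOT + r"\tr12", "track data cache"),
    (SYSTEM_ROOT + r"\kl", "suspected key/PIN log"),
]

# Constructed samples shaped like `sc qc` / `sc qfailure` output (not real
# captures) for an infected and a clean host.
INFECTED_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ProtectedStorage
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\WINDOWS\\lsass.exe
        DISPLAY_NAME       : Protected Storage
"""
INFECTED_QFAILURE = """[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: ProtectedStorage
        RESET_PERIOD (in seconds)    : 0
        FAILURE_ACTIONS              : RESTART -- Delay = 1000 milliseconds.
"""
INFECTED_FILES = [ROGUE_LSASS, LEGIT_LSASS, SYSTEM_ROOT + r"\tr12", SYSTEM_ROOT + r"\kl"]

CLEAN_QC = INFECTED_QC.replace(r"C:\WINDOWS\lsass.exe", LEGIT_LSASS)
CLEAN_QFAILURE = INFECTED_QFAILURE.replace("RESTART -- Delay = 1000 milliseconds.", "")
CLEAN_FILES = [LEGIT_LSASS]


def parse_sc_output(text):
    """Turn the 'KEY : VALUE' lines of sc.exe output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+(?: \(in seconds\))?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def image_path_of(binary_path_name):
    """Strip arguments (and surrounding quotes) from a service command line."""
    value = binary_path_name.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def norm(path):
    """NTFS path comparison is case-insensitive."""
    return path.strip().lower()


def audit_host(sc_qc_text, sc_qfailure_text, present_files):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    image = image_path_of(parse_sc_output(sc_qc_text).get("BINARY_PATH_NAME", ""))
    if image and norm(image) != norm(LEGIT_LSASS):
        findings.append(f"ProtectedStorage binary path is {image}, expected {LEGIT_LSASS}")

    actions = parse_sc_output(sc_qfailure_text).get("FAILURE_ACTIONS", "")
    if "RESTART" in actions.upper():
        findings.append("ProtectedStorage is configured to restart on failure")

    present = {norm(p) for p in present_files}
    if norm(ROGUE_LSASS) in present:
        findings.append(f"lsass.exe present outside system32: {ROGUE_LSASS}")
    for path, description in HARVEST_FILES:
        if norm(path) in present:
            findings.append(f"{description} found: {path}")
    return findings


if __name__ == "__main__":
    for label, args in (("infected", (INFECTED_QC, INFECTED_QFAILURE, INFECTED_FILES)),
                        ("clean", (CLEAN_QC, CLEAN_QFAILURE, CLEAN_FILES))):
        print(label, audit_host(*args))
```

On a real host the two text inputs would come from running the `sc` commands and the file list from a directory listing of the Windows directory; the check deliberately compares paths rather than hashes, because the article notes multiple versions of the malware exist, so a fixed file hash would miss variants while the path and service manipulations described above are what the infection mechanism depends on.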
Primary Command Options and Functionality
When a trigger card is detected, a small window appears giving the user 10 seconds to select one of 10 command options using the ATM’s keypad.
Secondary Command Menu Options
Command option 7 presents the user with a challenge window and allows 30 seconds to enter the corresponding valid response using the ATM's keypad. There is evidence that, when the 'dispense cassette' options are selected, the malware calls an ATM API function that is probably related to cassette dispensing.
Given the impact this malware can have on an infected ATM environment, Trustwave highly recommends that all financial institutions with ATMs under management analyse their environment to identify whether this or similar malware is present. Trustwave has collected multiple versions of this malware and therefore expects it to evolve over time. It will also begin to propagate to a more widespread population of ATMs, so a proactive approach to prevention and identification will be necessary to prevent future attacks.