Updated Skimer Malware Infects ATMs Worldwide

An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATM machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Thermida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the phsyical use of a "magic card," which gives access control to the malware, and then offers a list of options that are accessed by inputing a choice on the pin pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self delete, enable debug mode, and update. Here's a video of the Skimer malware in action.

Re:wait a sec

[toonces33]

Most ATMs still run an embedded version of XP. This isn't the same as the XP that we all used to use, but a special version for embedded systems, but Microsoft has dropped support for it as well, and support ended this year on Jan 12th.

Re:Department of redundancies department

[Mousit]

But it does go perfectly well with the Personal Identification Number number that follows in the very next sentence. :)

Re:Why is ATM malware possible?

[khz6955]

Actually, once upon a time an ATM couldn't be programmed without the presence of a sealed hardware unit that couldn't be activated without entering two unique pass-codes entered by two bank officials, the codes being provided by a portable handheld device. Later on the banks 'upgraded' to Windows.

Re:ATMs running Windows.

[AmiMoJo]

I do security for embedded systems, and you both misunderstand the problem,

An ATM is supposed to have physical security. It's full of money. If it isn't physically secure, you can just take the money out.

So it's reasonable to use an OS and not bother to update it (I guarantee, even if it was Linux it wouldn't get updates, because updates can break stuff and the manufacturer doesn't want the customer screaming at them to send an engineer to their Hawaii branch right away because their customers are screaming at them) Even if you do update it, there are always zero days, some flaws might be in things like firmware that can't or won't be updated anyway, someone will just rip the circuit board out and replace it with their own etc. So forget that, your main defence is physical security.

Same as on the outside actually. If you don't physically secure the customer facing part of the ATM, someone will install a skimmer and camera to capture PIN numbers.

It's nice to have a USB port for non-OS updates, because sometimes your customer will want to change the adverts being displayed or add a new feature. Like the money box, it needs to be physically protected. The mistake these guys made was to not protect the port properly. There was a lock, but staff often left it open because they didn't see the security risk, or they were the ones installing the malware.

Banks just accept this, because even with fraud it's cheaper than employing human tellers.

Re: ATMs running Windows.

[Aruta]

To compromise the ATM, you'd have to open it up and replace hardware. If you can do that, it's easier to just take the money.

And this, essentially, is the answer to the article, end of story. I'd upvote if I had the points. However, this being /., the discussion below continues in the vein of "my OS is better than yours"