Slashdot Mirror

← Back to Stories (view on slashdot.org)

Updated Skimer Malware Infects ATMs Worldwide (thestack.com)

Posted by BeauHD on from the back-at-it-again dept.

An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATM machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Thermida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the phsyical use of a "magic card," which gives access control to the malware, and then offers a list of options that are accessed by inputing a choice on the pin pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self delete, enable debug mode, and update. Here's a video of the Skimer malware in action.

2 of 121 comments (clear)

  1. Why is ATM malware possible? by h4ck7h3p14n37 · · Score: 3, Interesting

    How does this malware get installed on a target machine? Is it installed by a technician on-site, or is it delivered over the bank's network?

    Wouldn't cryptographically signed software distributed by hand on read-only media put a stop to this? And why would you run some version of Windows instead of using a stripped-down purpose-built operating system? Is it simply a matter of cost trumping security?

  2. Re: ATMs running Windows. by Anonymous Coward · · Score: 3, Interesting

    TiVo did solve this problem on Linux: custom kernel requires apps to be digitally signed. Custom chip on the mobo requires the kernel to be signed. If you want to hack a modern TiVo (series 3 or newer), you need to replace a custom chip soldered to the mobo.

    This is why there's an anti-TiVo clause in the GPLv3.

    If ATMs followed this model, it would prevent software hacks like this one. To compromise the ATM, you'd have to open it up and replace hardware. If you can do that, it's easier to just take the money.