Updated Skimer Malware Infects ATMs Worldwide

An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATM machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Thermida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the phsyical use of a "magic card," which gives access control to the malware, and then offers a list of options that are accessed by inputing a choice on the pin pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self delete, enable debug mode, and update. Here's a video of the Skimer malware in action.

Missing an M?

[BigU+03C0mpin]

What's a Skimer?

Re:Missing an M?

Nope, that's correct. It's a new technique based on a Russian word that means "gullible".

Re:Missing an M?

[BigU+03C0mpin]

Got it, the all knowing Google apparently isn't so hip to this.

Re:Missing an M?

[swd99999999]

A person who takes all their cloths off and jumps in a pile of money.

Re:Missing an M?

What's a Skimer?

Using the magical oracle known as "Google", we find the answer to that question is...
ATM malware
ATM malware
ATM malware
ATM malware
ATM malware
ATM malware
(you probably get the idea by now: "Skimer" is ATM malware)

Re: Missing an M?

[fizzup]

You probably didn't get the idea that it's spelled "skimmer" (two M's). You might also try reading your own subject line.

I am afraid it is you who is incorrect. A skimmer is a device, usually electromechanical, that you install in or on a legitimate card reader to illicitly read card numbers. This malware is a new version of "Backdoor.Win32.Skimer" (really, actually spelled with one "m"). While the malware can skim card numbers, it can do much more - including collecting PINs and telling the ATM to dispense cash. Given the capabilities of the malware, it's better to refer to it by it's proper name or as malware. If you read the summary, you will see that the author has done exactly that.

But don't get me started on ATM machine.

Re:Missing an M?

[jsepeta]

so not schemer

Re:Missing an M?

[cellocgw]

Got it, the all knowing Google apparently isn't so hip to this.

Most Wonderful He-Got-Whooshed message of the decade!

Re:Missing an M?

[doccus]

Indeed. I sooo hate "Replies returned for (Google corrected version)" "Choose the actual spelling you entered instead"
Great.. so if the great Mr G doesn't like my spelling I have to take three steps instead for every word or phrase...
Re: "Didn't you mean...?" Er, no, Mr Google sir.. if I had meant that I would have said so. And how long before they disable unapproved words or spellings altogether?
YaVol! Za! All bow down before ze mighty Alphabet.. Ya!

ATMs running Windows.

[EmagGeek]

This is just begging for it.

Re:ATMs running Windows.

[Jeremi]

And if [the ATMs] were running Linux, [the hackers] would exploit Linux

That's very true -- the real question is, why should an ATM (or any other security-critical dedicated device) be capable of running any off-the-shelf software at all?

If I was in charge of designing ATMs, I'd ask for an OS that only runs programs that are encrypted and signed with my company's super-secret private key. That way even if someone somehow got their malware loaded onto the box, the OS would be literally incapable of executing the malware's code. (ideally the CPU itself would be customized to use a randomized/proprietary opcode set that is also generated based on the private key, but that might get a bit expensive, so short of that trusting the OS's program loader/verifier not to be exploitable might have to suffice)

Re:ATMs running Windows.

[msauve]

The difference is, when Microsoft abandons support for a version of Windows, there's nothing a customer (ATM manufacturer and/or bank) can do about newly discovered security holes. If using an open source OS, they have the source and the opportunity to do patches themselves (which may only involve a backport).

Re:ATMs running Windows.

[dwywit]

In other words, use a Micro-channel architecture machine running OS/2.

Actually, why not ask IBM to make an ATM out of an AS/400 running OS400? Proprietary code on closed hardware, can't go wrong.

Re:ATMs running Windows.

[Z00L00K]

The ones to blame are the banks trying to get a cheap solution.

It's not too hard to code for Windows, but it's also the most targeted OS when it comes to malware. And it's not easy to figure out all possible attacks since Windows is very bloated - even the lighter versions usually have a lot of unnecessary stuff floating around.

Re:ATMs running Windows.

[Z00L00K]

I agree here - it's possible to exploit Linux as well, it would be necessary to use an operating system that's stripped down to the bare essentials of what's needed in an ATM to get rid of possible exploits.

The early ATMs were harder to hack from this perspective since they were running their own software. They probably had some other security issues instead, so everything wasn't better.

Re:ATMs running Windows.

[Z00L00K]

Legion of Grammar Nazis appearing!

Re:ATMs running Windows.

[Z00L00K]

Nah - I'd go for a solution built on an embedded kernel on a processor that isn't that common, like the Zilog Z8 family. (Not compatible with Z80)

Or use an FPGA solution.

If done right it's a lot harder to plant malicious functionality into the ATMs.

Re: ATMs running Windows.

[doragasu]

Security by obscurity. How could that go wrong?

Re:ATMs running Windows.

[eneville]

They would like to pay for support, but someone just emptied the ATMs.

Re: ATMs running Windows.

TiVo did solve this problem on Linux: custom kernel requires apps to be digitally signed. Custom chip on the mobo requires the kernel to be signed. If you want to hack a modern TiVo (series 3 or newer), you need to replace a custom chip soldered to the mobo.

This is why there's an anti-TiVo clause in the GPLv3.

If ATMs followed this model, it would prevent software hacks like this one. To compromise the ATM, you'd have to open it up and replace hardware. If you can do that, it's easier to just take the money.

Re:ATMs running Windows.

[AmiMoJo]

I do security for embedded systems, and you both misunderstand the problem,

An ATM is supposed to have physical security. It's full of money. If it isn't physically secure, you can just take the money out.

So it's reasonable to use an OS and not bother to update it (I guarantee, even if it was Linux it wouldn't get updates, because updates can break stuff and the manufacturer doesn't want the customer screaming at them to send an engineer to their Hawaii branch right away because their customers are screaming at them) Even if you do update it, there are always zero days, some flaws might be in things like firmware that can't or won't be updated anyway, someone will just rip the circuit board out and replace it with their own etc. So forget that, your main defence is physical security.

Same as on the outside actually. If you don't physically secure the customer facing part of the ATM, someone will install a skimmer and camera to capture PIN numbers.

It's nice to have a USB port for non-OS updates, because sometimes your customer will want to change the adverts being displayed or add a new feature. Like the money box, it needs to be physically protected. The mistake these guys made was to not protect the port properly. There was a lock, but staff often left it open because they didn't see the security risk, or they were the ones installing the malware.

Banks just accept this, because even with fraud it's cheaper than employing human tellers.

Re:ATMs running Windows.

[msauve]

How do you think that ATM checks an account balance? By physically sending an inquiry using pneumatic tubes? Nope, it uses a communications network, which makes it vulnerable to software flaws.

Re: ATMs running Windows.

[RabidReindeer]

And they were being exploited even before the Windows ATMs were.

Re: ATMs running Windows.

[Aruta]

To compromise the ATM, you'd have to open it up and replace hardware. If you can do that, it's easier to just take the money.

And this, essentially, is the answer to the article, end of story. I'd upvote if I had the points. However, this being /., the discussion below continues in the vein of "my OS is better than yours"

Re:ATMs running Windows.

[AmiMoJo]

ATMs use either a dedicated network or a VPN connection with hard coded IP addresses (to avoid DNS issues). All incoming connections should be firewalled, which even on XP is enough to secure it.

Re:ATMs running Windows.

[ComputerGeek01]

Don't blame Windows for incompetent banks you hacky sack kicking hipster. All they had to do is run a relatively current version of Windows and turn on AppLocker and this crap wouldn't even be possible without the kind of breech that would leave much more lucrative targets exposed. Meanwhile nobody has a week and a half to download then cross-their-fingers-and-compile all of the crap you would need to make an alternative Linux based ATM scheme secure. Most of these devices still use dial-up modems AND a wide range of hardware hence the choice to go with Windows.

The fact that these machines are less secure then most self-checkout lanes (which also use Windows) should be focus of this article. This is screaming that the banks don't actually give a damn about protecting our money because their butt-buddies in Washington will just reimburse them with no questions asked. Isn't it great when there is zero perceivable difference between centralized and decentralized banking? It's like we have the best of no worlds!

Re:ATMs running Windows.

[EmagGeek]

Nice strawman. Where in my post did I saw I wanted them running Linux?

Re:ATMs running Windows.

[EmagGeek]

"And if you sit there and say Linux is not exploitable, then your a fucking moron."

Did I say that in my post? Did I say in my post I wanted them running Linux? Did I say anything about another operating system? Did I say or even imply that there was an unhackable operating system in existence?

Please do enlighten me about what mental gymnastics you had to go through to arrive at your conclusions about my post.

Re: ATMs running Windows.

[Zorpheus]

Though you should not write your own is, because then only a hand full of people will be fixing security holes. While the number of people looking for holes will be much larger than that

Re: ATMs running Windows.

[Zorpheus]

Though you should not write your own OS, because then only a hand full of people will be fixing security holes. While the number of people looking for holes will be much larger than that

Re:ATMs running Windows.

[locotx]

Ooooo . .are any running Windows XP . . .didn't support for that OS stop?

Re: ATMs running Windows.

[invictusvoyd]

Kaspersky recommends that banks keep an eye out for âmagic cardâ(TM) information, which will show up on their processing logs and can help to detect potentially infected ATMs.

Kaspersky however did not choose to comment on the unprotected usb ports on these machines. And did not choose to disclose that they paid a bunch of school kids $5 to make that fake video .

Re:ATMs running Windows.

[toddestan]

There's a bunch of different versions of Windows XP embedded. Some of them were EOL with the regular version of Windows XP. A bunch were just EOL earlier this year. A few specialized versions are supported until sometime in 2019.

Windows is still legal?

[glomph]

Yow, you'd think it would be banned by now, it's such a shack of sit.

wait a sec

Just a sec here.

There are ATM's running a version of Windows?

I genuinely had no idea that was a thing. I always figured they would use some hardened, embedded OS or custom thing doing only what the ATM needed and nothing more.

Wow. Learned somethin' new.

Carry on then.

Re:wait a sec

[Darinbob]

Managers can be dumb sometimes. They think that if they use Windows on embedded systems that they'll save lots of time and money because they can hire cheap developers who don't need much training.

Re:wait a sec

[toonces33]

Most ATMs still run an embedded version of XP. This isn't the same as the XP that we all used to use, but a special version for embedded systems, but Microsoft has dropped support for it as well, and support ended this year on Jan 12th.

Re:wait a sec

[dbIII]

Some places cut corners and run the retail XP.
Insane on so many levels especially since dedicated lines to ATMs are mostly a thing of the past now. The funny thing is this stuff crept in because security issues of the software were dismissed due to dedicated lines and being able to treat the ATMs as if they were on a well firewalled private LAN.

Re:wait a sec

[Applehu+Akbar]

"There are ATM's running a version of Windows?"

There is an easy way to identify the less-than-major banks that would do this: look for the armored car to be a bicycle messenger carrying a cigar box.

Re:wait a sec

[Macdude]

If it didn't have windows how are the guys that service the machine supposed to play minesweeper?

Re:wait a sec

[serviscope_minor]

There are ATM's running a version of Windows?

Yes indeed! In fact one of the reasons it was popular is so they could run nice full colour advertisements on them written in flash.

Re:wait a sec

[jsepeta]

Prior to XP they ran NT, or OS2/Warp.

Why is ATM malware possible?

[h4ck7h3p14n37]

How does this malware get installed on a target machine? Is it installed by a technician on-site, or is it delivered over the bank's network?

Wouldn't cryptographically signed software distributed by hand on read-only media put a stop to this? And why would you run some version of Windows instead of using a stripped-down purpose-built operating system? Is it simply a matter of cost trumping security?

Re:Why is ATM malware possible?

[dbIII]

And why would you run some version of Windows instead of using a stripped-down purpose-built operating system?

MS marketing people were very active in the area a few years ago so they "won" the market. Add in place like Diebold with so many political and other connections that pull them in directions other than aiming for an effective product.

Re:Why is ATM malware possible?

[Joe_Dragon]

read only? that will stop the bank from pushing out new marketing ad's as part of the screen saver / slide show.

also read only will not stop from loading into ram.

Re:Why is ATM malware possible?

[khz6955]

Actually, once upon a time an ATM couldn't be programmed without the presence of a sealed hardware unit that couldn't be activated without entering two unique pass-codes entered by two bank officials, the codes being provided by a portable handheld device. Later on the banks 'upgraded' to Windows.

Re:Why is ATM malware possible?

[Locutus]

it has to be connected to the Internet so Microsoft can keep track of how many users there are and what they do on their OS. Haven't you read the EULA lately?

LoB

Re:Why is ATM malware possible?

[AmiMoJo]

Yes, it's down to cost. To build custom hardware and software is expensive, and it will have security flaws in it anyway. Since you have to spend money on physical security to protect the cash, you might as well use it to protect the USB port used for updates too.

Security costs money. khz6955 talks about needing two secure keys, bank officials and sealed hardware etc, but in practice the money generated by having lots of cheap ATMs displaying adverts and reducing staff numbers far outweighs any losses to fraud.

Re:Why is ATM malware possible?

[Sir_Eptishous]

Actually, once upon a time an ATM couldn't be programmed without the presence of a sealed hardware unit that couldn't be activated without entering two unique pass-codes entered by two bank officials, the codes being provided by a portable handheld device. Later on the banks 'upgraded' to Windows.

That sounds almost like a condensed version of computing in general.

Re:Why is ATM malware possible?

[The+Raven]

Either through breaking in to access a USB jack, or by bribing an ATM service tech.

Confused.

[jrq]

Why does the video show a fake(?) ATM dispensing the worst counterfeit $100 bill ever recorded?

Re:Confused.

[jrq]

Oh. RTFA. Video is a re-creation by Kaspersky.

Re:Confused.

[Fnord666]

Why does the video show a fake(?) ATM dispensing the worst counterfeit $100 bill ever recorded?

The must have done a bunch of takes. I think the person on the left has to pee.

Re:Wait...

[Joe_Dragon]

who ever killed OS/2 at IBM.

Department of redundancies department

[jenningsthecat]

ATM is an acronym for Automated Teller Machine, so 'ATM machine' is redundant.

Re:Department of redundancies department

[Mousit]

But it does go perfectly well with the Personal Identification Number number that follows in the very next sentence. :)

Re:Department of redundancies department

[cfc-12]

and the New Technology File System file system that follows that...

Hot water heater

[Latent+Heat]

. . . and I suppose you are going to tell me it is called a "water heater"?

Bosco! Bosco!

[Latent+Heat]

So you are telling me that a PIN has to be a number?

This article is missing a link

[liqu1d]

Where do I buy one of these magic cards?

Re:This article is missing a link

[Thelasko]

Where do I buy one of these magic cards?

You can buy an entire pack of them at any gaming store.

Re:This article is missing a link

[locotx]

*Giggty*

Original Post by Kaspersky Labs

[Fnord666]

Here is the original article on the Kaspersky Labs site in case anyone is interested.

The article at securelist.com has a few more technical details and includes a list of the special track 2 values used to activate the functionality.

Re:Original Post by Kaspersky Labs

[jbmartin6]

Thanks! I was trying to figure out what "If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream" meant. Which I now read means "The same file will be placed in the NTFS data stream corresponding to the XFS services executable file."

Re:Wait...

[khz6955]

IBM chief: Microsoft killed OS/2

The day Bill Gates screamed IBM's house down

Re:Grammar is hard? ATM machine? PIN Number?

To be fair to the anon submitter, that summary was copied from "thestack", where the person who wrote it was not anonymous.

Nicky Cappella https://thestack.com/author/nicky-cappella/ is the fucking moron in this instance.

The original kaspersky article does not contain either fuckup.
http://www.kaspersky.com/about/news/virus/2016/ATM-is-a-New-Skimmer

It's about time that slashdot stopped linking to fucking middle-men, and started linking to the actual source. (Although pointing out additional research from third-parties in the summary would obviously be fine.)

Similarly, in the recent article about SourceForge, whipslash linked to a third party article instead of just making his own newspost.

You would never see a CBS News report about "Fox News has run a story about something someone posted on a website", so why the fuck is it the norm here?

Give em a break, Windows is the most secure

[Locutus]

It's the most secure OS........ they've shipped.

And quite the brilliant choice to be used for ATM machines, air traffic voice control systems, train signal systems, on the same LAN as a power plant status/control system, etc. What could possibly go wrong?

LoB

Don't let them misdirect your attention!

This is much like "identity theft" where nobody actually steals your identity (an impossibility). What has actually happened is that a bank or credit card company has engaged in a sloppy transaction with a store or other vendor and with a criminal. All three parties to the crime (none of which is YOU) have agreed to the transaction in your name and agreed not to verify that it is you. Then, when the completely reckless unverified deal went sour, the bank and the store agreed that it's YOUR fault and that YOU are to blame.... even though you are the one person NOT involved in any way.

Here, the ATM gets compromised in a manner only possible by the installation of malware. In other words: the people who own the ATM and control the access to its guts install the malware themselves or allow somebody to install the malware. YOU have nothing to do with the compromising of the machine, but when things go wrong, it's YOUR problem!

In both these situations, YOU are the only truly innocent party, but YOU are the one all the guilty people point the finger of blame at, and they take YOUR money and then tisk-tisk about how you are the unfortunate victim of some nebulous global crime phenomena...

People need to stop automatically being conned into surrendering to these misdirected blame scams! When somebody compromises a machine and gets at cash from your accounts THE BANK has been robbed of THEIR money and you have no obligation to allow them to make themselves whole by taking the cash from your account and claiming YOU are the victim! WAKE UP!

Re:Grammar is hard? ATM machine? PIN Number?

[Sir_Eptishous]

I usually side with Grammar Nazis on /., but in this instance, phrases like "ATM Machine" and "PIN Number" have become colloquial American English "canon", so to speak.

People have been calling them "ATM Machines" and "PIN Numbers" since the 80s.
There are many commonly used phrases and acronyms(in American English) that don't follow a grammatically correct logic, yet are used constantly.
Deal with it.

not to mention PINs being on the magstripe

[cellocgw]

If we really want to try to install any kind of access security, at the very least the access code should not be on the card but at a (gosh) salted hashed dbase.

I'd suggest going to chipped ATM cards as well, but from what I hear those are not particularly foolproof either.

Pretty much any host computer is subject to a MITM attack vector here (the computer IS in the middle of the transaction)

"ATM Machines" "PIN numbers" *twitch*

[p0larity]

Redundant term is redundant.

access to the PIN?

[Toshito]

The PIN is entered on the pinpad, and checked by the chip on the card. The Windows machine behind all that never sees the PIN, the dialogue is only between those 2 components.

Even with magstripes, the PIN is encrypted by the pinpad, and again all the windows part of the ATM can see is this encrypted version.

I'm talking about ATMs from a big bank, maybe those small cash distributing machines (those who add 2$ fees to your 20$ withdrawal, yuck!) are much more vulnerable, but on our ATMs it's impossible for the windows machine to see or record the PIN.