Slashdot Mirror


Updated Skimer Malware Infects ATMs Worldwide (thestack.com)

An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATM machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Themida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the physical use of a "magic card," which gives access control to the malware, and then offers a list of options that are accessed by inputting a choice on the pin pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self delete, enable debug mode, and update. Here's a video of the Skimer malware in action.

21 of 121 comments

  1. ATMs running Windows. by EmagGeek · · Score: 5, Insightful

    This is just begging for it.

    1. Re:ATMs running Windows. by msauve · · Score: 5, Insightful

      The difference is, when Microsoft abandons support for a version of Windows, there's nothing a customer (ATM manufacturer and/or bank) can do about newly discovered security holes. If using an open source OS, they have the source and the opportunity to do patches themselves (which may only involve a backport).

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:ATMs running Windows. by Z00L00K · · Score: 2

I agree here - it's possible to exploit Linux as well. It would be necessary to use an operating system that's stripped down to the bare essentials of what's needed in an ATM to get rid of possible exploits.

      The early ATMs were harder to hack from this perspective since they were running their own software. They probably had some other security issues instead, so everything wasn't better.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re: ATMs running Windows. by Anonymous Coward · · Score: 3, Interesting

      TiVo did solve this problem on Linux: custom kernel requires apps to be digitally signed. Custom chip on the mobo requires the kernel to be signed. If you want to hack a modern TiVo (series 3 or newer), you need to replace a custom chip soldered to the mobo.

      This is why there's an anti-TiVo clause in the GPLv3.

      If ATMs followed this model, it would prevent software hacks like this one. To compromise the ATM, you'd have to open it up and replace hardware. If you can do that, it's easier to just take the money.

    4. Re:ATMs running Windows. by AmiMoJo · · Score: 4, Informative

I do security for embedded systems, and you both misunderstand the problem.

      An ATM is supposed to have physical security. It's full of money. If it isn't physically secure, you can just take the money out.

So it's reasonable to use an OS and not bother to update it (I guarantee, even if it was Linux it wouldn't get updates, because updates can break stuff and the manufacturer doesn't want the customer screaming at them to send an engineer to their Hawaii branch right away because their customers are screaming at them). Even if you do update it, there are always zero days, some flaws might be in things like firmware that can't or won't be updated anyway, someone will just rip the circuit board out and replace it with their own, etc. So forget that, your main defence is physical security.

      Same as on the outside actually. If you don't physically secure the customer facing part of the ATM, someone will install a skimmer and camera to capture PIN numbers.

      It's nice to have a USB port for non-OS updates, because sometimes your customer will want to change the adverts being displayed or add a new feature. Like the money box, it needs to be physically protected. The mistake these guys made was to not protect the port properly. There was a lock, but staff often left it open because they didn't see the security risk, or they were the ones installing the malware.

      Banks just accept this, because even with fraud it's cheaper than employing human tellers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re: ATMs running Windows. by Aruta · · Score: 3, Informative

      To compromise the ATM, you'd have to open it up and replace hardware. If you can do that, it's easier to just take the money.

And this, essentially, is the answer to the article, end of story. I'd upvote if I had the points. However, this being /., the discussion below continues in the vein of "my OS is better than yours".

      --
      This universe shipped by weight, not by volume. Some expansion of the contents may have occurred during shipment.
    6. Re:ATMs running Windows. by AmiMoJo · · Score: 2

      ATMs use either a dedicated network or a VPN connection with hard coded IP addresses (to avoid DNS issues). All incoming connections should be firewalled, which even on XP is enough to secure it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re: ATMs running Windows. by invictusvoyd · · Score: 2

Kaspersky recommends that banks keep an eye out for "magic card" information, which will show up on their processing logs and can help to detect potentially infected ATMs.

Kaspersky however did not choose to comment on the unprotected USB ports on these machines. And did not choose to disclose that they paid a bunch of school kids $5 to make that fake video.
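The story summary says Skimer is woken up by a "magic card", and the comment above quotes Kaspersky's advice to watch processing logs for that card data; the securelist write-up linked further down lists the actual track 2 values. The following is an added example, not code from the story, from Kaspersky or from any bank's processing system. It assumes a hypothetical one-line-per-event log format (`timestamp atm_id event track2`), parses ISO 7813 track 2 data, and reports which ATMs have seen any card on a watch list. The two watch-list values are constructed placeholders, not the real activation values, and the sample log lines are constructed as well.

```python
"""Flag ATMs whose processing logs show a watch-listed ("magic") card.

Added example for the Skimer story. The log format, the watch-list values
and the sample lines are all assumed or constructed, not taken from
Kaspersky's write-up.
"""
import re
from collections import defaultdict

# PLACEHOLDER watch list: substitute the track 2 values from the securelist
# article. Format is ISO 7813 track 2: ';' PAN '=' YYMM service-code
# discretionary-data '?'.
MAGIC_TRACK2 = {
    ";1111111111111111=9912101000000000?",  # placeholder, constructed
    ";2222222222222222=9912101000000000?",  # placeholder, constructed
}

# Constructed sample log in the hypothetical "ts atm_id event payload" format.
SAMPLE_LOG = """\
2016-05-17T08:01:12Z ATM-0042 CARD_READ ;4000123412341234=2001101000000000?
2016-05-17T08:03:45Z ATM-0042 CARD_READ ;1111111111111111=9912101000000000?
2016-05-17T08:03:50Z ATM-0042 PIN_ENTRY
2016-05-17T09:15:03Z ATM-0077 CARD_READ ;4000987698769876=1912101000000000?
2016-05-17T09:16:10Z ATM-0077 CARD_READ garbage-not-track2
2016-05-17T11:42:00Z ATM-0042 CARD_READ ;2222222222222222=9912101000000000?
"""

# Track 2: start sentinel, 12-19 digit PAN, separator, expiry, service code,
# optional discretionary data, end sentinel.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<atm>\S+)\s+(?P<event>\S+)(?:\s+(?P<payload>.*))?$"
)


def mask_pan(pan):
    """Keep BIN (first 6) and last 4 digits so the report itself is not card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text, watchlist=MAGIC_TRACK2):
    """Return ({atm_id: [(timestamp, masked_pan), ...]}, [(lineno, reason), ...]).

    The first element lists watch-list hits per ATM; the second lists lines
    that could not be parsed, which deserve a look of their own.
    """
    hits = defaultdict(list)
    malformed = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append((lineno, "unparseable line"))
            continue
        if m.group("event") != "CARD_READ":
            continue  # only card reads carry track 2 data in this format
        payload = (m.group("payload") or "").strip()
        t2 = TRACK2_RE.match(payload)
        if not t2:
            malformed.append((lineno, "CARD_READ without valid track 2 data"))
            continue
        if payload in watchlist:
            hits[m.group("atm")].append((m.group("ts"), mask_pan(t2.group("pan"))))
    return dict(hits), malformed


def suspect_atms(text, watchlist=MAGIC_TRACK2):
    """Sorted list of ATM ids that saw at least one watch-listed card."""
    hits, _ = scan_log(text, watchlist)
    return sorted(hits)


if __name__ == "__main__":
    hits, malformed = scan_log(SAMPLE_LOG)
    for atm, events in sorted(hits.items()):
        print(f"{atm}: {len(events)} magic-card read(s)")
        for ts, pan in events:
            print(f"  {ts}  {pan}")
    for lineno, reason in malformed:
        print(f"line {lineno}: {reason}")
```

Matching on the full track 2 string rather than the PAN alone is deliberate: the activation values are fixed strings, so expiry and discretionary data are part of the indicator. An ATM that appears in the hit list is a candidate for the on-site file-system checks the story describes (netmgr.dll in System32 on FAT32, or an NTFS alternate data stream on NTFS).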

  2. Re:wait a sec by Darinbob · · Score: 2

    Managers can be dumb sometimes. They think that if they use Windows on embedded systems that they'll save lots of time and money because they can hire cheap developers who don't need much training.

  3. Re:wait a sec by toonces33 · · Score: 4, Informative

    Most ATMs still run an embedded version of XP. This isn't the same as the XP that we all used to use, but a special version for embedded systems, but Microsoft has dropped support for it as well, and support ended this year on Jan 12th.

  4. Why is ATM malware possible? by h4ck7h3p14n37 · · Score: 3, Interesting

    How does this malware get installed on a target machine? Is it installed by a technician on-site, or is it delivered over the bank's network?

    Wouldn't cryptographically signed software distributed by hand on read-only media put a stop to this? And why would you run some version of Windows instead of using a stripped-down purpose-built operating system? Is it simply a matter of cost trumping security?

    1. Re:Why is ATM malware possible? by dbIII · · Score: 2

      And why would you run some version of Windows instead of using a stripped-down purpose-built operating system?

MS marketing people were very active in the area a few years ago so they "won" the market. Add in places like Diebold with so many political and other connections that pull them in directions other than aiming for an effective product.

    2. Re:Why is ATM malware possible? by khz6955 · · Score: 3, Informative

      Actually, once upon a time an ATM couldn't be programmed without the presence of a sealed hardware unit that couldn't be activated without entering two unique pass-codes entered by two bank officials, the codes being provided by a portable handheld device. Later on the banks 'upgraded' to Windows.

  5. Re:Missing an M? by swd99999999 · · Score: 3, Funny

A person who takes all their clothes off and jumps in a pile of money.

  6. Confused. by jrq · · Score: 2

    Why does the video show a fake(?) ATM dispensing the worst counterfeit $100 bill ever recorded?

    --
    My UID is prime!
    1. Re:Confused. by Fnord666 · · Score: 3, Funny

      Why does the video show a fake(?) ATM dispensing the worst counterfeit $100 bill ever recorded?

They must have done a bunch of takes. I think the person on the left has to pee.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  7. Department of redundancies department by jenningsthecat · · Score: 2, Insightful

    ATM is an acronym for Automated Teller Machine, so 'ATM machine' is redundant.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Department of redundancies department by Mousit · · Score: 4, Informative

      But it does go perfectly well with the Personal Identification Number number that follows in the very next sentence. :)

  8. This article is missing a link by liqu1d · · Score: 4, Funny

    Where do I buy one of these magic cards?

    1. Re:This article is missing a link by Thelasko · · Score: 2

      Where do I buy one of these magic cards?

      You can buy an entire pack of them at any gaming store.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  9. Original Post by Kaspersky Labs by Fnord666 · · Score: 2

    Here is the original article on the Kaspersky Labs site in case anyone is interested.

    The article at securelist.com has a few more technical details and includes a list of the special track 2 values used to activate the functionality.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables