quote:

---

Flaw in XP lets malware steal PIN Numbers

There is a hack that has been put into place on ATM (Automated Teller Machines)using windows XP as an OS that allows for malicious persons to recover account and PIN numbers directly from the machine.

The hack is most likely inserted using a compromised card that when read by the ATM causes the infection to begin. Once the virus is in play it replaces the isadmin.exe file which then replaces the lass.exe file.

Once the infection has run its course another “control” card can be used to harvest the information gathered. According to the report the card can even eject the cash box on the ATM.

---

quote:

---

Windows XP-Based ATMs Targeted by Hackers

The malware contains advanced management functionality allowing the attacker to gain full control of the compromised ATM through a customized user interface built into the malware. This is accessible by inserting controller cards into the ATM’s card reader.

Analysts do not believe the malware includes networking functionality that would allow it to send harvested data to other, remote locations via the Internet, but does allow for the output of harvested card data via the ATM’s receipt printer or by writing the data to an electronic storage device inserted into the ATM’s card reader. Analysts also discovered code enabling the malware to eject the cash dispensing cassette.

"This malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, Pins and cash from each infected machine," said TrustWave.

"We believe the current attack vector is an early version of the malware sample, and future attacks will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems."

The malware is installed and activated through a dropper file called isadmin.exe. It is a Borland Delphi Rapid Application Development (RAD) executable.

Executing the dropper file produces the malware file lsass.exe within the C:\WINDOWS directory of the compromised system and does so via functionality provided by a Windows API. Once the malware is extracted, the dropper proceeds to manipulate the Protected Storage service that normally handles the legitimate lsass.exe executable, located in the C:\WINDOWS\system32 directory to point at the newly created malware.

The service is also configured to automatically restart in the event that it crashes, ensuring that the malware remains active.

---

quote:

---

Malware allows criminals to control cash machines

Trustwave Report (pdf)
The company also said that it had collected multiple versions of the malware and felt that over time it could evolve and infect a more widespread number of ATMs.

---

quote:

---

ATM Fraud: 7 Growing Threats to Financial Institutions

#7. Malware -- That report from SpiderLabs isn't the only malware found. Sophos researchers in March say they found a Trojan specifically designed to steal information from Diebold ATM users that had infected several ATMs in Russia. SpiderLabs researchers explain the Trojan collects magnetic stripe data and PINs from the Windows XP-based ATM's transaction application's private memory space. Researchers found it came with its own management function that allows the attacker take over the ATM with a custom interface that may controlled by the attacker when they insert a controller card into the ATM card reader. Both research arms say that they expect the Trojans they discovers to evolve and spread, infecting more ATMs. Trustwave recommends that all financial institutions with ATMs perform analysis to identify if this malware or similar malware is present.

---