quote:

---

Flaw in XP lets malware steal PIN Numbers

There is a hack that has been put into place on ATM (Automated Teller Machines)using windows XP as an OS that allows for malicious persons to recover account and PIN numbers directly from the machine.

The hack is most likely inserted using a compromised card that when read by the ATM causes the infection to begin. Once the virus is in play it replaces the isadmin.exe file which then replaces the lass.exe file.

Once the infection has run its course another “control” card can be used to harvest the information gathered. According to the report the card can even eject the cash box on the ATM.

---

quote:

---

Windows XP-Based ATMs Targeted by Hackers

The malware contains advanced management functionality allowing the attacker to gain full control of the compromised ATM through a customized user interface built into the malware. This is accessible by inserting controller cards into the ATM’s card reader.

Analysts do not believe the malware includes networking functionality that would allow it to send harvested data to other, remote locations via the Internet, but does allow for the output of harvested card data via the ATM’s receipt printer or by writing the data to an electronic storage device inserted into the ATM’s card reader. Analysts also discovered code enabling the malware to eject the cash dispensing cassette.

"This malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, Pins and cash from each infected machine," said TrustWave.

"We believe the current attack vector is an early version of the malware sample, and future attacks will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems."

The malware is installed and activated through a dropper file called isadmin.exe. It is a Borland Delphi Rapid Application Development (RAD) executable.

Executing the dropper file produces the malware file lsass.exe within the C:\WINDOWS directory of the compromised system and does so via functionality provided by a Windows API. Once the malware is extracted, the dropper proceeds to manipulate the Protected Storage service that normally handles the legitimate lsass.exe executable, located in the C:\WINDOWS\system32 directory to point at the newly created malware.

The service is also configured to automatically restart in the event that it crashes, ensuring that the malware remains active.

---

quote:

---

Malware allows criminals to control cash machines

Trustwave Report (pdf)
The company also said that it had collected multiple versions of the malware and felt that over time it could evolve and infect a more widespread number of ATMs.

---

quote:

---

ATM Fraud: 7 Growing Threats to Financial Institutions

#7. Malware -- That report from SpiderLabs isn't the only malware found. Sophos researchers in March say they found a Trojan specifically designed to steal information from Diebold ATM users that had infected several ATMs in Russia. SpiderLabs researchers explain the Trojan collects magnetic stripe data and PINs from the Windows XP-based ATM's transaction application's private memory space. Researchers found it came with its own management function that allows the attacker take over the ATM with a custom interface that may controlled by the attacker when they insert a controller card into the ATM card reader. Both research arms say that they expect the Trojans they discovers to evolve and spread, infecting more ATMs. Trustwave recommends that all financial institutions with ATMs perform analysis to identify if this malware or similar malware is present.

---

said by Steve :

said by JohnInSJ :

Better then worrying about Malware (ATMs running XP, anyone?)

Those ATMs were hacked with physical access to the insides — no OS could withstand that kind of attack, so this seems like a cheap shot.

quote:

---

Windows XP cash machines can steal your PIN

It is bad enough that the bad guys constantly try and phish your financial data via email and fake websites, now cash machines are getting in on the act.

The SpiderLabs team reports that it has been able to perform an analysis of the malware, which had been discovered on compromised East European cash machines running Windows XP.

The malware was able to capture the magnetic stripe data from the private memory space of transaction-processing applications that were installed on these compromised ATMs, along with PIN codes for good measure.

Courtesy of some advanced management functionality found within the malware code, the attackers are able to control the compromised cash machines via a customised interface which can be accessed by simply inserting a controller card into the ATM card slot.

The stolen data can then be printed using the receipt printer built into the ATM, or output via the card reader to a suitable storage device. SpiderLabs do not believe that there is any networking functionality built into the malware, however.

I understand that the malware can be installed, and activated, by way of a Borland Delphi Rapid Application Development executable that replaces the original isadmin.exe utility file. Executing this dropper produces the malware file within the C:\WINDOWS directory of the machine.

This is not the first time that ATM security has left customers vulnerable nor will it be the last.

Trustwave warns it "highly recommends ALL financial institutions with ATMs under management perform analysis of their environment to identify if this malware or similar malware is present. Trustwave collected multiple version of this malware and therefore, feels that over time it will
evolve."

---

quote:

---

ATM security leaves customers vulnerable to hackers

It has been estimated that something in the region of 70 percent of the ATMs in current use are based not on the proprietary hardware, software and communication protocol platforms of old but instead on PC/Intel hardware and commodity operating systems, the most popular being Windows XP embedded. In fact, it is not too much of a stretch of the imagination to think of these ATMs as being simple PCs running simple PC operating systems and using the standard Internet Protocol that we are all used to. Of course, all this is housed in a very secure vault-like box along with some additional peripherals, which makes it all OK. Or does it? According to Network Box, a managed security services company which has just published a white paper on the subject of IP-ATM security, banks and financial institutions are failing to properly secure their ATMs, leaving consumers' personal details vulnerable to hackers. The report itself actually cites three main threats to ATMs: internet protocol (IP) worms; disruption of the IP network and denial of service; and the harvesting of consumers' transaction data for malicious purposes. The latter could result in hackers being able to collect consumers' personal details, such as their card number, account balance and transaction history.

It doesn't take a genius to work out that all a determined hacker, and for determined read backed by a highly professional criminal organisation, needs to do is access some part of that IP network between the ATM and payment processor to be privy to the personal detail contained within the unencrypted data stream.

The ATM manufacturers do integrate firewall software on the devices but these do nothing to prevent unencrypted traffic from leaving the machine, just make it harder for the less professional hacker to get into the ATM itself.

Mark Webb-Johnson, CTO of Network Box, told us "Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. This assumption may have been true in the past, but today ATMs operate in a way that makes them far more susceptible to attack. We've already seen in August 2003 how the Nachi (aka Welchia) Internet worm crossed over into 'secure' networks and infected ATMs for two financial institutions; and we've witnessed the SQL Slammer (aka Sapphire) worm indirectly shutdown 13,000 Bank of America ATMs. The chances are that if banks don't use technology that can actually provide an effective level of protection - technology that is already on the market - then it is very likely that more high-profile attacks are to follow."

---

quote:

---

Automotive telematics display firm Yazaki North America announced an instrument cluster display based on embedded Linux, designed for reconfigurable dashboard TFT/LCD displays. The instrument cluster prototype is built around a PowerPC-based Freescale MPC5121e system-on-chip (SoC), and offers 3D effects, says the company.

Like Ford's new SmartGauge cluster designed for its 2010 Ford Fusion Hybrid, the Yazaki design offers a dynamic GUI interface to simulate analog instrumentation and report on a variety of telematics and related information in a small space. Yakuzi offers a more three-dimensional effect by displaying indicators, fuel gauge, and speedometer information on different levels, as well as adding tunnels and a tapered bezel over the LCD, says Yazaki.

The design is said to be highly customizable by automotive OEMs, enabling a wide range of dashboard designs for entry-level to high-end cars. When used in hybrids, the reconfigurable instrumentation can also display information such as driver and vehicle performance, as well as environmental impact.

The design supports integrated video input for displaying camera information, and the lighting system for the TFT/LCD display incorporates light guides, and uses a minimum number of LEDs "to offer styling flexibility and reduced complexity," says Yazaki. Based on embedded Linux, presumably using Freescale's Linux development platform for its MPC processors, the firmware is also said to make use of the chip's OpenGL ES 1.1 graphics.

The MPC5121e primarily targets "next-generation" telematics systems, such as in-car infotainment, driver assist devices, and digital displays for intelligent dashboards. In October 2007, Wind River, which is scheduled to be acquired by Intel this summer, announced a partnership with Freescale to co-develop a Linux development kit for the SoC. Last year, Freescale shipped a dual-core verson of the SoC called the MPC5123.

No information was offered on the availability of the Yakazi instrument cluster. More information may be found here.

---