JohnInSJ (Premium, joined 2003-09-22, San Jose, CA), reply to No_Strings:
Re: Automotive Gauge Cluster Design Runs Linux
said by No_Strings: Someone will load compiz on it and try to make it spin.
Better than worrying about Malware (ATMs running XP, anyone?)
-- My place: »www.schettino.us

Steve (Consultant, joined 2001-03-10, Yorba Linda, CA):
said by JohnInSJ: Better than worrying about Malware (ATMs running XP, anyone?)
Those ATMs were hacked with physical access to the insides — no OS could withstand that kind of attack, so this seems like a cheap shot.

SUMware (Premium, joined 2002-05-21):
Windows XP Cash Machines Can Steal Your PIN
said by Steve: said by JohnInSJ: Better than worrying about Malware (ATMs running XP, anyone?)
Those ATMs were hacked with physical access to the insides — no OS could withstand that kind of attack, so this seems like a cheap shot.
From ITWire, 05 June 2009 - quote: Windows XP cash machines can steal your PIN
It is bad enough that the bad guys constantly try to phish your financial data via email and fake websites; now cash machines are getting in on the act.
The SpiderLabs team reports that it has been able to perform an analysis of the malware, which had been discovered on compromised East European cash machines running Windows XP.
The malware was able to capture the magnetic stripe data from the private memory space of transaction-processing applications that were installed on these compromised ATMs, along with PIN codes for good measure.
Courtesy of some advanced management functionality found within the malware code, the attackers are able to control the compromised cash machines via a customised interface which can be accessed by simply inserting a controller card into the ATM card slot.
The stolen data can then be printed using the receipt printer built into the ATM, or output via the card reader to a suitable storage device. SpiderLabs do not believe that there is any networking functionality built into the malware, however.
I understand that the malware can be installed, and activated, by way of a Borland Delphi Rapid Application Development executable that replaces the original isadmin.exe utility file. Executing this dropper produces the malware file within the C:\WINDOWS directory of the machine.
This is not the first time that ATM security has left customers vulnerable, nor will it be the last.
Trustwave warns it "highly recommends ALL financial institutions with ATMs under management perform analysis of their environment to identify if this malware or similar malware is present. Trustwave collected multiple versions of this malware and therefore feels that over time it will evolve."
From DaniWeb, Feb 18th, 2008 - quote: ATM security leaves customers vulnerable to hackers
It has been estimated that something in the region of 70 percent of the ATMs in current use are based not on the proprietary hardware, software and communication protocol platforms of old but instead on PC/Intel hardware and commodity operating systems, the most popular being Windows XP Embedded. In fact, it is not too much of a stretch of the imagination to think of these ATMs as being simple PCs running simple PC operating systems and using the standard Internet Protocol that we are all used to. Of course, all this is housed in a very secure vault-like box along with some additional peripherals, which makes it all OK. Or does it?
According to Network Box, a managed security services company which has just published a white paper on the subject of IP-ATM security, banks and financial institutions are failing to properly secure their ATMs, leaving consumers' personal details vulnerable to hackers. The report itself actually cites three main threats to ATMs: internet protocol (IP) worms; disruption of the IP network and denial of service; and the harvesting of consumers' transaction data for malicious purposes. The latter could result in hackers being able to collect consumers' personal details, such as their card number, account balance and transaction history.
It doesn't take a genius to work out that all a determined hacker (and for determined read backed by a highly professional criminal organisation) needs to do is access some part of that IP network between the ATM and payment processor to be privy to the personal detail contained within the unencrypted data stream.
The ATM manufacturers do integrate firewall software on the devices, but these do nothing to prevent unencrypted traffic from leaving the machine; they just make it harder for the less professional hacker to get into the ATM itself.
Mark Webb-Johnson, CTO of Network Box, told us "Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. This assumption may have been true in the past, but today ATMs operate in a way that makes them far more susceptible to attack. We've already seen in August 2003 how the Nachi (aka Welchia) Internet worm crossed over into 'secure' networks and infected ATMs for two financial institutions; and we've witnessed the SQL Slammer (aka Sapphire) worm indirectly shut down 13,000 Bank of America ATMs. The chances are that if banks don't use technology that can actually provide an effective level of protection - technology that is already on the market - then it is very likely that more high-profile attacks are to follow."
[some emphasis added]

Steve (Consultant, joined 2001-03-10, Yorba Linda, CA):
Well, the most recent ATM "hack" (which was the first one you posted) involved physically hacking the machine: it doesn't matter that the guy replaced isadmin or did whatever else. No OS can withstand this kind of attack.
The second article addresses two points: an unencrypted IP network (which seems unrelated to Windows), and Nachi/Welchia/Slammer worm attacks on ATM networks.
Of all these points, only the last really weighs in on the issue of OS security, and it's not at all dispositive. It's obviously Microsoft's bug if they have a remotely exploitable flaw, but does this obviate any responsibility for a financial network designer to reduce attack surfaces? To turn off services you don't need? To patch issues you know are important?
In an engagement some years ago, I more or less completely penetrated the network used by Standard & Poor's to distribute stock quote information to subscribers: by hacking one machine, I was able to pop my head up inside the network of some very large institutions who had no idea that they were at such risk.
The device in question ran Linux, had services enabled by default, and had not been patched recently, but never once in the years since this event did I associate the problem with Linux.
It was the people who built the devices who were simply shockingly careless, and would have made the same mistakes with any other OS.
I don't mind blaming Microsoft (or any vendor) for stuff they actually get wrong, but it's intellectually dishonest to stop the search for information once you learn that MSFT is involved and just assume it's their fault.
Steve -- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site

SUMware (Premium, joined 2002-05-21):
I did not post that originally.

Steve (Consultant, joined 2001-03-10, Yorba Linda, CA):
Ok, inartful wording.
The incident to which your first quoted article referred is the same one discussed in the Security forum, and it involved a physical-access hack.
Steve

SUMware (Premium, joined 2002-05-21), reply to Steve:
From TweakTown, June 5, 2009 - quote: Flaw in XP lets malware steal PIN Numbers
There is a hack that has been put into place on ATMs (Automated Teller Machines) using Windows XP as an OS that allows malicious persons to recover account and PIN numbers directly from the machine.
The hack is most likely inserted using a compromised card that, when read by the ATM, causes the infection to begin. Once the virus is in play it replaces the isadmin.exe file, which then replaces the lass.exe file.
Once the infection has run its course, another control card can be used to harvest the information gathered. According to the report the card can even eject the cash box on the ATM.
From TG Daily, June 04, 2009 - quote: Windows XP-Based ATMs Targeted by Hackers
The malware contains advanced management functionality allowing the attacker to gain full control of the compromised ATM through a customized user interface built into the malware. This is accessible by inserting controller cards into the ATM's card reader.
Analysts do not believe the malware includes networking functionality that would allow it to send harvested data to other, remote locations via the Internet, but it does allow for the output of harvested card data via the ATM's receipt printer or by writing the data to an electronic storage device inserted into the ATM's card reader. Analysts also discovered code enabling the malware to eject the cash dispensing cassette.
"This malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, PINs and cash from each infected machine," said Trustwave.
"We believe the current attack vector is an early version of the malware sample, and future attacks will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems."
The malware is installed and activated through a dropper file called isadmin.exe. It is a Borland Delphi Rapid Application Development (RAD) executable.
Executing the dropper file produces the malware file lsass.exe within the C:\WINDOWS directory of the compromised system and does so via functionality provided by a Windows API. Once the malware is extracted, the dropper proceeds to manipulate the Protected Storage service that normally handles the legitimate lsass.exe executable, located in the C:\WINDOWS\system32 directory, to point at the newly created malware.
The service is also configured to automatically restart in the event that it crashes, ensuring that the malware remains active.
From IT Pro, 4 Jun 2009 - quote: Malware allows criminals to control cash machines
Trustwave Report (pdf)
The company also said that it had collected multiple versions of the malware and felt that over time it could evolve and infect a more widespread number of ATMs.
From BankInfoSecurity, June 8, 2009 - quote: ATM Fraud: 7 Growing Threats to Financial Institutions
#7. Malware -- That report from SpiderLabs isn't the only malware found. Sophos researchers in March said they found a Trojan specifically designed to steal information from Diebold ATM users that had infected several ATMs in Russia. SpiderLabs researchers explain that the Trojan collects magnetic stripe data and PINs from the Windows XP-based ATM's transaction application's private memory space. Researchers found it came with its own management function that allows the attacker to take over the ATM with a custom interface that may be controlled by the attacker when they insert a controller card into the ATM card reader. Both research arms say that they expect the Trojans they discovered to evolve and spread, infecting more ATMs. Trustwave recommends that all financial institutions with ATMs perform analysis to identify if this malware or similar malware is present.
[some emphasis added]

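The TG Daily quote above gives a defender two concrete things to look for on an XP-based ATM: an lsass.exe living in C:\WINDOWS rather than system32, and the Protected Storage service repointed at it and set to restart on failure. The following is an added Python example (not from the articles, Trustwave, or any vendor) that runs that check over exported service records; the system root C:\WINDOWS, the service key name "ProtectedStorage" and the record shape are assumptions.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumptions, not facts from the articles: the XP system root is C:\WINDOWS
# and the Protected Storage service's registry key name is "ProtectedStorage".
SYSTEM_ROOT = PureWindowsPath(r"C:\WINDOWS")
SYSTEM32 = SYSTEM_ROOT / "system32"
PROTECTED_STORAGE = "protectedstorage"

@dataclass
class ServiceRecord:
    """One entry exported from HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    name: str
    image_path: str                                      # raw ImagePath value
    failure_actions: list = field(default_factory=list)  # e.g. ["restart"]

def executable_of(image_path: str) -> PureWindowsPath:
    """Reduce a raw ImagePath (env var, quotes, arguments) to the binary path."""
    expanded = re.sub(r"%systemroot%", lambda _: str(SYSTEM_ROOT), image_path,
                      flags=re.IGNORECASE)
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', expanded)
    return PureWindowsPath(m.group(1) or m.group(2))

def find_indicators(services):
    """Return (service name, reason) pairs that match the described persistence."""
    findings = []
    for svc in services:
        exe = executable_of(svc.image_path)
        # Sign 1: an lsass.exe that is not the genuine one in system32.
        # PureWindowsPath compares case-insensitively, as Windows does.
        if exe.name.lower() == "lsass.exe" and exe.parent != SYSTEM32:
            findings.append((svc.name, f"lsass.exe outside system32: {exe}"))
        # Sign 2: Protected Storage configured to restart itself after a crash.
        restarts = any(a.lower() == "restart" for a in svc.failure_actions)
        if svc.name.lower() == PROTECTED_STORAGE and restarts:
            findings.append((svc.name, "configured to auto-restart on failure"))
    return findings

# Constructed sample records: a clean host and one shaped like the infection.
CLEAN_HOST = [
    ServiceRecord("ProtectedStorage", r"%SystemRoot%\system32\lsass.exe"),
    ServiceRecord("Spooler", r"%SystemRoot%\system32\spoolsv.exe", ["restart"]),
]
INFECTED_HOST = [
    ServiceRecord("ProtectedStorage", r"C:\WINDOWS\lsass.exe", ["restart"]),
    ServiceRecord("Spooler", r"%SystemRoot%\system32\spoolsv.exe"),
]
```

Running `find_indicators(INFECTED_HOST)` yields two findings against ProtectedStorage, while the clean host yields none; a Spooler set to restart is not flagged, since the restart sign only matters on the service the articles name.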
Steve (Consultant, joined 2001-03-10, Yorba Linda, CA):
You seem positively determined to make this about Microsoft, but it's not. I wrote about this in the Security forum, and the speculation:
said by your quoted article: The hack is most likely inserted using a compromised card that when read by the ATM causes the infection to begin.
is almost certainly not true.
A magstripe card can hold at best 200 bytes of data, so getting 11k or so bytes of isadmin.exe onto the machine that way seems like a serious stretch.
But later we learn that this hack did indeed involve physically breaking into the machine - that's how the bad stuff got installed into the OS. Once it's on the machine, no other details really matter.
Now I'm sympathetic to disbelieving anything Diebold says (shall we take a vote on that?), but I'm really, really skeptical how this could be done with a card swipe.
---
The larger point here is that properly determining culpability is important, and it certainly has nothing to do with keeping a good image on the face of a favored vendor, or maintaining bragging rights in Linux versus Windows.
If you mis-assess the reason for a security compromise, you are less likely to take steps to protect yourself properly in the future, because you spend time on stuff that doesn't matter.
In the case of the ATM hack, it involved physical access and expertise in how the particular machines operated. Does anybody really believe that changing the OS to Linux would have made any difference to the skilled bad guys?
Steve

Matt (All noise, no signal. Premium, joined 2003-07-20, Jamestown, NC):
said by Steve: You seem positively determined to make this about Microsoft, but it's not.
That sounds positively shilly there, Steve.
Personally, I think Sumware and Matunga are the same guy. They are both equally zealous, if a bit misguided -- a yin and yang, if you will.
As to the original article, that's neat. Linux does a lot of neat things and is perfect for most embedded applications.

Lurkarooski:
said by Matt: Personally, I think Sumware and Matunga are the same guy. They are both equally zealous, if a bit misguided -- a yin and yang, if you will.
Now that's a low blow, no matter how you look at it.
SUMware may be an unabashed Linux advocate, but he will always engage in discussions of his posts, which are usually informative at least, and legitimate. Matunga's 'smear-and-run' posts are quite a different animal.
I think you owe SUMware an apology for that comparison.

Steve (Consultant, joined 2001-03-10, Yorba Linda, CA):
said by Lurkarooski: I think you owe SUMware an apology for that comparison.
As do I; this is not even close.

Matt (All noise, no signal. Premium, joined 2003-07-20, Jamestown, NC):
said by Steve: said by Lurkarooski: I think you owe SUMware an apology for that comparison. As do I; this is not even close.
From what I have seen of both, neither is open minded to dissenting opinions. I was merely attempting to illustrate that Matunga is as anti-Linux as Sumware is anti-Microsoft.

Steve (Consultant, joined 2001-03-10, Yorba Linda, CA):
said by Matt: From what I have seen of both, neither is open minded to dissenting opinions. I was merely attempting to illustrate that Matunga is as anti-Linux as Sumware is anti-Microsoft.
No: SUMware has a strident view, but he sticks around to at least attempt to defend his position.
matunga engages in drive-by shillery.

Matt (All noise, no signal. Premium, joined 2003-07-20, Jamestown, NC):
said by Steve: said by Matt: From what I have seen of both, neither is open minded to dissenting opinions. I was merely attempting to illustrate that Matunga is as anti-Linux as Sumware is anti-Microsoft. No: SUMware has a strident view, but he sticks around to at least attempt to defend his position. matunga engages in drive-by shillery.
I agree with that. Although I think both methods are disingenuous.
Regardless, it was tongue in cheek, as I don't actually think they are the same person. So if I offended anyone, I apologize.

SUMware (Premium, joined 2002-05-21), reply to Steve:
I AM NOT, NOR HAVE I EVER BEEN, matunga. I promise! Geez!
Yes, I strongly support FOSS. Guilty. Yes, I find many of MS' well documented tactics unappealing and frequently skirting legality, if not plunging overboard. Groklaw and numerous others have published the sordid details over the years.
said by Steve: said by Lurkarooski: I think you owe SUMware an apology for that comparison. As do I; this is not even close.
Thank you, you are gentlemen. Sorry about being strident, Steve.
said by Matt: Although I think both methods are disingenuous.
strident - loud, harsh, grating, or shrill; discordant. See synonyms at loud, vociferous.
vociferous - loud and forceful
disingenuous - not straightforward or candid; insincere or calculating
Disingenuous? I strive to be accurate and clear.
said by Matt: So if I offended anyone, I apologize.
Anyone in particular?

SUMware (Premium, joined 2002-05-21), reply to Matt:
Never mind. Forget it.
matunga, really. geez.