Benefits from constant feature enhancements and targets multiple vendors

Jun 4, 2009 11:15 GMT  ·  By

Following a March report from Sophos regarding a Trojan that infects Diebold ATMs and steals card data, another similar piece of malware has been analyzed (PDF) by researchers from Trustwave. The malicious application can infect Windows XP-based ATMs from multiple vendors and has a complex feature set.

The file analyzed by Trustwave had a creation date of 25 July 2007, suggesting that this sort of highly complex malware has existed for quite a while now. "It is [...] believed that this is a relatively early version of the malware and that subsequent versions have seen significant additions to its functionality," the researchers advise.

Similar to the Trojan reported by Sophos, this threat was also discovered in Eastern Europe and appears to target accounts denominated in United States Dollars, Russian Roubles and Ukrainian Hryvnia. The analysis suggests that the malware was developed by someone with clear knowledge of ATM software and professional coding skills, and that it needs to be installed by bank insiders, such as the people responsible for ATM maintenance.

The malware is installed in the C:\WINDOWS folder as lsass.exe (the legitimate lsass.exe lives in C:\WINDOWS\system32) and hijacks the "Protected Storage" service in order to get loaded on system reboot. It hooks into the processes handling transaction messages and captures the track 2 data and PINs of cards used at the ATM. The captured information is written to two separate text files, encrypted with the DES algorithm.
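The persistence described above gives a defender two concrete things to check on an ATM image: an lsass.exe running from anywhere other than the system32 directory, and a Protected Storage service whose binary path no longer points at the genuine lsass.exe. The script below is an added example (not Trustwave's code and not the malware), written against constructed process and service records that mimic what `tasklist` and `sc qc` would return; it assumes a default XP install with the system root at C:\WINDOWS and assumes the service's registry name is `ProtectedStorage`, both of which you should confirm against a known-good image before relying on the result.

```python
"""Hunt for the lsass.exe / Protected Storage persistence pattern.

Added example, not code from the Trustwave report or the malware.
The inventory records at the bottom are constructed to resemble
tasklist / sc qc output; on a live host you would collect them yourself.
"""
import re

SYSTEM_ROOT = r"c:\windows"                       # assumption: default XP install
LEGIT_LSASS = SYSTEM_ROOT + r"\system32\lsass.exe"
PSTORE_SERVICE = "protectedstorage"               # assumption: XP registry service name

# Pulls the executable out of an ImagePath such as  "C:\x y\a.exe" -k  or  %SystemRoot%\a.exe
_EXE_RE = re.compile(r'^\s*"?([^"]*?\.exe)', re.IGNORECASE)


def normalize_image_path(raw):
    """Reduce a service ImagePath or process path to a lower-case .exe path.

    Handles surrounding quotes, trailing arguments and the SystemRoot variable
    so that paths can be compared byte-for-byte against LEGIT_LSASS.
    """
    m = _EXE_RE.match(raw)
    path = m.group(1).strip() if m else raw.strip()
    return path.lower().replace("%systemroot%", SYSTEM_ROOT)


def find_suspicious(processes, services):
    """Return a list of (finding, detail) tuples; an empty list means clean.

    processes: list of dicts with keys pid, image, path (as from tasklist)
    services:  dict of service name -> ImagePath (as from sc qc / the registry)
    """
    findings = []

    lsass_procs = [p for p in processes if p["image"].lower() == "lsass.exe"]
    for p in lsass_procs:
        if normalize_image_path(p["path"]) != LEGIT_LSASS:
            findings.append(("rogue lsass.exe", f"pid {p['pid']} at {p['path']}"))
    # XP runs exactly one LSASS; a second copy is a finding even if its path looks plausible.
    if len(lsass_procs) > 1:
        findings.append(("multiple lsass.exe processes", f"{len(lsass_procs)} instances"))

    for name, image_path in services.items():
        if name.lower() != PSTORE_SERVICE:
            continue
        if normalize_image_path(image_path) != LEGIT_LSASS:
            findings.append(("Protected Storage service hijacked", f"ImagePath = {image_path}"))
    return findings


# Constructed inventory resembling an infected XP ATM (not real captured data).
INFECTED_PROCESSES = [
    {"pid": 680,  "image": "lsass.exe",   "path": r"C:\WINDOWS\system32\lsass.exe"},
    {"pid": 1724, "image": "lsass.exe",   "path": r"C:\WINDOWS\lsass.exe"},
    {"pid": 900,  "image": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe"},
]
INFECTED_SERVICES = {
    "ProtectedStorage": r"C:\WINDOWS\lsass.exe",
    "Eventlog": r"%SystemRoot%\system32\services.exe",
}

# Constructed inventory of a clean host for comparison.
CLEAN_PROCESSES = [INFECTED_PROCESSES[0], INFECTED_PROCESSES[2]]
CLEAN_SERVICES = {
    "ProtectedStorage": r"%SystemRoot%\system32\lsass.exe",
    "Eventlog": r"%SystemRoot%\system32\services.exe",
}

if __name__ == "__main__":
    for label, procs, svcs in (("infected", INFECTED_PROCESSES, INFECTED_SERVICES),
                               ("clean", CLEAN_PROCESSES, CLEAN_SERVICES)):
        print(label, find_suspicious(procs, svcs) or "no findings")
```

The path comparison is deliberately strict: a malicious copy can match the legitimate file name, size and even version resource, so the only cheap signal is where it runs from and what loads it. A hash of the system32 binary against a vendor gold image is the natural next check.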

Several operations can be performed by inserting controller cards into the compromised ATM. There are two types of these trigger cards: one gives access to all functions, the other only to a function that prints the captured data through the ATM's receipt printer. The first is probably used by the cybercriminals themselves, while the limited controller card is most likely meant for hired money mules.

Through the interface displayed on the ATM screen when a full-access control card is inserted, the analyzed version allows attackers to reset or delete log files, uninstall the malware, display statistics about transactions, reboot the ATM operating system, print a test message or print all collected data.

A secondary menu is available after the response to a challenge question is provided. From this menu, cybercrooks can attempt to access information usually available only to ATM managers, such as how much cash is currently in the machine. This can be useful to them, because the malware also has the ability to eject the ATM cash-dispensing cassette.

The researchers have not yet been able to determine the precise purpose of another identified function. They only note that it "Appears to be associated with memory card reader/writer functionality that may be used to transfer the harvested data directly to a card injected into a compromised ATM."

"Trustwave collected multiple versions of this malware and therefore, feels that over time it will evolve. It will also begin to propagate to a more wide-spread population of ATMs, thus a proactive approach in prevention and identification will be necessary to prevent future attacks," the company warns.