Tuesday, June 30, 2009

New ATM Malware Captures PINs and Cash


By Kim Zetter June 4, 2009 , Wired Magazine

Security researchers have found malware planted on ATMs in Eastern Europe that captures PINs and magnetic stripe data from the machine’s memory and instructs the machines to spit out cash, eliminating the need for primitive skimming devices and advancing the tradecraft of card thieves to a new level.

“This malware is unlike any we have ever had experience with,” said Nick Percoco in a statement. Percoco is vice president and head of Trustwave’s SpiderLabs Incident Response Team, based in Chicago, which was called in to investigate the matter this last spring.

The malware was found on 20 machines in Russia and Ukraine that were all running Microsoft’s Windows XP operating system. At least one machine was infected as early as July 2007 and researchers said they’ve seen advanced versions of the malware that indicates the attackers have been perfecting it since then.

The attack requires an insider, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM. Once that’s done, attackers can insert a control card into the machine’s card reader to trigger the malware and give them control of the machine through a custom interface and the ATM’s keypad.

The malware captures account numbers and PINs from the machine’s transaction application and then delivers it to the thief on a receipt printed from the machine in an encrypted format or to a storage device inserted in the card reader. A thief can also instruct the machine to eject whatever cash is inside the machine. A fully loaded ATM can hold up to $600,000.

Trustwave issued an alert that provides technical details (.pdf) about how the malware works.
The malware was placed on ATMs made by various unspecified vendors. Trustwave spokeswoman, Michelle Genser wouldn’t say how many banks were involved or which ones. She also wouldn’t say how much loot the thieves captured from the machines.

The researchers found signs that the malware was moving to machines in the U.S. and elsewhere, but wouldn’t discuss the nature of those signs. (See update below.)

“They usually start in one country as a testbed and once they realize it’s executable in other countries, it spreads quickly,” she said.

UPDATE: I was finally able to speak with Nicholas Percoco, the head of SpiderLabs, and it turns out the malware has a couple of interesting features.

In order to command the machine to dispense cash, a thief has to pull up a special menu the coder put into the malware. But the menu is protected by a challenge-response feature, suggesting the coder might be leasing access to that function to elite customers who pay a premium for it. Emptying an ATM of cash, of course, will expose the malware more quickly than simply stealing card numbers. So this feature has probably been used sparingly.

With regard to the PINs that are stolen, generally an ATM encrypts the PIN at the keypad as the user types it in. So all the malware would get is a PIN block, and the crooks would then have to find a way to decrypt the PIN block. But Percoco says some older models of ATMs made before 2004 when the card industry imposed security standards on PIN entry devices, encrypt the PIN after it’s sent from the keypad to the ATM system software, so the malware would capture these in the clear. There are also even older PIN pads that will reverse the encryption of a PIN block. So a malware writer could write code to instruct the system to send a PIN block back to the PIN pad to be decrypted, where it would then steal the data in the clear.

The card and PIN data that the malware prints out onto an ATM receipt is encrypted by the malware, not the ATM, with a key that only the coder or his associates know, so that a mule who is sent to the machine with a trigger card to collect the data can’t read it.
2 comments Posted by Revin F Floyd

ATM Vendor Halts Researcher’s Talk on Vulnerability

By Kim Zetter June 30, 2009 , Wired Magazine

An ATM vendor has succeeded in getting a security talk pulled from the upcoming Black Hat conference after a researcher announced he would demonstrate a vulnerability in the system.

Barnaby Jack, a researcher with Juniper Networks, was to present a demonstration showing how he could “jackpot” a popular ATM brand by exploiting a vulnerability in its software.

Jack was scheduled to present his talk at the upcoming Black Hat security conference being held in Las Vegas at the end of July. But on Monday evening, his employer released a statement saying it was canceling the talk due to the vendor’s intervention.

“Juniper believes that Jack’s research is important to be presented in a public forum in order to advance the state of security,” the statement read. “However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected. Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack’s presentation until all affected vendors have sufficiently addressed the issues found in his research.”

In the description of his talk on the conference web site, Jack wrote that, “The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. This presentation will retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATM’s. The presentation will explore both local and remote attack vectors, and finish with a live demonstration of an attack on an unmodified, stock ATM.”

Jack did not disclose the ATM brand or discuss whether the vulnerability was found in the ATM’s own software or in its underlying operating system. Diebold ATMs, one of the most popular brands, runs on a Windows operating system, as do some other brands of ATMs.

Diebold did not respond to a call for comment.

Earlier this year, Diebold released an urgent alert (.pdf) announcing that Russian hackers had installed malicious software on several of its Opteva model ATMs in Russia and Ukraine. A security researcher at SophosLabs uncovered three examples of Trojan horse programs designed to infect the ATMs and wrote a brief analysis of them. Last month another security research lab, Trustwave’s SpiderLabs, provided more in-depth analysis of malware used to attack 20 ATMs in Russia and Ukraine of various brands.

According to SpiderLabs, the attack required an insider, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM. Once that was done, attackers could insert a control card into the machine’s card reader to trigger the malware and give them control of the machine through a custom interface and the ATM’s keypad.

The malware captured account numbers and PINs from the machine’s transaction application and then delivered it to the thief on a receipt printed from the machine in an encrypted format or to a storage device inserted in the card reader. A thief could also instruct the machine to eject whatever cash is inside the machine. A fully loaded ATM can hold up to $600,000.

It’s unclear if the talk Jack was scheduled to give addresses the same vulnerability and malware or a new kind of attack.

It’s not the first time that a vendor has intervened to halt a security talk discussing a vulnerability with its system. In 2005, Cisco tried to prevent researcher Mike Lynn from presenting his talk on a serious security hole in the operating system that runs its routers.

Lynn had received approval from both Cisco and his employer Internet Security Systems (ISS) to present the talk at Black Hat that year. But Cisco changed its mind at the last minute, pressuring the conference to cancel the talk and rip out pages of the presentation from the conference catalogue. Cisco and ISS threatened to sue Lynn and conference organizers if the talk proceeded. Lynn resigned from his job hours before the scheduled talk and gave his demonstration anyway. He was roundly praised by security professionals, including administrators of military and government networks, for defying the threats and disclosing the important vulnerability.

At the end of his talk, Lynn asked the audience if anyone wanted to give him a job. Juniper Networks, the company now responsible for pulling the Barnaby Jack talk, hired Lynn shortly thereafter.
1 comments Posted by Revin F Floyd
Labels: , , , ,
Subscribe to: Posts (Atom)