Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck Earth Operating Systems Privacy Software Windows News Build Technology

Updated Skimer Malware Infects ATMs Worldwide (thestack.com) 121

An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATM machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Thermida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the phsyical use of a "magic card," which gives access control to the malware, and then offers a list of options that are accessed by inputing a choice on the pin pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self delete, enable debug mode, and update. Here's a video of the Skimer malware in action.
This discussion has been archived. No new comments can be posted.

Updated Skimer Malware Infects ATMs Worldwide

Comments Filter:
  • What's a Skimer?
    • by Anonymous Coward

      Nope, that's correct. It's a new technique based on a Russian word that means "gullible".

      • Got it, the all knowing Google apparently isn't so hip to this.
        • Got it, the all knowing Google apparently isn't so hip to this.

          Most Wonderful He-Got-Whooshed message of the decade!

          • by doccus ( 2020662 )

            Indeed. I sooo hate "Replies returned for (Google corrected version)" "Choose the actual spelling you entered instead"
            Great.. so if the great Mr G doesn't like my spelling I have to take three steps instead for every word or phrase...
            Re: "Didn't you mean...?" Er, no, Mr Google sir.. if I had meant that I would have said so. And how long before they disable unapproved words or spellings altogether?
            YaVol! Za! All bow down before ze mighty Alphabet.. Ya!

      • by jsepeta ( 412566 )

        so not schemer

    • Re: (Score:3, Funny)

      by Dave... ( 4509081 )
      A person who takes all their cloths off and jumps in a pile of money.
    • by Anonymous Coward

      What's a Skimer?

      Using the magical oracle known as "Google", we find the answer to that question is...
      ATM malware [securityweek.com]
      ATM malware [securelist.com]
      ATM malware [hackread.com]
      ATM malware [pcworld.com]
      ATM malware [kaspersky.com]
      ATM malware [darkreading.com]
      (you probably get the idea by now: "Skimer" is ATM malware)

  • by EmagGeek ( 574360 ) on Wednesday May 18, 2016 @07:57PM (#52138837) Journal

    This is just begging for it.

    • Don't blame Windows for incompetent banks you hacky sack kicking hipster. All they had to do is run a relatively current version of Windows and turn on AppLocker and this crap wouldn't even be possible without the kind of breech that would leave much more lucrative targets exposed. Meanwhile nobody has a week and a half to download then cross-their-fingers-and-compile all of the crap you would need to make an alternative Linux based ATM scheme secure. Most of these devices still use dial-up modems AND a wid

  • by glomph ( 2644 )

    Yow, you'd think it would be banned by now, it's such a shack of sit.

  • by Anonymous Coward

    Just a sec here.

    There are ATM's running a version of Windows?

    I genuinely had no idea that was a thing. I always figured they would use some hardened, embedded OS or custom thing doing only what the ATM needed and nothing more.

    Wow. Learned somethin' new.

    Carry on then.

    • Managers can be dumb sometimes. They think that if they use Windows on embedded systems that they'll save lots of time and money because they can hire cheap developers who don't need much training.

    • Re:wait a sec (Score:5, Informative)

      by toonces33 ( 841696 ) on Wednesday May 18, 2016 @08:10PM (#52138873)

      Most ATMs still run an embedded version of XP. This isn't the same as the XP that we all used to use, but a special version for embedded systems, but Microsoft has dropped support for it as well, and support ended this year on Jan 12th.

      • by dbIII ( 701233 )
        Some places cut corners and run the retail XP.
        Insane on so many levels especially since dedicated lines to ATMs are mostly a thing of the past now. The funny thing is this stuff crept in because security issues of the software were dismissed due to dedicated lines and being able to treat the ATMs as if they were on a well firewalled private LAN.
    • "There are ATM's running a version of Windows?"

      There is an easy way to identify the less-than-major banks that would do this: look for the armored car to be a bicycle messenger carrying a cigar box.

    • by Macdude ( 23507 )

      If it didn't have windows how are the guys that service the machine supposed to play minesweeper?

    • There are ATM's running a version of Windows?

      Yes indeed! In fact one of the reasons it was popular is so they could run nice full colour advertisements on them written in flash.

    • by jsepeta ( 412566 )

      Prior to XP they ran NT, or OS2/Warp.

  • by h4ck7h3p14n37 ( 926070 ) on Wednesday May 18, 2016 @08:15PM (#52138881) Homepage

    How does this malware get installed on a target machine? Is it installed by a technician on-site, or is it delivered over the bank's network?

    Wouldn't cryptographically signed software distributed by hand on read-only media put a stop to this? And why would you run some version of Windows instead of using a stripped-down purpose-built operating system? Is it simply a matter of cost trumping security?

    • by dbIII ( 701233 )

      And why would you run some version of Windows instead of using a stripped-down purpose-built operating system?

      MS marketing people were very active in the area a few years ago so they "won" the market. Add in place like Diebold with so many political and other connections that pull them in directions other than aiming for an effective product.

    • read only? that will stop the bank from pushing out new marketing ad's as part of the screen saver / slide show.

      also read only will not stop from loading into ram.

    • Re: (Score:3, Informative)

      by khz6955 ( 4502517 )
      Actually, once upon a time an ATM couldn't be programmed without the presence of a sealed hardware unit that couldn't be activated without entering two unique pass-codes entered by two bank officials, the codes being provided by a portable handheld device. Later on the banks 'upgraded' to Windows.
      • Actually, once upon a time an ATM couldn't be programmed without the presence of a sealed hardware unit that couldn't be activated without entering two unique pass-codes entered by two bank officials, the codes being provided by a portable handheld device. Later on the banks 'upgraded' to Windows.

        That sounds almost like a condensed version of computing in general.

    • by Locutus ( 9039 )
      it has to be connected to the Internet so Microsoft can keep track of how many users there are and what they do on their OS. Haven't you read the EULA lately?

      LoB
    • by AmiMoJo ( 196126 )

      Yes, it's down to cost. To build custom hardware and software is expensive, and it will have security flaws in it anyway. Since you have to spend money on physical security to protect the cash, you might as well use it to protect the USB port used for updates too.

      Security costs money. khz6955 talks about needing two secure keys, bank officials and sealed hardware etc, but in practice the money generated by having lots of cheap ATMs displaying adverts and reducing staff numbers far outweighs any losses to fr

    • Either through breaking in to access a USB jack, or by bribing an ATM service tech.

  • What genius decided it was a great idea to make Windows based ATM machines???
  • by jrq ( 119773 ) on Wednesday May 18, 2016 @08:38PM (#52138973)
    Why does the video show a fake(?) ATM dispensing the worst counterfeit $100 bill ever recorded?
  • ATM is an acronym for Automated Teller Machine, so 'ATM machine' is redundant.

  • by liqu1d ( 4349325 ) on Wednesday May 18, 2016 @10:12PM (#52139191)
    Where do I buy one of these magic cards?
  • by Fnord666 ( 889225 ) on Wednesday May 18, 2016 @10:26PM (#52139225) Journal

    Here is the original article [kaspersky.com] on the Kaspersky Labs site in case anyone is interested.

    The article at securelist.com [securelist.com] has a few more technical details and includes a list of the special track 2 values used to activate the functionality.

    • Thanks! I was trying to figure out what "If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream" meant. Which I now read means "The same file will be placed in the NTFS data stream corresponding to the XFS services executable file."
  • It's the most secure OS........ they've shipped.

    And quite the brilliant choice to be used for ATM machines, air traffic voice control systems, train signal systems, on the same LAN as a power plant status/control system, etc. What could possibly go wrong?

    LoB
  • by Anonymous Coward

    This is much like "identity theft" where nobody actually steals your identity (an impossibility). What has actually happened is that a bank or credit card company has engaged in a sloppy transaction with a store or other vendor and with a criminal. All three parties to the crime (none of which is YOU) have agreed to the transaction in your name and agreed not to verify that it is you. Then, when the completely reckless unverified deal went sour, the bank and the store agreed that it's YOUR fault and that Y

  • If we really want to try to install any kind of access security, at the very least the access code should not be on the card but at a (gosh) salted hashed dbase.

    I'd suggest going to chipped ATM cards as well, but from what I hear those are not particularly foolproof either.

    Pretty much any host computer is subject to a MITM attack vector here (the computer IS in the middle of the transaction)

  • Redundant term is redundant.
  • The PIN is entered on the pinpad, and checked by the chip on the card. The Windows machine behind all that never sees the PIN, the dialogue is only between those 2 components.

    Even with magstripes, the PIN is encrypted by the pinpad, and again all the windows part of the ATM can see is this encrypted version.

    I'm talking about ATMs from a big bank, maybe those small cash distributing machines (those who add 2$ fees to your 20$ withdrawal, yuck!) are much more vulnerable, but on our ATMs it's impossible for th

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...