Updated Skimer Malware Infects ATMs Worldwide (thestack.com)
An anonymous reader writes: Researchers at Kaspersky have discovered an improved version of Backdoor.Win32.Skimer infecting ATM machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine. The malicious installers use the packer Themida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult. Skimer may lie dormant for months until it is activated with the physical use of a "magic card," which gives access control to the malware, and then offers a list of options that are accessed by inputting a choice on the pin pad. The user can then request the ATM to: show installation details, dispense money, start collecting the details of inserted cards, print collected card details, self delete, enable debug mode, and update. Here's a video of the Skimer malware in action.
Missing an M? (Score:1)
Re: (Score:1)
Nope, that's correct. It's a new technique based on a Russian word that means "gullible".
Re: (Score:1)
Re: (Score:2)
Got it, the all knowing Google apparently isn't so hip to this.
Most Wonderful He-Got-Whooshed message of the decade!
Re: (Score:1)
Indeed. I sooo hate "Replies returned for (Google corrected version)" "Choose the actual spelling you entered instead"
Great.. so if the great Mr G doesn't like my spelling I have to take three steps instead for every word or phrase...
Re: "Didn't you mean...?" Er, no, Mr Google sir.. if I had meant that I would have said so. And how long before they disable unapproved words or spellings altogether?
YaVol! Za! All bow down before ze mighty Alphabet.. Ya!
Re: (Score:2)
so not schemer
Re: (Score:3, Funny)
Re: (Score:1)
Using the magical oracle known as "Google", we find the answer to that question is...
ATM malware [securityweek.com]
ATM malware [securelist.com]
ATM malware [hackread.com]
ATM malware [pcworld.com]
ATM malware [kaspersky.com]
ATM malware [darkreading.com]
(you probably get the idea by now: "Skimer" is ATM malware)
Re: Missing an M? (Score:2)
You probably didn't get the idea that it's spelled "skimmer" (two M's). You might also try reading your own subject line.
I am afraid it is you who is incorrect. A skimmer is a device, usually electromechanical, that you install in or on a legitimate card reader to illicitly read card numbers. This malware is a new version of "Backdoor.Win32.Skimer" (really, actually spelled with one "m"). While the malware can skim card numbers, it can do much more - including collecting PINs and telling the ATM to dispense cash. Given the capabilities of the malware, it's better to refer to it by its proper name or as malware. If you read t
ATMs running Windows. (Score:5, Insightful)
This is just begging for it.
Re: (Score:2)
The ones to blame are the banks trying to get a cheap solution.
It's not too hard to code for Windows, but it's also the most targeted OS when it comes to malware. And it's not easy to figure out all possible attacks since Windows is very bloated - even the lighter versions usually have a lot of unnecessary stuff floating around.
Re: (Score:2)
And they were being exploited even before the Windows ATMs were.
Re: (Score:2)
They would like to pay for support, but someone just emptied the ATMs.
Re: (Score:1)
Re: (Score:2)
There's a bunch of different versions of Windows XP embedded. Some of them were EOL with the regular version of Windows XP. A bunch were just EOL earlier this year. A few specialized versions are supported until sometime in 2019.
Re: (Score:2)
And if [the ATMs] were running Linux, [the hackers] would exploit Linux
That's very true -- the real question is, why should an ATM (or any other security-critical dedicated device) be capable of running any off-the-shelf software at all?
If I was in charge of designing ATMs, I'd ask for an OS that only runs programs that are encrypted and signed with my company's super-secret private key. That way even if someone somehow got their malware loaded onto the box, the OS would be literally incapable of executing the malware's code. (ideally the CPU itself would be customized to us
Re: (Score:2)
In other words, use a Micro-channel architecture machine running OS/2.
Actually, why not ask IBM to make an ATM out of an AS/400 running OS400? Proprietary code on closed hardware, can't go wrong.
Re: (Score:2)
Nah - I'd go for a solution built on an embedded kernel on a processor that isn't that common, like the Zilog Z8 family. (Not compatible with Z80)
Or use an FPGA solution.
If done right it's a lot harder to plant malicious functionality into the ATMs.
Re: ATMs running Windows. (Score:1)
Re: ATMs running Windows. (Score:2)
Re: ATMs running Windows. (Score:2)
Re:ATMs running Windows. (Score:5, Insightful)
Re:ATMs running Windows. (Score:5, Informative)
I do security for embedded systems, and you both misunderstand the problem.
An ATM is supposed to have physical security. It's full of money. If it isn't physically secure, you can just take the money out.
So it's reasonable to use an OS and not bother to update it (I guarantee, even if it was Linux it wouldn't get updates, because updates can break stuff and the manufacturer doesn't want the customer screaming at them to send an engineer to their Hawaii branch right away because their customers are screaming at them). Even if you do update it, there are always zero days, some flaws might be in things like firmware that can't or won't be updated anyway, someone will just rip the circuit board out and replace it with their own, etc. So forget that, your main defence is physical security.
Same as on the outside actually. If you don't physically secure the customer facing part of the ATM, someone will install a skimmer and camera to capture PIN numbers.
It's nice to have a USB port for non-OS updates, because sometimes your customer will want to change the adverts being displayed or add a new feature. Like the money box, it needs to be physically protected. The mistake these guys made was to not protect the port properly. There was a lock, but staff often left it open because they didn't see the security risk, or they were the ones installing the malware.
Banks just accept this, because even with fraud it's cheaper than employing human tellers.
Re: (Score:2)
Re: (Score:3)
ATMs use either a dedicated network or a VPN connection with hard coded IP addresses (to avoid DNS issues). All incoming connections should be firewalled, which even on XP is enough to secure it.
Re: (Score:3)
I agree here - it's possible to exploit Linux as well, it would be necessary to use an operating system that's stripped down to the bare essentials of what's needed in an ATM to get rid of possible exploits.
The early ATMs were harder to hack from this perspective since they were running their own software. They probably had some other security issues instead, so everything wasn't better.
Re: ATMs running Windows. (Score:3, Interesting)
TiVo did solve this problem on Linux: custom kernel requires apps to be digitally signed. Custom chip on the mobo requires the kernel to be signed. If you want to hack a modern TiVo (series 3 or newer), you need to replace a custom chip soldered to the mobo.
This is why there's an anti-TiVo clause in the GPLv3.
If ATMs followed this model, it would prevent software hacks like this one. To compromise the ATM, you'd have to open it up and replace hardware. If you can do that, it's easier to just take the mo
Re: (Score:3, Informative)
To compromise the ATM, you'd have to open it up and replace hardware. If you can do that, it's easier to just take the money.
And this, essentially, is the answer to the article, end of story. I'd upvote if I had the points. However, this being /., the discussion below continues in the vein of "my OS is better than yours".
Re: (Score:3)
Kaspersky recommends that banks keep an eye out for 'magic card' information, which will show up on their processing logs and can help to detect potentially infected ATMs.
Kaspersky however did not choose to comment on the unprotected usb ports on these machines. And did not choose to disclose that they paid a bunch of school kids $5 to make that fake video .
Re: (Score:1)
"And if you sit there and say Linux is not exploitable, then your a fucking moron."
Did I say that in my post? Did I say in my post I wanted them running Linux? Did I say anything about another operating system? Did I say or even imply that there was an unhackable operating system in existence?
Please do enlighten me about what mental gymnastics you had to go through to arrive at your conclusions about my post.
Re: (Score:2)
Legion of Grammar Nazis appearing!
Re: (Score:1)
Nice strawman. Where in my post did I say I wanted them running Linux?
Re: (Score:2)
Don't blame Windows for incompetent banks you hacky sack kicking hipster. All they had to do is run a relatively current version of Windows and turn on AppLocker and this crap wouldn't even be possible without the kind of breach that would leave much more lucrative targets exposed. Meanwhile nobody has a week and a half to download then cross-their-fingers-and-compile all of the crap you would need to make an alternative Linux based ATM scheme secure. Most of these devices still use dial-up modems AND a wid
Windows is still legal? (Score:2, Insightful)
Yow, you'd think it would be banned by now, it's such a shack of sit.
wait a sec (Score:1)
Just a sec here.
There are ATMs running a version of Windows?
I genuinely had no idea that was a thing. I always figured they would use some hardened, embedded OS or custom thing doing only what the ATM needed and nothing more.
Wow. Learned somethin' new.
Carry on then.
Re: (Score:3)
Managers can be dumb sometimes. They think that if they use Windows on embedded systems that they'll save lots of time and money because they can hire cheap developers who don't need much training.
Re:wait a sec (Score:5, Informative)
Most ATMs still run an embedded version of XP. This isn't the same as the XP that we all used to use, but a special version for embedded systems. Microsoft has dropped support for it as well; support ended this year on Jan 12th.
Re: (Score:2)
Insane on so many levels especially since dedicated lines to ATMs are mostly a thing of the past now. The funny thing is this stuff crept in because security issues of the software were dismissed due to dedicated lines and being able to treat the ATMs as if they were on a well firewalled private LAN.
Re: (Score:2)
"There are ATMs running a version of Windows?"
There is an easy way to identify the less-than-major banks that would do this: look for the armored car to be a bicycle messenger carrying a cigar box.
Re: (Score:2)
If it didn't have windows how are the guys that service the machine supposed to play minesweeper?
Re: (Score:2)
There are ATMs running a version of Windows?
Yes indeed! In fact one of the reasons it was popular is so they could run nice full colour advertisements on them written in flash.
Re: (Score:2)
Prior to XP they ran NT, or OS/2 Warp.
Why is ATM malware possible? (Score:4, Interesting)
How does this malware get installed on a target machine? Is it installed by a technician on-site, or is it delivered over the bank's network?
Wouldn't cryptographically signed software distributed by hand on read-only media put a stop to this? And why would you run some version of Windows instead of using a stripped-down purpose-built operating system? Is it simply a matter of cost trumping security?
Re: (Score:3)
MS marketing people were very active in the area a few years ago so they "won" the market. Add in place like Diebold with so many political and other connections that pull them in directions other than aiming for an effective product.
Re: (Score:2)
read only? that will stop the bank from pushing out new marketing ads as part of the screen saver / slide show.
also read only will not stop from loading into ram.
Re: (Score:3, Informative)
Re: (Score:2)
Actually, once upon a time an ATM couldn't be programmed without the presence of a sealed hardware unit that couldn't be activated without entering two unique pass-codes entered by two bank officials, the codes being provided by a portable handheld device. Later on the banks 'upgraded' to Windows.
That sounds almost like a condensed version of computing in general.
Re: (Score:2)
LoB
Re: (Score:2)
Yes, it's down to cost. To build custom hardware and software is expensive, and it will have security flaws in it anyway. Since you have to spend money on physical security to protect the cash, you might as well use it to protect the USB port used for updates too.
Security costs money. khz6955 talks about needing two secure keys, bank officials and sealed hardware etc, but in practice the money generated by having lots of cheap ATMs displaying adverts and reducing staff numbers far outweighs any losses to fr
Re: (Score:2)
Either through breaking in to access a USB jack, or by bribing an ATM service tech.
Wait... (Score:1)
Re: (Score:2)
who ever killed OS/2 at IBM.
Re: (Score:1)
The day Bill Gates screamed IBM's house down [theregister.co.uk]
Confused. (Score:3)
Re: (Score:2)
Re:Confused. (Score:4, Funny)
Why does the video show a fake(?) ATM dispensing the worst counterfeit $100 bill ever recorded?
They must have done a bunch of takes. I think the person on the left has to pee.
Bosco! Bosco! (Score:2)
So you are telling me that a PIN has to be a number?
Re: (Score:1)
To be fair to the anon submitter, that summary was copied from "thestack", where the person who wrote it was not anonymous.
Nicky Cappella https://thestack.com/author/nicky-cappella/ is the fucking moron in this instance.
The original kaspersky article does not contain either fuckup.
http://www.kaspersky.com/about/news/virus/2016/ATM-is-a-New-Skimmer
It's about time that slashdot stopped linking to fucking middle-men, and started linking to the actual source. (Although pointing out additional research from thir
Re: (Score:2)
People have been calling them "ATM Machines" and "PIN Numbers" since the 80s.
There are many commonly used phrases and acronyms (in American English) that don't follow a grammatically correct logic, yet are used constantly.
Deal with it.
Department of redundancies department (Score:2, Insightful)
ATM is an acronym for Automated Teller Machine, so 'ATM machine' is redundant.
Hot water heater (Score:2)
. . . and I suppose you are going to tell me it is called a "water heater"?
Re:Department of redundancies department (Score:5, Informative)
Re: (Score:2)
This article is missing a link (Score:5, Funny)
Re: (Score:3)
Where do I buy one of these magic cards?
You can buy an entire pack [wikipedia.org] of them at any gaming store.
Re: (Score:1)
Original Post by Kaspersky Labs (Score:3)
Here is the original article [kaspersky.com] on the Kaspersky Labs site in case anyone is interested.
The article at securelist.com [securelist.com] has a few more technical details and includes a list of the special track 2 values used to activate the functionality.
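The log check Kaspersky recommends earlier in the thread, and the track-2 activation values the securelist article lists, as an added Python example that is not code from Kaspersky, securelist or this page: it flags card reads whose track-2 data is on a watchlist, does not parse as ISO 7813 track 2, or carries a PAN that fails the Luhn check. The log format, the watchlist entry and the sample lines are constructed, and the Luhn heuristic is an addition here rather than something the page states.

```python
import re

# Constructed watchlist: the real activation track-2 values are in the securelist write-up, not here.
MAGIC_TRACK2_WATCHLIST = {"0000000000000000=00000000000000000000"}
# ISO 7813 track 2: PAN (up to 19 digits), '=', YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r"^(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)$")
# Assumed log format (constructed, not any vendor's): "<ts> atm=<id> track2=<data> ..."
LOG_RE = re.compile(r"atm=(?P<atm>\S+)\s+track2=(?P<track2>\S+)")


def luhn_ok(pan):
    """Luhn check: issued card PANs pass it, arbitrary digit strings usually do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_track2(track2):
    """Return why a track-2 read looks like an activation card, or None for a normal card."""
    if track2 in MAGIC_TRACK2_WATCHLIST:
        return "track-2 matches a watchlisted activation value"
    m = TRACK2_RE.match(track2)
    if m is None:
        return "track-2 does not parse as ISO 7813"
    if not luhn_ok(m.group("pan")):
        return "PAN fails Luhn check (added heuristic: not an issued card number)"
    return None


def scan_log(lines):
    """Return (line_no, atm_id, reason) for every logged card read that trips a check."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m is None:
            continue  # no card read logged on this line
        reason = check_track2(m.group("track2"))
        if reason:
            alerts.append((n, m.group("atm"), reason))
    return alerts


# Constructed sample: a normal withdrawal, a watchlisted card, a bogus PAN, a heartbeat line.
SAMPLE_LOG = [
    "2016-05-17T10:02:11 atm=ATM-0042 track2=4111111111111111=21121011234567890 amount=20.00",
    "2016-05-17T10:05:48 atm=ATM-0042 track2=0000000000000000=00000000000000000000 amount=0.00",
    "2016-05-17T10:06:02 atm=ATM-0042 track2=4111111111111112=2112101 amount=0.00",
    "2016-05-17T10:07:30 heartbeat atm=ATM-0042",
]
```

In a real processing system the PAN in logs is normally masked, so the match has to run wherever the host still holds the full track-2 read.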
Re: (Score:2)
Give em a break, Windows is the most secure (Score:2)
And quite the brilliant choice to be used for ATM machines, air traffic voice control systems, train signal systems, on the same LAN as a power plant status/control system, etc. What could possibly go wrong?
LoB
Don't let them misdirect your attention! (Score:1)
This is much like "identity theft" where nobody actually steals your identity (an impossibility). What has actually happened is that a bank or credit card company has engaged in a sloppy transaction with a store or other vendor and with a criminal. All three parties to the crime (none of which is YOU) have agreed to the transaction in your name and agreed not to verify that it is you. Then, when the completely reckless unverified deal went sour, the bank and the store agreed that it's YOUR fault and that Y
not to mention PINs being on the magstripe (Score:2)
If we really want to try to install any kind of access security, at the very least the access code should not be on the card but at a (gosh) salted hashed dbase.
I'd suggest going to chipped ATM cards as well, but from what I hear those are not particularly foolproof either.
Pretty much any host computer is subject to a MITM attack vector here (the computer IS in the middle of the transaction)
"ATM Machines" "PIN numbers" *twitch* (Score:1)
access to the PIN? (Score:2)
The PIN is entered on the pinpad, and checked by the chip on the card. The Windows machine behind all that never sees the PIN, the dialogue is only between those 2 components.
Even with magstripes, the PIN is encrypted by the pinpad, and again all the windows part of the ATM can see is this encrypted version.
I'm talking about ATMs from a big bank, maybe those small cash distributing machines (those who add 2$ fees to your 20$ withdrawal, yuck!) are much more vulnerable, but on our ATMs it's impossible for th