INSECURITY FIRM Trustwave Spiderlabs has reported that automated teller machines (ATMs) running Microsoft Windows XP are vulnerable to an automated attack that can nick bank account numbers and personal identification number (PIN) codes.
The briefing (PDF) says that several variants of the malicious software were discovered on hacked cash machines in Eastern Europe.
Reading between the lines, it seems only a matter of time before criminals deploy such attacks more widely against ATMs located throughout the world.
The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted into an ATM card reader to mount a buffer overflow attack. The machine is then compromised by replacing the isadmin.exe file.
The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:\WINDOWS directory.
Once the malicious lsass.exe program is installed, it collects users' account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.
Once the ATM is under the control of a human attacker, the attacker can perform various functions, including harvesting the purloined data or even ejecting the cash box.
Trustwave's briefing concludes it "highly recommends ALL financial institutions with ATMs under management perform analysis of their environment to identify if this malware or similar malware is present."
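One way to act on that recommendation is a file-integrity check: snapshot the hashes of a known-clean ATM image, then compare a machine under review against it and flag files whose contents changed, files that appeared from nowhere, and copies of protected system binaries sitting outside their normal directory. The script below is an added example written for this article, not Trustwave's tool or part of the briefing. It assumes only what the article states (the two replaced files, isadmin.exe and lsass.exe, and a rogue lsass.exe dropped directly under C:\WINDOWS) plus one fact it does not: the genuine lsass.exe ships in %SystemRoot%\System32, so a copy in the Windows root is out of place by itself. The directory tree and file contents it checks are constructed in a temporary folder for the demonstration; the vendor directory "atm" is hypothetical.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Binaries named in the article, mapped to the directory the genuine copy is
# expected to live in. isadmin.exe is a vendor component whose location the
# article does not state, so no placement rule is applied to it (assumption).
WATCHED_BINARIES = {
    "lsass.exe": "system32",
    "isadmin.exe": None,
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every file under root, keyed by a forward-slash relative path."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the tree under root against a known-good baseline."""
    current = build_baseline(root)
    findings = {"modified": [], "missing": [], "unexpected": [], "misplaced": []}
    for rel, digest in baseline.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)        # contents replaced in place
    for rel in current:
        if rel not in baseline:
            findings["unexpected"].append(rel)      # file not in the clean image
        name = rel.rsplit("/", 1)[-1].lower()
        expected_dir = WATCHED_BINARIES.get(name)
        parent_dirs = rel.lower().split("/")[:-1]
        if expected_dir and expected_dir not in parent_dirs:
            findings["misplaced"].append(rel)       # system binary outside its home
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, apply the two file
    replacements the article describes (using harmless placeholder bytes,
    not real malware), then re-check against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        win = root / "WINDOWS"
        (win / "system32").mkdir(parents=True)
        (root / "atm").mkdir()  # hypothetical vendor directory
        (win / "system32" / "lsass.exe").write_bytes(b"genuine lsass placeholder")
        (root / "atm" / "isadmin.exe").write_bytes(b"genuine isadmin placeholder")
        baseline = build_baseline(root)

        # Simulated compromise: isadmin.exe swapped, rogue lsass.exe in C:\WINDOWS.
        (root / "atm" / "isadmin.exe").write_bytes(b"replaced isadmin placeholder")
        (win / "lsass.exe").write_bytes(b"rogue lsass placeholder")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real machine the baseline would be taken from a clean vendor image and the check pointed at a mounted copy of the suspect disk rather than the live system, so that any malware already running cannot interfere with the comparison.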
What financial institutions do after that will be up to them, of course. But we'd suggest that they look toward replacing their vulnerable ATMs running Windows XP with other machines that don't run any Microsoft software, as it is known to be insecure. µ