
Trojan.Skimer.18 infects ATMs - napolux
http://news.drweb.com/show/?i=4167&lng=en&c=5#.UrC9v9hSLc8.twitter
======
viraptor
I'm still really surprised every time I see a Windows-based ATM. Why would a
full, general-purpose OS be included in those machines that need to do just
under 10 operations?

I know it's easier to deal with it that way, but just to limit the exposed
code, it could be based on something much more restricted. If it was small
enough, it could even reboot / netboot itself between each operation to
prevent any modifications being stored locally.

~~~
jboggan
Most of the machines in service were older and running OS/2 which was an
awesome system. Some major banks (BoA, Chase, WellsFargo, etc.) ran newer
machines that had fancier features like check image recognition. Those meant a
move to newer OSes but that was a limited case.

The actual reason OS/2 is gone and all these ATMs are running Windows is
because of companies like NCR and Diebold lobbying the government to put new
language in the Americans with Disabilities Act [1]. It required every ATM to
be capable of text-to-speech translation, which the older hardware and OS/2
systems were not capable of (most of the machines I was pulling had 133 MHz
processors and less than 64 MB of RAM). This meant 1) new hardware sales, 2)
new software sales, and 3) selling custom ad campaigns to run on the shiny new
color screens and new hardware.

The industry had been stagnant for a while in hardware and software sales; the
deadline of March 15, 2012 was a great shot in the arm for NCR and Diebold.
Lest you think this really was about helping people with disabilities, the
vast majority of ATMs that I 'upgraded' were drive-through units sitting on
concrete pallets in bank parking lots, too high or too inconveniently placed
for anyone to use unless they were driving in a car. I did get some very
positive feedback from the blind and their friends (who knew the IRS employs so
many blind folk?) when I installed some of the walk-up units, but the large
majority were drive-throughs.

[1] - http://www.americanbanker.com/magazine/121_10/atm-accessibility-ada-compliance-1042410-1.html

~~~
TheCraiggers
Thank you for eliminating the last remnants of hope I had for our system of
government. I know lots of people say that nothing is done without a monetary
reason, but I still held out hope that at least some legislation was created
with entirely benevolent reasons.

Bah.

~~~
nebulasri
Welcome to my world :)

I thought in the US things might work differently, but it seems it's just
like "the grass is greener on the other side".

------
jboggan
The screenshot shows APTRA which means this is an NCR machine. I've commented
on threads here before about how freaking vulnerable and buggy many of the NCR
machines are, since they are essentially running Windows XP and are
infrequently manually patched with the monthly fixes. There are only three major
lock types for the older machines, and the internal cage has several PS/2 and
USB drives open. There's a manufacturer admin password (one for APTRA Advance
and one for APTRA Edge) that lets you get into XP, and then you can do whatever
you want.

------
nwh
That's an incredibly bad job at blurring the sample. It's visible both through
the blur... and in the text view on the right.

http://st.drweb.com/static/news/20131216-trojan.skimer.18/1g.png

~~~
anonymfus
Text view in code page 866:

http://en.wikipedia.org/wiki/Code_page_866
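
The "text view" column of a hex dump is just the same bytes rendered through a single-byte code page, so the right-hand column of the screenshot reads as Cyrillic only because the viewer used CP866. The following is an added example, not code from the Dr.Web write-up or from anyone in this thread: a small hex-dump routine whose text column can be decoded with CP437, CP866 or CP1251 side by side. The sample bytes and the function names are my own constructions.

```python
"""Hex dump with a selectable single-byte code page for the text column.

Added example, not code from the Dr.Web article or from anyone in this thread.
It shows why the "text view" column next to a hex dump reads as Cyrillic when
the dump is rendered with code page 866: the bytes are identical, only the
mapping of 0x80-0xFF differs.  SAMPLE is a constructed byte string, not data
taken from the malware sample in the screenshot.
"""

# Constructed sample: ASCII, a CR/LF pair, then six high bytes that CP866 maps
# to the Cyrillic word "Привет", then two control bytes.
SAMPLE = b"ATM log\r\n" + bytes([0x8F, 0xE0, 0xA8, 0xA2, 0xA5, 0xE2]) + b"\x00\x01"

CODEPAGES = ("cp437", "cp866", "cp1251")


def printable(byte_value: int, codepage: str) -> str:
    """Map one byte to the character the given code page assigns to it.

    Control bytes (0x00-0x1F, 0x7F) become '.' as in a classic hex viewer.
    CP437 and CP866 define all 256 positions; CP1251 leaves 0x98 undefined,
    so decode with errors="replace" to never raise on arbitrary input.
    """
    if byte_value < 0x20 or byte_value == 0x7F:
        return "."
    return bytes([byte_value]).decode(codepage, errors="replace")


def text_column(data: bytes, codepage: str) -> str:
    """Render the whole buffer the way the text column of a dump would."""
    return "".join(printable(b, codepage) for b in data)


def hexdump(data: bytes, codepage: str, width: int = 16) -> list:
    """Return dump lines: offset, hex bytes, and the code-page text column."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        # Pad the hex column so the text column lines up on a short last row.
        hex_part = hex_part.ljust(width * 3 - 1)
        lines.append(f"{offset:08x}  {hex_part}  |{text_column(chunk, codepage)}|")
    return lines


def compare_codepages(data: bytes, codepages=CODEPAGES) -> dict:
    """Same bytes, one text column per code page, keyed by code page name."""
    return {cp: text_column(data, cp) for cp in codepages}


if __name__ == "__main__":
    for cp in CODEPAGES:
        print(f"--- text column as {cp} ---")
        print("\n".join(hexdump(SAMPLE, cp)))
```

Running it prints the same 17 bytes three times; only the column between the `|` markers changes, which is exactly the difference between the blurred dump and the readable text view beside it.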

~~~
nwh
I'd completely forgotten the name of it, thanks!

------
JimmaDaRustla
Many countries with EMV standards implemented (Canada, European countries,
Japan, etc.) will use chip over the mag stripe on the back. When this article
refers to Track 2 data, it is referring to the magnetic stripe.

Of course, if your card has a mag stripe, it is still susceptible to this
attack if you use it in an ATM which reads the track data and has the virus.

~~~
brazzy
The malware reaches extremely deep into the ATM software to decrypt the PIN -
it could easily also capture the data which the machine got from the chip.

~~~
JimmaDaRustla
You obviously don't understand how chip cards work.

Unlike mag-stripe, data elements are not accessible on the chip. The PIN check
is performed on the chip card itself, and a PIN cryptogram returned for use in
the online transaction. The PIN does not get decrypted at the ATM.

~~~
brazzy
Actually I didn't know the details but had thought that would be the safest
method to deal with the PIN. But I assumed you were talking about the
equivalent of the "Track 2 data", i.e. issuer ID, account number, etc. Is that
also kept away from the ATM?

As for the PIN - if the encryption happens in the chip card, how does it get
from the PIN pad to the card in a way that cannot be intercepted?

And finally, what prevents compromised ATM software from displaying "please
enter PIN now" while keeping the PIN pad in the direct mode used to enter the
amount?

------
ChuckMcM
Personally, I consider this the real problem 'fire and forget' systems based
on large complex code bases. The US Military invested a ton of money in the
development of Ada to try to address some common issues (like you can verify
the code still meets the specification).

------
mschuster91
Why implement a card skimmer? It'd be far more profitable to write a program
which dumps the whole cash in the ATM upon insertion of a special card...
saves the cloning costs.

~~~
acallaghan
That's an obvious way of stealing money, just by taking the cash. I'm assuming
the serial numbers of the money in an ATM are noted, or known by the
distributor, so proving a criminal used stolen money after the fact is not too
hard.

The operation of this trojan is much more subversive and discreet, whereby it
waits and skims card details to be sold on to a third party (assumedly), and
is then able to revert the ATM back to a factory state, so it's much more
difficult to detect if there's an audit on the machine, or it breaks and is sent
for repair.

NOTE TO THE NSA/GCHQ: These are educated guesses; I'm not a thief/trojan
writer etc.

------
warfangle
How can I tell if an ATM I'm about to use is vulnerable to this?

