Malware targetting banks ATM's

Published: 2009-06-04
Last Updated: 2009-06-04 11:13:34 UTC
by Raul Siles (Version: 2)
3 comment(s)

Interesting recent article (June 2009), thanks Martin, about evolving malware specimens targeting and compromissing bank ATM (Automated Teller Machines) devices in Eastern Europe. It complements a previous similar article (March 2009, original post) . Additional  technical details are available here (PDF file).

The most interesting sections are its advanced ATM specific capabilities (hey, the ATM has a printer, so let's use it), the backdoor management interface (with different privilege levels), the option to force the machine to dispense all its cash, and that it works against ATM's from multiple vendors (although all ATM's were Windows XP based).

The main point is, really, how did the ATM's get infected in the first place? Physical access is mentioned (insider threat?), but I wonder: Would we see this kind of malware silently spreading through the banks private financial networks?

Do you trust your bank ATM's?

Raul Siles

Keywords: ATM malware
3 comment(s)


The bank I worked at for 10 years had problems with the Blaster Worm infecting the Windows ATMs. It made it to our internal network from one badly configured / patched / no AV server that was put on the Internet by a department that should have known better and never really left. Our AV was McAfee, but we didn't have ePO or anything to manage it at the time (relied on FTP settings on local systems). Blaster would hit the ATMs, but have no impact on the ATMs ability to be an ATM. Luckily, we never had anything that was designed to hit an ATM. It was easier to install a skimmer on the physical ATM than to hack them. Physical security was *always* the preferred way for someone to compromise an ATM. Interesting to see software finally catch up. Eventually, we put Sygate Firewalls on the ATMs (because that is what Diebold would support) and we quit getting infected by Blaster.
force the machine to empty? damn, where do i get this code? hahaha
There is the possibility that code was injected through the card reader itself. One would want to look carefully at that driver. I would think that an operating system with fewer resource requirements, and inherently fewer holes, would be more appropriate for this application, but I digress.

Diary Archives