What? Our ATMs are still running Microsoft Windows?


Cartoon hacker with laptopOver the past decade we have seen some major viruses and worms infect systems running Microsoft Windows, where computers were often infected by a Trojan which then installed a malicious program, which then sustains itself by updating the registry file for the auto-startup on the system. In this way the malicious program would stay resident on the computer, and would often change its name to defeat defence systems. The malware would often only start resident for a short time on the host, and even try to disable the security controls to avoid being detected. On a more secure and locked-down system, it was more difficult for the malware to be downloaded or installed on the system, so the way round this was to force the Windows host to boot from a bootable CD, which give administrator access to the machine, and then could be used to install malicious software, with the normal controls that the operating system would place on the system. This is basically what has happened with the recent ATM back, where operators booted the ATM system from CD, in order to install the malware, which was then access at set times of the week, and with a randomly generated six-digital code. It seems amazing in these days or more secure systems, that a simple boot from CD on an ATM can result in money being withdraw at will. Figure 1 provides an overview for the hack.

atmFigure 1: ATM hack

Malware on Cash Machines

There are two key principles in computer security:

  • The overall security of the system is only as strong as the weakest link.
  • Systems need to be designed to reduce the surface area for an attack.

Unfortunately, as the back-end systems become more secure, intruders are focusing on the development of malware at the front-end device, and where the surface area for attacks is at its greatest. Recently Home Depot , in the US, discovered that at least 56 million credit and debit card details have been compromised from all of it 2,200 stores in the United States, using a malware agent running on the PoS (Point of Sale) devices, and which has been running from April 2014 to the beginning of September 2014 before it was detected. This came after a similar hack at Target hack which exposed an estimated 40 million cards, and where a large number of credit and debit cards have appeared on the credit card clearing house site: rescator.cc .

Skimming devices are well known within ATMs, where an integrated camera and a card skimmer are used to read the details of the pin number and the card details when the user tries to withdraw cash. A while back the manufactures selected their operating system of choice, and in many cases it was initially OS/2 (which was developed jointly by IBM and Microsoft), but it is increasingly a standard build of Microsoft Windows. As Windows is often open to a range of vulnerabilities, it is now the case for ATM machines.

With the use of standard operating systems, such as Microsoft Windows, it has not taken long before intruders could probe the operation the card processing system in the ATM. Early this year Bruce Schneier outlined a new method of encoding malware onto the bank card and drops a file onto the ATM (isadmin.exe file). The isadmin.exe file was then used to replace lsass.exe (which has previously been compromised by the Sasser Worm) with a malicious version, and which then collected credit card details and PIN numbers. These details are then harvested when the hacker inserts a special control card into the ATM to gather user details, and, possibly, ejecting the cash storage unit.

The latest malware is Backdoor.MSIL.Tyupkin, and which is continually running on the system, but will only accept input commands on a Sunday and Monday night, uses a six digital key sequence that can only be generated by the gang leader. When entered correctly, the ATM displays the amount of money in the cassettes, and allows up to 40 notes to be extracted from the ATM.The malware differs from the one outlined by Bruce Schneier as it requires physical access to the ATM to install the malware, where the operator inserts a bootable CD into the ATM controller and which installs the malware. The money gatherer then gains access the ATM with a special six digit code, which is only told to them when they are ready to withdraw the money, as the malware gang do not want anyone going it alone. At present the malware has been active on at least 50 ATMs in Eastern Europe, but could also be infecting units in the USA and India.

Technical details

The installed malware basically copies the malware file of ulssm.exe into the c:\windows\system32 folder and which is sustained on the system by modifying the [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] registry key (Figure 2). This registry key is used to run programs automatically on startup, and thus the malware will stay on the ATM, when it is rebooted.  Once infected it then interacts with ATM through MSXFS.dll (Extension for Financial Services – XFS), and to avoid detection it will only allow access controller commands on Sunday and Monday evenings.

Screen Shot 2014-10-10 at 07.12.50Figure 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key example

The following shows an example of malware installing itself onto a system, and then hiding, and updating the Windows registry to run itself when started (go to 25 mins 20 seconds for the examination on the registry for the Run registry key):


The current threat of CD booting and malware installation on ATMs, with sustained access through a start-up registry key, has been on standard desktops for the last decade, and few lessons have been learnt in terms of the security for physical access to the devices, and also in the rights that malware software can gain on the system. While many companies will focus on the interface with the user, it is often the debugging and diagnostic side which can provide ways into a system.

Most embedded control systems now too are locked-down so that no additional system can be installed, but the choice of standard builds of Microsoft Windows seems to provide easy mechanisms for malicious updates. Microsoft Windows, too, as the core operating systems for ATMs seems to be putting ATMs at great risk, especially it is allows hackers the opportunity to simulate and craft their malware on well-known versions of the operating system.

At the core of this attack is the physical access to the device, and thus access needs to be carefully monitored, but the key lesson, is that the operating system needs to be completely locked-down, and which provides only the software components required to accept user input and dispense of the cash in a reliable way. To still rely on Windows Registry keys, and for them to be updated by the booting of a CD, and to allow malicous programs, seems archaic and where we were over a decade ago with our desktops.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s