Trustwave’s SpiderLabs performed the analysis of malicious software (malware) found
installed on compromised ATMs (Automated Teller Machines) in the Eastern European
region. This malware captures magnetic stripe data and PIN codes from the private memory
space of transaction-processing applications installed on a compromised ATM. The
compromised ATMs discussed in this briefing ran Microsoft’s Windows XP operating system.
The malware contains advanced management functionality allowing the attacker to fully
control the compromised ATM through a customized user interface built into the malware.
This interface is accessible by inserting controller cards into the ATM’s card reader.
SpiderLabs analysts do not believe the malware includes networking functionality that
would allow it to send harvested data to other, remote locations via the Internet. The
malware does, however, allow for the output of harvested card data via the ATM’s receipt
printer or by writing the data to an electronic storage device (possibly using the ATM’s card
reader). Analysts also discovered code indicating that the malware could eject the cash-
dispensing cassette.
What follows is a high-level summary of the key features identified during Trustwave’s in-
depth analysis of the malware sample. It is, however, believed that this is a relatively early
version of the malware and that subsequent versions have seen significant additions to its
functionality.
Method of Infection of the ATM
The malware is installed and activated through a dropper file (a file that an attacker can use to
deploy tools onto a compromised system) by the name of
isadmin.exe. It is a Borland
Delphi Rapid Application Development (RAD) executable and is essentially a replacement for
the original
isadmin.exe utility written by Bill Stewart (www.westmesatech.com/wast.html).
The dropper binary contains a Data Resource (RCDATA) named
PACKAGEINFO which in turn
contains the actual malware.
Executing the dropper file produces the malware file
lsass.exe within the C:\WINDOWS
directory of the compromised system and does so via functionality provided by a Windows API
(Application Programming Interface).
Once the malware is extracted, the dropper proceeds to manipulate the ‘Protected Storage’
service—this normally handles the legitimate
lsass.exe executable, located in the
C:\WINDOWS\system32 directory—to point towards the newly created malware. The
service is also configured to automatically restart in the event that it crashes, ensuring that the
malware remains active.
Targeting Track Data
The malware itself is also a Borland Delphi Graphic User Interface (GUI)-compiled executable,
launched as a Microsoft Windows service. It contains the ability to enumerate the available
printing devices. Once active, the malware intercepts ATM transactions by injecting code into
targeted processes through the binary modification of these processes in memory.
The first process targeted by the malware appears to be a system-messaging utility, while the
other is a form of ATM software service.
Once it resides in the memory, the malware polls the transaction message queue looking for
track 2 data from the current transaction. It then performs a level of validation and
manipulation against this track data to determine whether the transaction is the attacker’s
trigger or controller card or a valid transaction involving track data that the malware collects
by recording it in a file. The trigger cards (either a master function card or a single function
card) allow an attacker to interact with and control both the malware and the ATM.
When the parsing routine fails to identify a trigger card, the malware stores the transaction
information in a temporary file named
tr12 in the C:\WINDOWS directory. The malware
harvests transactions as well as balance enquiries provided the currency indicated is American
Dollar (USD), Russian Rouble (RUR) or the Ukrainian Hryvnia (UAH).
Additionally, the malware harvests what is believed to be key or PIN data, saving the
information in a file
C:\WINDOWS\kl.
Primary Command Options and Functionality
When a trigger card is detected, a small window appears giving the user 10 seconds to select
one of 10 command options using the ATM’s keypad.
Text used with permission
