Security Alert: Malicious software (malware) found installed on compromised ATMs (Automated Teller Machines)


Trustwave’s SpiderLabs performed an analysis of malicious software (malware) found
installed on compromised ATMs (Automated Teller Machines) in the Eastern European
region. This malware captures magnetic stripe data and PIN codes from the private memory
space of transaction-processing applications installed on a compromised ATM. The
compromised ATMs discussed in this briefing ran Microsoft’s Windows XP operating system.

The malware contains advanced management functionality allowing the attacker to fully
control the compromised ATM through a customized user interface built into the malware.
This interface is accessible by inserting controller cards into the ATM’s card reader.
SpiderLabs analysts do not believe the malware includes networking functionality that
would allow it to send harvested data to other, remote locations via the Internet. The
malware does, however, allow for the output of harvested card data via the ATM’s receipt
printer or by writing the data to an electronic storage device (possibly using the ATM’s card
reader). Analysts also discovered code indicating that the malware could eject the
cash-dispensing cassette.

What follows is a high-level summary of the key features identified during Trustwave’s
in-depth analysis of the malware sample. It is, however, believed that this is a relatively early
version of the malware and that subsequent versions have seen significant additions to its
functionality.