Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
An investigation by Trustwave's SpiderLabs performed an analysis of malware found installed on compromised ATMs in Eastern Europe. It found that the malware is able to capture magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on a compromised ATM.
It revealed that the interface is accessible by inserting controller cards into the ATM's card reader. Analysts at SpiderLabs do not believe that the malware includes networking functionality that would allow it to send harvested data to other remote locations via the internet.However they do believe that the malware allows for the output of harvested card data via the ATM's receipt printer or by writing the data to an electronic storage device (possibly using the ATM's card reader).The analysts also discovered code that indicates that the malware could eject the cash dispensing cassette. They believe that what was identified was a relatively early version of the malware, and that subsequent versions have seen significant additions to its functionality.Trustwave claimed that the malware is installed and activated through a dropper file by the name of isadmin.exe, and that the binary contains a data resource named ‘packageinfo' which in turn contains the actual malware.
Once active, the malware intercepts ATM transactions by injecting code into targeted processes through the binary modification of these processes in memory. The first process targeted by the malware appears to be a system-messaging utility, while the other is a form of ATM software service.
Once it resides in the memory, the malware polls the transaction message queue looking for track 2 data from the current transaction. It can then perform a level of validation and manipulation against this track data to determine whether the transaction is the attacker's trigger or controller card or a valid transaction involving track data that the malware collects by recording it in a file.
Trustwave said: “Given the impact this malware can have on an infected ATM environment, Trustwave highly recommends all financial institutions with ATMs under management perform analysis of their environment to identify if this malware or similar malware is present.
See original article on scmagazineuk.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.