New Trojan Targets Diebold ATMs

April 15, 2009

Are you running anti-virus software on your ATMs? A new Trojan that specifically attacks Diebold ATMs has been detected in Eastern Europe. The virus logs data in a file on the ATM, enabling the attacker to retrieve the data and perform other tasks through the ATM keypad. Via the ATM keypad, an attacker can do the following:

  • Display logged data
  • Print the date using the ATM printer
  • Display the ATM software version
  • DISPENSE CASH!
  • Uninstall the virus
  • Shut down the ATM

The virus has only been detected in Eastern Europe thus far, but there is no indication that anything would stop it from infecting a US-based ATM. The virus goes by several names depending on the anti-virus company: Trojan.Skimer (Symantec), PWS-BoldDie (McAfee), Troj/Skimer-A (Sophos).

The existence of the following files MAY indicate an infection:

lsass.exe
trl2
greenstone.bmp:redstone.bmp
redstone.bmp
greenstone.bmp:bluestone.bmp
bluestone.bmp
amitrace.txt
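
The file names above can be matched against a file listing exported from an ATM. The following is an added example, not part of the original article: it assumes the `file:stream` entries denote NTFS alternate data streams, skips the genuine Windows `lsass.exe` in System32, and runs on a constructed sample listing with hypothetical paths.

```python
import ntpath

# File names from the article's indicator list. Entries written "file:stream"
# are read here as NTFS alternate data streams (an assumption; the article
# does not explain the notation).
INDICATORS = {
    "lsass.exe", "trl2", "redstone.bmp", "bluestone.bmp", "amitrace.txt",
    "greenstone.bmp:redstone.bmp", "greenstone.bmp:bluestone.bmp",
}

def parse_entry(entry):
    """Return (directory, 'file' or 'file:stream'), both in lower case."""
    directory, leaf = ntpath.split(entry.strip())
    # Drop empty parts and the ":$DATA" stream type some listing tools append.
    parts = [p for p in leaf.lower().split(":") if p and p != "$data"]
    return directory.lower(), ":".join(parts[:2])

def find_indicators(listing):
    """Return (path, indicator) pairs for listing entries that match."""
    hits = []
    for entry in listing:
        directory, key = parse_entry(entry)
        if key not in INDICATORS:
            continue
        # The genuine Windows lsass.exe lives in System32; only copies
        # found elsewhere are reported.
        if key == "lsass.exe" and directory.endswith("\\system32"):
            continue
        hits.append((entry.strip(), key))
    return hits

# Constructed sample listing (hypothetical paths, not taken from the article).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\greenstone.bmp",
    r"C:\WINDOWS\greenstone.bmp:redstone.bmp:$DATA",
    r"C:\WINDOWS\trl2",
    r"C:\Temp\AMITRACE.TXT",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    for path, indicator in find_indicators(SAMPLE_LISTING):
        print(f"REVIEW  {indicator:30} {path}")
```

A match is a reason to review the machine, in line with the article's "MAY indicate"; a listing only shows alternate data streams if the tool that produced it enumerates them.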

Many ATM vendors will not allow financial institutions to “harden” or patch ATM systems due to potential conflicts with the ATM software.  As most ATM systems run on a Windows platform, many of these systems are vulnerable to compromise.   Financial institutions should evaluate their ATM systems and vendors to determine if their ATMs are sufficiently patched and are running (or capable of running) current anti-virus software.

TrustCC