h1

New Trojan Targets Diebold ATMs

April 15, 2009

Are you running anti-virus software on your ATMs?  A new Trojan that specifically attacks Diebold ATMs has been detected in Eastern Europe.  The virus logs data in a file on the ATM enabling the attacker to retrieve the data and perform other tasks through the ATM keypad.  An attacker has the ability to do the following via the ATM keypad:

  • Display logged data
  • Print the date using the ATM printer
  • Display the ATM software version
  • DISPENSE CASH!
  • Uninstall the virus
  • Shut down the ATM

The virus has only been detected in Eastern Europe thus far but there is no indication that anything would stop it from infecting a US based ATM.  The virus goes by several names depending on the anti-virus company:  Trojan.Skimer (Symantec), PWS-BoldDie (McAfee), Troj/Skimer-A (Sophos).

The existence of the following files MAY indicate an infection:

lsass.exe
trl2
greenstone.bmp:redstone.bmp
redstone.bmp
greenstone.bmp:bluestone.bmp
bluestone.bmp
amitrace.txt

Many ATM vendors will not allow financial institutions to “harden” or patch ATM systems due to potential conflicts with the ATM software.  As most ATM systems run on a Windows platform, many of these systems are vulnerable to compromise.   Financial institutions should evaluate their ATM systems and vendors to determine if their ATMs are sufficiently patched and are running (or capable of running) current anti-virus software.

TrustCC

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: