Windows Trojan on Diebold ATMs

Vanja Svacjer, a virus expert for Sophos, has reported his latest find in a blog entry: a Trojan that spies on PINs. The difference is that this example specialises in cash dispensers made by Diebold, which run Windows.

When Svajcer investigated rumours of malware on automated teller machines (ATMs) and specifically checked the Sophos malware database for samples referencing Diebold, the allegedly targeted ATM manufacturer, he struck oil with three files. Closer analysis then apparently revealed code using undocumented Diebold Agilis functions to address the magnetic-card reader and inject code into some of the ATM's processes.

Svajcer is also "fairly sure" of having discovered code that captures and logs PINs as they are typed in. Here, however, his analysis becomes a little dubious. For example, on cash dispensers that satisfy the guidelines of the German ZKA (Zentraler Kreditausschuss, a joint committee operated by the central associations of the German banking industry), PINs are input into a specially secured hardware security module (HSM) that communicates directly with the card reader. A Trojan running on the operating system of the cash dispenser couldn't simply read the PIN, because it never appears in plain text on the computer. The ZKA list of approved cash dispensers includes Diebold systems running Windows XP and Agilis.

But Svajcer isn't way off target. The US journalist Robert McMillan writes that Diebold has confirmed to him that there were cases of Trojan's on Russian cash dispensers, which caused Diebold to issue a warning to its clients in January. A letter apparently sent by Diebold actually refers to a precautionary security update for the Windows software on its cash dispensers.

Vanja Svajcer suspects that injecting the Trojan requires direct access to the cash dispenser. He concludes that he doesn't believe "malware attacks on ATMs will become mainstream." Nonetheless, Sophos anti-virus software now detects the malware as Troj/Skimer-A.

(djwm)