Windows XP-Based ATMs Targeted by Hackers

Dennis Faas's picture

Banks are being warned of trouble ahead after approximately 20 ATMs, mostly in Eastern Europe, were compromised. The ATMs running Microsoft's Windows XP operating system were infected with malware that captures magnetic strip data and PIN codes.

According to a report from Trustwave's SpiderLabs, the malware uses the strip data and PIN codes to access the private memory space of transaction-processing applications.

Advanced Management Functionality Built into the Malware

Attackers gain control over the ATMs by inserting specialized controller cards into the ATM's card reader. (Source:

Analysts don't think the malware is capable of sending harvested data to other remote locations over the Internet based on what they found on the infected ATMs already. That said, the malware does allow for the output of harvested data through the ATM's receipt printer, or by writing the data to an electronic storage device inserted into the ATM's card reader.

How the Malware Works

The malware is an executable that is installed through a "dropper file," called isadmin.exe. Once executed, the dropper file produces the lsass.exe malware file within the C:\WINDOWS directory and manipulates the Protected Storage service that normally handles the legitimate lsass.exe executable file to point to the newly created malware.

The malware also contains code that enables it to eject the cash dispensing cassette and is configured to automatically restart in the event that Windows crashes to make sure it remains active.

Eastern Europe Believed to be a Testing Ground

It's believed that the 20 hacked ATMs in Eastern Europe was an experiment before spreading the attacks to other ATMs, including those in the U.S.

Visit Bill's Links and More for more great tips, just like this one!

Rate this article: 
No votes yet