Feeds

Nachi worm infected Diebold ATMs

Holed in the wall

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

The Nachi worm compromised Windows-based automated teller machines at two financial institutions last August, according to ATM-maker Diebold, in the first confirmed case of malicious code penetrating cash machines.

The machines were in an advanced line of Diebold ATMs built atop Windows XP Embedded, which, like most versions of Windows, was vulnerable to the RPC DCOM security bug exploited by Nachi, and its more famous forebear, Blaster.

At both affected institutions the ATMs began aggressively scanning for other vulnerable machines, generating anomalous waves of network traffic that tripped the banks' intrusion detection systems, resulting in the infected machines being automatically cut off, Diebold executives said.

"The outbound traffic from the ATM was stopped -- limited, from a network standpoint -- and effectively isolated," said Nick Billett, Diebold's director of software engineering. "In many cases, the machines were cleaned up that day."

A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but Diebold had neglected to install it in the infected machines. Billett defended the company's patching process, which he said involves testing each new bug fix, and deploying at a wide variety of institutions with a mix of network architectures. "A lot of those machines actually have to be visited by a service technician" to be patched, said Billett. "Our experience in the past is we are able to turn those around in one or two days."

In this case, the two affected financial institutions, which Diebold declined to name, somehow slipped thought the cracks, said Billett. The company would not say how many machines were knocked out by the worm.

Windows Bugs

The incident highlights new dangers for financial institutions, as legacy ATMs running OS/2 and propriety communications protocols give way to more versatile and cost effective terminals built on Microsoft Windows and TCP/IP -- with all the attendant security problems.

Though ATMs typically sit on private networks or VPNs, the most serious worms in the last year have demonstrated that supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.

January's Slammer worm indirectly shut down some 13,000 Bank of America ATMs by infecting database servers on the same network, and spewing so much traffic that the cash machines couldn't processes customer transactions.

"I think of ATMs as a relative of SCADA systems, as those things not really being on the Internet, but being on some network," says Peter Lindstrom, an analyst with Spire Security. "In some ways, it's kind of ironic, that I think standardization across the board has created some of the issues."

In response to the problem, and to meet their customer's IT requirements, Diebold next month plans to begin shipping all new Windows-based ATMs preinstalled with a software-based firewall, made by Sygate Technologies. The company will also offer to put the Sygate product on existing machines already in the field. "We have many customers that are placing ATMs on their network, and as a result of that we have to meet certain criteria ... we haven't had to meet before," said Chuck Somers, vice president of global software development at Diebold.

Somers said he wasn't aware of Diebold ATMs being infected by earlier Windows worms, like Blaster or Slammer. "I'm not aware specifically of machines that were [comprised] as a result of previous ones," he said. "I was made aware specifically of the ones with Nachi, and that was cleaned up"

Microsoft had no immediate comment Monday.

Despite the allure of hard cash, don't expect to see a rash of made-for-Hollywood ATM hacks -- machines around the country suddenly spitting out wads of 20s at random, said Marc Maiffret, Windows expert and "chief hacking officer" at California-based eEye Digital Security.

"The actual point of service terminal itself getting infected-- that's pretty crazy," said Maiffret. "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

Copyright © 2003,

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.