[ISN] Nachi worm infected Diebold ATMs

From: InfoSec News (isn@private)
Date: Fri Nov 28 2003 - 01:39:27 PST

  • Next message: InfoSec News: "[ISN] Secunia Weekly Summary - Issue: 2003-48"

    http://www.theregister.co.uk/content/55/34175.html
    
    By Kevin Poulsen
    SecurityFocus
    Posted: 25/11/2003 
    
    The Nachi worm compromised Windows-based automated teller machines at 
    two financial institutions last August, according to ATM-maker 
    Diebold, in the first confirmed case of malicious code penetrating 
    cash machines. 
    
    The machines were in an advanced line of Diebold ATMs built atop 
    Windows XP Embedded, which, like most versions of Windows, was 
    vulnerable to the RPC DCOM security bug exploited by Nachi, and its 
    more famous forebear, Blaster. 
    
    At both affected institutions the ATMs began aggressively scanning for 
    other vulnerable machines, generating anomalous waves of network 
    traffic that tripped the banks' intrusion detection systems, resulting 
    in the infected machines being automatically cut off, Diebold 
    executives said. 
    
    "The outbound traffic from the ATM was stopped -- limited, from a 
    network standpoint -- and effectively isolated," said Nick Billett, 
    Diebold's director of software engineering. "In many cases, the 
    machines were cleaned up that day." 
    
    A patch for the critical RPC DCOM hole had been available from 
    Microsoft for over a month at the time of the attack, but Diebold had 
    neglected to install it in the infected machines. Billett defended the 
    company's patching process, which he said involves testing each new 
    bug fix, and deploying at a wide variety of institutions with a mix of 
    network architectures. "A lot of those machines actually have to be 
    visited by a service technician" to be patched, said Billett. "Our 
    experience in the past is we are able to turn those around in one or 
    two days." 
    
    In this case, the two affected financial institutions, which Diebold 
    declined to name, somehow slipped thought the cracks, said Billett. 
    The company would not say how many machines were knocked out by the 
    worm. 
    
    Windows Bugs 
    
    The incident highlights new dangers for financial institutions, as 
    legacy ATMs running OS/2 and propriety communications protocols give 
    way to more versatile and cost effective terminals built on Microsoft 
    Windows and TCP/IP -- with all the attendant security problems. 
    
    Though ATMs typically sit on private networks or VPNs, the most 
    serious worms in the last year have demonstrated that 
    supposedly-isolated networks often have undocumented connections to 
    the Internet, or can fall to a piece of malicious code inadvertently 
    carried beyond the firewall on a laptop computer. 
    
    January's Slammer worm indirectly shut down some 13,000 Bank of 
    America ATMs by infecting database servers on the same network, and 
    spewing so much traffic that the cash machines couldn't processes 
    customer transactions. 
    
    "I think of ATMs as a relative of SCADA systems, as those things not 
    really being on the Internet, but being on some network," says Peter 
    Lindstrom, an analyst with Spire Security. "In some ways, it's kind of 
    ironic, that I think standardization across the board has created some 
    of the issues." 
    
    In response to the problem, and to meet their customer's IT 
    requirements, Diebold next month plans to begin shipping all new 
    Windows-based ATMs preinstalled with a software-based firewall, made 
    by Sygate Technologies. The company will also offer to put the Sygate 
    product on existing machines already in the field. "We have many 
    customers that are placing ATMs on their network, and as a result of 
    that we have to meet certain criteria ... we haven't had to meet 
    before," said Chuck Somers, vice president of global software 
    development at Diebold. 
    
    Somers said he wasn't aware of Diebold ATMs being infected by earlier 
    Windows worms, like Blaster or Slammer. "I'm not aware specifically of 
    machines that were [comprised] as a result of previous ones," he said. 
    "I was made aware specifically of the ones with Nachi, and that was 
    cleaned up" 
    
    Microsoft had no immediate comment Monday. 
    
    Despite the allure of hard cash, don't expect to see a rash of 
    made-for-Hollywood ATM hacks -- machines around the country suddenly 
    spitting out wads of 20s at random, said Marc Maiffret, Windows expert 
    and "chief hacking officer" at California-based eEye Digital Security. 
    
    "The actual point of service terminal itself getting infected-- that's 
    pretty crazy," said Maiffret. "But worms are always going to be able 
    to infect a lot more interesting machines than individual intruders 
    are." Moreover, before reaching an ATM network, a human attacker would 
    likely encounter more alluring high-finance targets along the way. 
    "They're going to have to go through a lot of juicer networks first." 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Nov 28 2003 - 03:57:28 PST