By Kevin Poulsen, SecurityFocus Nov 24 2003 3:18PM
The Nachi worm compromised Windows-based automated teller machines at two financial institutions last August, according to ATM-maker Diebold, in the first confirmed case of malicious code penetrating cash machines.
The machines were in an advanced line of
Diebold ATMs built atop Windows XP Embedded, which, like most versions of Windows, was vulnerable to the RPC DCOM security bug exploited by Nachi, and its more famous forebear, Blaster.
At both affected institutions the ATMs began aggressively scanning for other vulnerable machines, generating anomalous waves of network traffic that tripped the banks' intrusion detection systems, resulting in the infected machines being automatically cut off, Diebold executives said.
"The outbound traffic from the ATM was stopped -- limited, from a network standpoint -- and effectively isolated," said Nick Billett, Diebold's director of software engineering. "In many cases, the machines were cleaned up that day."
A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but
Diebold had neglected to install it in the infected machines. Billett defended the company's patching process, which he said involves testing each new bug fix, and deploying at a wide variety of institutions with a mix of network architectures. "A lot of those machines actually have to be visited by a service technician" to be patched, said Billett. "Our experience in the past is we are able to turn those around in one or two days."
more:
http://www.securityfocus.com/news/7517
Printer-friendly format
Email this thread to a friend
Bookmark this thread
(1000+ posts)
Send PM |
Profile |
Ignore
