First ATMs Infected by Internet Worm
Security Focus is reporting what is believed to be the first case of an Internet worm infecting ATMs. Although the Slammer worm took down 13,000 Bank of America ATMs, it did so by infecting the database systems the ATMs depended on, not the ATMs themselves. This summer's Nachi worm, by contrast, actually compromised the ATMs.
The ATMs in question were manufactured by Diebold. As an earlier c4.net article noted, Diebold is one of the key players in electronic voting machines. The source code for its voting machines leaked onto the Internet, where a group of researchers analyzed it and found many critical security vulnerabilities. Coincidentally, Diebold has just agreed not to sue those researchers.
The worm took advantage of a vulnerability in the Windows operating system running on the ATMs; Nachi spread through the Windows RPC/DCOM flaw (MS03-026), reachable over TCP port 135. Microsoft released a patch for that flaw over a month before the worm infected the ATMs. Diebold says it tested the patch and installed it on most of its machines, but does not explain how or why these machines were overlooked.
It is unclear how the worm reached the machines at all. The first step in securing an ATM should be to put all ATMs on their own isolated network, with everything other than the traffic an ATM actually needs blocked by default.
That evidently was not the case here: the worm enters over a well-documented Windows port (TCP 135, RPC) that had apparently been left wide open to the ATMs. To put this in perspective, a $100 Linksys router of the kind used in many homes on DSL or cable lines blocks unsolicited inbound connections to that port out of the box. Either the port was left open at the router, or the ATMs were not on a private network of their own.
In any event, once the ATMs were infected and began infecting other machines, Diebold says its intrusion detection system noticed the unusual network activity and cut the infected machines off before more damage could be done. Diebold says many of the infected machines were repaired within a day; it is not known how many were infected.
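The two controls discussed above, the default-deny network segment for the ATMs and the intrusion detection that spotted the infected machines by their network behaviour, are easy to make concrete. The following is an added example written for this page, not code from the original article, Security Focus or Diebold. It evaluates constructed flow records against a default-deny policy for an ATM segment (only ATM-to-transaction-host sessions pass; nothing may initiate a connection to an ATM) and runs a fan-out detector of the kind an IDS uses: a source that opens connections to many distinct hosts on TCP 135 in a short window is behaving like a worm, because a healthy ATM never opens port-135 connections at all. All addresses, ports and traffic are hypothetical.

```python
"""Added example for this article: an ATM-segment default-deny policy and a
TCP/135 scan detector, run over constructed flow records. Addresses, ports
and the flow format are assumptions made for the illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since an arbitrary start
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Assumed addressing for the illustration.
ATM_SEGMENT = ip_network("10.50.0.0/24")
TX_HOST = ip_address("10.10.1.5")   # transaction host the ATMs must reach
TX_PORT = 443                        # assumed service port on that host


def policy_allows(flow: Flow) -> bool:
    """Default deny for the ATM segment: an ATM may open TCP to the
    transaction host on its service port and nothing else. No host may
    initiate a connection to an ATM, and ATMs cannot reach each other or
    the Internet, so an inbound RPC/DCOM probe on 135 never arrives."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return (src in ATM_SEGMENT and dst == TX_HOST
            and flow.proto == "tcp" and flow.dport == TX_PORT)


def apply_policy(flows):
    """Split flows into those the segment policy passes and those it drops."""
    allowed, denied = [], []
    for f in flows:
        (allowed if policy_allows(f) else denied).append(f)
    return allowed, denied


def detect_scanners(flows, port=135, window=60.0, threshold=20):
    """Return {src: peak_distinct_destinations} for every source that
    connected to at least `threshold` distinct hosts on `port` within some
    `window` seconds. A worm probing for RPC/DCOM produces this fan-out."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == port:
            by_src[f.src].append((f.ts, f.dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= window seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_flows():
    """Constructed traffic: three normal ATM sessions, an inbound probe of
    TCP 135 against an ATM, an infected ATM sweeping 40 neighbours on 135
    within 20 seconds, and an ATM trying to reach the Internet."""
    flows = [Flow(t, "10.50.0.11", "10.10.1.5", 443) for t in (10.0, 20.0, 30.0)]
    flows.append(Flow(40.0, "10.20.3.77", "10.50.0.11", 135))    # inbound RPC probe
    flows += [Flow(100.0 + i * 0.5, "10.50.0.23", f"10.50.0.{i}", 135)
              for i in range(64, 104)]                            # worm-style sweep
    flows.append(Flow(130.0, "10.50.0.11", "203.0.113.5", 80))    # ATM -> Internet
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    passed, dropped = apply_policy(sample)
    print(f"allowed {len(passed)} flows, denied {len(dropped)}")
    for host, n in detect_scanners(sample).items():
        print(f"isolate {host}: probed {n} distinct hosts on tcp/135")
```

Two points a practitioner would check here. The central policy can only drop ATM-to-ATM traffic if the ATMs cannot reach each other at layer 2 (a private VLAN or a dedicated link per machine), or if a host firewall on each ATM enforces the same rule; otherwise an infected ATM still sweeps its neighbours and the detector is the only remaining control. And the detector keys on distinct destinations rather than raw packet counts, so a single failed exploit attempt from outside (one source, one destination) is blocked but not flagged, while the sweep is flagged even at a modest threshold.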