Introduction
This security article's title may look like the intro to a fairytale told by a criminal to her child. However, a family of malicious software (malware) that has appeared this year seems to make this fairytale come true for some…
This malware infects Automatic Teller Machines (ATMs), or cash dispensers, running the Windows operating system.
A few details
The malware in this family seems to provide the following functionality (highlights):
- intercepts and stores transaction information, including account balance information, on the ATM's disk (for later retrieval)
- intercepts and stores authentication information (e.g. PIN codes) on the ATM's disk (for later retrieval)
- offers a user interface that enables several options, including
  - removal of the malware from the infected ATM's disk
  - deletion/restoring of log files
  - rebooting the ATM
  - displaying information about the cash available in the ATM
- attempts to write to a validated smartcard inserted into the ATM, or to print using the ATM's printing device
This ATM malware does not appear to have any capability to spread over networks, which means that the spreading mechanism is most likely "hands-on": installation by insiders with access to the machine.
Norman's antivirus software detects this malware as W32/Skimer.x (where 'x' is a letter which defines the different variants).
Implications
W32/Skimer and similar malware that infects cash machines is of course extremely interesting in itself. Its heavy dependency on insiders, however, strongly limits its malicious capacity.
Of more interest, perhaps, is that this shows malware is actually spreading into areas beyond "traditional" desktop and server computers. We discussed this, with several examples, in another security article in March this year. W32/Skimer is a real-life example of such a predicted scenario.
Other examples will certainly follow. The factors that decide which targets are most exposed to exploitation are:
- Exploitability of the device
Although the particular malware that was the basis for this article infects Windows computers, similar malware is perfectly feasible to imagine for Linux and proprietary operating systems. It seems pretty safe to assume that devices other than traditional computers are at least as insecure as the latter, especially since security issues for these types of devices have so far received very little attention.
- Potential for economic gain
Almost all new malware has (criminal) economic motives as its basis. Devices that enable economic profit for criminals are more likely to be targets for new malware than those that do not. A bank's cash machines are more interesting targets for the criminal than your lawn mower.