Kaspersky Lab researchers have discovered a new ATM (automated teller machine) malware called ATMii that allows hackers to dispense all the available cash stored in an ATM. The malware targets only ATMs that run Microsoft Windows 7 and Windows Vista.
The threat was first detected by Kaspersky six months ago, when one of the affected banks shared the malware with Kaspersky security researchers. According to security experts at Kaspersky Lab, the malware consists of two files: exe.exe (the injector module: 3fddbf20b41e335b6b1615536b8e1292) and dll.dll (the module to be injected: dc42ed8e1de55185c9240f33863a6aa4).
To install ATMii, the attacker needs direct access to the target ATM, either over the network or physically. The malware allows hackers to scan machines to determine the amount of cash stored at any given time and to manipulate infected ATMs into dispensing specific amounts of money. If successful, it allows criminals to dispense all the cash from the ATM. The malware also contains a “die” command that makes it delete a configuration file.
Kaspersky senior developer Konstantin Zykov said in a detailed blog post: “The injector, which targets the atmapp.exe (proprietary ATM software) process, is fairly poorly written, since it depends on several parameters. If none are given, the application catches an exception.”
However, even a small piece of code can cause large losses, since all the cash in an ATM can be withdrawn at one time. To prevent such attacks, security measures such as a default-deny policy and device control are required, along with technical measures to protect the ATM against physical access.
“ATMii is yet another example of how criminals can use a small piece of code to dispense money to themselves. Some appropriate countermeasures against such attacks are default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks,” Zykov added.
Travis Smith, principal security researcher at Tripwire, commented in an email to SC Media UK: “The ATMii malware is very targeted, not only because it only supports Windows 7, but also because it is targeted to a specific ATM executable (atmapp.exe). According to Kaspersky’s initial report, this is a proprietary application, so it’s unlikely this specific malware variant will have a large impact on the ATM market worldwide. Even with minimal impact, it’s quite easy to prevent the malware’s infection path by implementing foundational controls. Limiting network access and disabling USB ports will reduce the attack surface enough that this simple type of malware won’t make it onto an ATM.”