Trojans in ATMs. Official comments from Kaspersky Lab.

Tomcat

The news about the appearance of viruses in ATMs caused a lot of noise today. Habr has already posted links to relevant publications on the sites Lenta.ru and CNews, but we have not received any official comments from companies involved in information security. And I literally just received some clarifications from Kaspersky Lab. Alexander Gostev, head of the global threat research and analysis center at Kaspersky Lab, comments:

“This malicious program was discovered and added to the Kaspersky Lab anti-virus database on March 19, 2009 under the name Backdoor.Win32.Skimer.a. This is a Trojan program that infects ATMs of the popular American manufacturer Diebold (according to unconfirmed reports, we are talking about ATMs located in the Russian Federation and Ukraine). To date, there is no information about actually infected machines. However, we assume that their number, if any, is minimal. Infected machines become vulnerable to further actions by the attacker, namely: having a special access card, the virus writer can withdraw all the cash in the ATM, as well as gain access to information about all transactions carried out by other users through this ATM.

The principle of infection, given the lack of real requests from banks, is not yet completely obvious. Kaspersky Lab specialists suggest that there may be two possible options: direct physical access to the ATM system or access through the bank’s internal network to which the ATMs are connected.

Analysis of the program code allows us to assume with a high degree of probability that its author is a citizen of one of the CIS countries.

Unfortunately, the average user will not be able to independently determine whether an ATM is infected. However, its owners can do this. To avoid possible infection, Kaspersky Lab experts strongly recommend that all banks scan their ATM networks using a regular anti-virus program that detects this malicious software.

Backdoor.Skimer.a is the first malware aimed at infecting and living in ATMs. We do not rule out the emergence of new malware aimed at the illegitimate use of banking information and cash.”
 