Trojans in ATMs. Official comments from Kaspersky Lab

Published on March 25, 2009


    The news about viruses appearing in ATMs made a lot of noise today. Links to the corresponding publications on the Lenta.ru and CNews sites have already appeared on Habr; however, we haven't had any official comments here from the companies involved in information security. And literally just now I got some clarification from Kaspersky Lab. Comment by Alexander Gostev, head of the center for global research and threat analysis at Kaspersky Lab:

    “This malware was detected and added to the Kaspersky Lab anti-virus database on March 19, 2009 under the name Backdoor.Win32.Skimer.a. This is a Trojan program that infects ATMs of the popular American manufacturer Diebold (according to unconfirmed reports, we are talking about ATMs located in the Russian Federation and Ukraine). To date, there is no information about actually infected machines. However, we assume that their number, if any, is minimal. Infected machines become vulnerable to further actions of the attacker, namely: having a special access card, the virus writer can remove all the cash available in the ATM, as well as gain access to information about all transactions made through this ATM by other users.

    The principle of infection, given the lack of real calls from banks, is not yet completely obvious. Kaspersky Lab experts suggest that there are two possible options: direct physical access to the ATM system or access through the bank's internal network to which the ATMs are connected.

    An analysis of the program code allows us to assume with high probability that its author is a citizen of one of the CIS countries.

    Unfortunately, the average user will not be able to independently determine the infection of the ATM. However, its owners can do this. To avoid possible infection, Kaspersky Lab experts strongly recommend that all banks check the operating ATM networks using a standard anti-virus program that detects this malicious software.

    Backdoor.Skimer.a is the first malware aimed at infecting and existing in ATMs. We do not rule out the emergence of new malicious programs aimed at the illegitimate use of banking information and cash.”