FireEye discovered a new ATM malware sample named "RIPPER," which it says is responsible for the theft of approximately...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
$378,000 from ATMs across Thailand. How does this ATM malware work, and is there anything vendors can do to prevent more instances?
New ATM malware is starting to become a nonevent due to its prevalence, and it is something ATM manufacturers are already combating currently. It is turning into a constant competition between criminals and enterprise security programs. Unfortunately, ATMs are used in relatively insecure locations and have long lifespans, which makes protecting them over time more difficult.
The FireEye report on the RIPPER malware states that it has similar functionality to previous ATM malware, but is able to attack multiple brands of ATMs. Attackers use a specially manufactured ATM Europay, MasterCard and Visa (EMV) card for authentication; the malicious EMV chip is authenticated by the ATM and delivers the RIPPER malware to the system.
FireEye obtained the RIPPER malware from VirusTotal and analyzed it after they identified commonalities between ATM attacks in Thailand. The RIPPER ATM malware can disable network connections to reduce the chance of network-based alarms, delete logs to reduce evidence of the attack, set itself to look like a legitimate program on the endpoint and control cash dispensing.
ATM vendors can prevent ATM malware infections by using whitelisting. It is unclear why ATMs don't use whitelisting on a widespread basis, since the functionality of an ATM is very limited, and enterprises responsible for the machines should aim to prevent unapproved software from running on the ATMs. Whitelisting doesn't block all attacks, and it can be bypassed, but since ATMs don't run Microsoft Word, that specific bypass shouldn't work.
Enterprises with ATMs could also regularly scan the file system for unapproved files and set an alarm or disable all functionality if the logs are tampered with.
Learn about the self-deleting ATM malware GreenDispenser
Find out the impact of Conficker malware infections of industrial control systems and supervisory control and data acquisition systems
Discover how SWIFT network communications can be made more secure
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Can Structured Threat Information eXpression improve threat intelligence sharing? Nick Lewis breaks down the evolution of the STIX security framework.continue reading
A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to ...continue reading
A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.