
How does GreenDispenser self-deleting malware work?

A new type of self-deleting malware, known as GreenDispenser, allows attackers to rob ATMs of cash. Expert Nick Lewis explains how this threat works and how to prevent it.

How does self-deleting malware work? Is it typically on a system long enough to be detected, or does it erase itself before detection? If so, how would enterprises know if any damage is done by self-deleting malware?

The GreenDispenser malware discovered by Proofpoint allows a criminal to empty the cash out of an automatic teller machine (ATM). It seems to rely on poor physical security practices and potential vulnerabilities in the ATM software. Once GreenDispenser has been used to cash out the ATM, it securely deletes itself. Self-deleting malware works by destroying any files it creates at a predefined time, such as once it executes or on a certain date. Before any of that can happen, the files or executable code first need to get onto the victim's machine. In the GreenDispenser example, potential physical security vulnerabilities were exploited to gain physical access to the ATM so the malicious code could be copied to the system.

Obviously, one of the goals of any malware is to not be detected; in the case of GreenDispenser, the malware author tries to reduce the chance of detection by deleting itself before detection occurs. However, the malware needs to be on the system long enough to be executed so the ATM can be cashed out. ATMs and kiosk systems are typically very restricted and have controlled functionality. This gives a significant benefit to a defender because any executable, file or network connection that is not specifically approved can and should be blocked or investigated as suspicious. An enterprise would know damage was done if malware is detected on an ATM or kiosk.
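
The allowlisting check described above can be sketched as follows. This is an added example, not code from Proofpoint or any ATM vendor; it assumes process-creation records with file hashes are collected from the ATM, and the log layout, paths and digests are constructed placeholders.

```python
import os

# Constructed allowlist: SHA-256 digests of approved executables (placeholders).
APPROVED = {"a" * 64, "b" * 64}

# Constructed process-creation records in a made-up "time|image|sha256" layout.
SAMPLE_LOG = """\
2016-02-01T02:10:03|C:\\ATM\\bin\\dispenser_svc.exe|{a}
2016-02-01T02:14:47|C:\\Temp\\update.exe|{c}
2016-02-01T02:15:02|C:\\ATM\\bin\\journal.exe|{b}
""".format(a="a" * 64, b="b" * 64, c="c" * 64)


def parse(log_text):
    """Yield (timestamp, image_path, sha256) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, digest = line.split("|")
        yield ts, image, digest.lower()


def triage(log_text, approved=APPROVED, exists=os.path.exists):
    """Return a finding for every execution whose hash is not on the allowlist.

    An unapproved image that is gone from disk by review time is reported
    separately: the execution record is then the only evidence left of it.
    """
    findings = []
    for ts, image, digest in parse(log_text):
        if digest in approved:
            continue  # approved binary, nothing to report
        status = "unapproved" if exists(image) else "unapproved-image-missing"
        findings.append(
            {"time": ts, "image": image, "sha256": digest, "status": status}
        )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["status"], f["image"])
```

The check only helps against self-deleting code if the execution records are kept somewhere the malware cannot reach, since the file itself will no longer be on the ATM.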

This was last published in February 2016
