Original and sophisticated malware

Date: April 02, 2009

Two pieces of malware discovered this month have come to our attention because of their sophistication and the originality of the equipment they target.
Both represent limited threats, but they say a lot about the inventiveness and skill of cybercriminals.

The Skimer Trojan

Sophos has discovered a Trojan targeting Automatic Teller Machines (ATMs).

This Trojan, named Skimer and described as sophisticated by several sources, infects Diebold ATMs that run the Microsoft Windows operating system.

It records the credit card data and PIN codes entered during authentication. This information can then be used to produce an illegal duplicate of the original card.

Because ATMs are generally not connected to the Internet, this malware must be installed by someone with physical or privileged access to the banking network or to the machine itself (e.g. a maintenance company).
To recover the stolen data, the attacker then has to use the keypad of the infected ATM in a particular way so that the data are printed on a receipt.

This mode of installation explains why the spread of Skimer appears very limited, indeed almost confidential: only a few specimens of this malware have been found, on ATMs in Russia.

The discovery of this Trojan allows the following lessons to be drawn:
  • ATMs are not immune to attacks by malicious code,
  • however, these attacks require physical or privileged access to the targeted machines, which limits the Trojan's spread,
  • developing the discovered malicious code required precise knowledge of the hardware and software of the attacked ATMs, which limits it to a single brand of machine. This also suggests that the attackers could equally have designed malware against ATMs running an operating system more exotic than Microsoft Windows: even if ATMs running Microsoft Windows are more exposed to attacks, using another operating system is not a complete protection against malware.

After analysis, we assess the threat posed by Skimer as lower than its spectacular appearance might suggest. Many obstacles hinder its spread, and with this kind of attack the return on investment for attackers is lower than with more traditional methods based on propagation over the Internet (phishing, server compromise, etc.).

The Psybot worm

The Psybot worm, discovered by the DroneBL company (which specializes in network monitoring) and reported by Symantec, targets certain routers.

It spreads via brute-force attacks (on user names and passwords) against the web interfaces of routers based on the mipsel architecture and running the Linux operating system.

Once Psybot has authenticated by brute force, it copies itself onto the router using the wget or ftpget command. It then blocks TCP ports 22 (ssh), 23 (telnet) and 80 (web interface) to lock administrators out.
After that it opens a backdoor on the infected system via an IRC channel and waits for malicious commands from a remote server (distributed denial of service, malicious code download, TCP port scanning, etc.).

This worm is interesting because of the type of device it attacks (home routers). Its threat, however, is limited by the specificity of these devices (architecture, operating system, web interface rarely reachable from the Internet) and because its propagation (by brute-force attack) is only possible on devices protected by weak passwords.
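One defensive check that the Psybot propagation mechanism suggests, as an added example (not part of the original advisory nor of any vendor's tooling): a small Python detector run over constructed router web-interface authentication log lines, flagging a source that fails many logins in a short window and noting whether it then logged in successfully. The log format, timestamps and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical router httpd log format (not a real vendor's).
SAMPLE_LOG = """\
Mar 24 10:00:01 router httpd: auth failed user=admin from=203.0.113.7
Mar 24 10:00:02 router httpd: auth failed user=admin from=203.0.113.7
Mar 24 10:00:03 router httpd: auth failed user=root from=203.0.113.7
Mar 24 10:00:04 router httpd: auth failed user=admin from=203.0.113.7
Mar 24 10:00:05 router httpd: auth failed user=admin from=203.0.113.7
Mar 24 10:00:06 router httpd: auth ok user=admin from=203.0.113.7
Mar 24 10:05:00 router httpd: auth failed user=admin from=198.51.100.9
Mar 24 10:10:00 router httpd: auth ok user=admin from=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ httpd: "
    r"auth (?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def parse_line(line, year=2009):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= threshold failed logins inside any `window`, and record
    whether that source later logged in successfully (a guess that worked)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        fails = sorted(e["ts"] for e in events if e["result"] == "failed")
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            ok_after = any(e["result"] == "ok" and e["ts"] > fails[-1] for e in events)
            alerts[src] = {"failures": peak, "success_after": ok_after}
    return alerts
```

A source reported with `success_after` set is the case worth treating as a probable compromise rather than a mere guessing attempt.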

For more information:
Skimer
Psybot
