How does RIPPER ATM malware use malicious EMV chips?
RIPPER malware has been found responsible for the theft of $378,000 from ATMs in Thailand. Expert Nick Lewis explains how this ATM malware works.
FireEye discovered a new ATM malware sample named "RIPPER," which it says is responsible for the theft of approximately $378,000 from ATMs across Thailand. How does this ATM malware work, and is there anything vendors can do to prevent more instances?
New ATM malware is starting to become a nonevent due to its prevalence, and it is something ATM manufacturers are already combating currently. It is turning into a constant competition between criminals and enterprise security programs. Unfortunately, ATMs are used in relatively insecure locations and have long lifespans, which makes protecting them over time more difficult.
The FireEye report on the RIPPER malware states that it has similar functionality to previous ATM malware, but is able to attack multiple brands of ATMs. Attackers use a specially manufactured ATM Europay, MasterCard and Visa (EMV) card for authentication; the malicious EMV chip is authenticated by the ATM and delivers the RIPPER malware to the system.
FireEye obtained the RIPPER malware from VirusTotal and analyzed it after they identified commonalities between ATM attacks in Thailand. The RIPPER ATM malware can disable network connections to reduce the chance of network-based alarms, delete logs to reduce evidence of the attack, set itself to look like a legitimate program on the endpoint and control cash dispensing.
ATM vendors can prevent ATM malware infections by using whitelisting. It is unclear why ATMs don't use whitelisting on a widespread basis, since the functionality of an ATM is very limited, and enterprises responsible for the machines should aim to prevent unapproved software from running on the ATMs. Whitelisting doesn't block all attacks, and it can be bypassed, but since ATMs don't run Microsoft Word, that specific bypass shouldn't work.
Enterprises with ATMs could also regularly scan the file system for unapproved files and set an alarm or disable all functionality if the logs are tampered with.
Learn about the self-deleting ATM malware GreenDispenser
Find out the impact of Conficker malware infections of industrial control systems and supervisory control and data acquisition systems
Discover how SWIFT network communications can be made more secure
Dig Deeper on Threats and vulnerabilities
Related Q&A from Nick Lewis
What are port scan attacks and how can they be prevented?
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Explore benefits and challenges of cloud penetration testing
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
What are the best criteria to use to evaluate cloud service providers?
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading