Original and sophisticated malware
Date: April 02, 2009
Two pieces of malware discovered this month have caught our attention by their sophistication and by the originality of the equipment they target.
Both represent limited threats, but they say a lot about the inventiveness and skill of cybercriminals.
The Skimer Trojan
Sophos has discovered a Trojan targeting Automatic Teller Machines (ATMs).
This Trojan, named Skimer and described as sophisticated by several sources, infects Diebold ATMs that run the Microsoft Windows operating system.
It records the credit card data and PIN codes entered during authentication. This information can then be used to manufacture an illegal duplicate of the original card.
Because ATMs are generally not connected to the Internet, this malware must be installed by someone with physical or privileged access to the banking network or to the machine itself (e.g. a maintenance company).
To recover the stolen data, an attacker must then use the keypad of the infected ATM in such a way as to print this data on a receipt.
This mode of spreading explains why the dissemination of Skimer appears very limited, even confidential. Indeed, only a few specimens of this malware have been found, on ATMs in Russia.
The discovery of this Trojan allows the following lessons to be drawn:
- ATMs are not immune to attacks by malicious code;
- however, these attacks require physical or privileged access to the targeted machines, which limits the spread of the Trojan;
- the development of the discovered malicious code required precise knowledge of the hardware and software of the attacked ATMs. This limits its distribution to a single brand of machine. It also suggests that the attackers could have designed malware against ATMs running an operating system more exotic than Microsoft Windows. Even if ATMs running Microsoft Windows are more exposed to attacks, using another operating system is not a complete protection against malware.
The Psybot worm
The Psybot worm, discovered by DroneBL (a company specializing in network monitoring) and reported by Symantec, targets certain routers.
It spreads via brute-force attacks (logins / passwords) against the web interfaces of routers based on the mipsel architecture and running the Linux operating system.
Once Psybot has succeeded in authenticating by brute force, it copies itself onto the router with the wget or ftpget command. It then blocks TCP ports 22 (ssh), 23 (telnet) and 80 (web interface) to lock administrators out.
After that it opens a backdoor on the infected system via an IRC channel and waits for malicious commands from a remote server (distributed denial of service, malicious code download, TCP port scanning, ...).
This worm is interesting because of the type of device it attacks (home routers). Its threat, however, is mitigated by the specificity of these devices (architecture, operating system, web interface rarely accessible from the Internet) and because its propagation (by brute-force attack) is only possible against devices protected by weak passwords.
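The propagation step described above (a burst of failed logins against the router's web interface followed by a success) is something a defender can spot in the router's own logs before the worm locks the administration ports. The following detector is an added example, not code from the bulletin or from any of the cited analyses; the syslog line format and the sample lines are constructed assumptions, so the regex must be adapted to the real device.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a hypothetical router syslog format (assumption).
SAMPLE_LOG = """\
Mar 20 10:00:01 router httpd: login failed user=admin src=203.0.113.7
Mar 20 10:00:02 router httpd: login failed user=admin src=203.0.113.7
Mar 20 10:00:02 router httpd: login failed user=root src=203.0.113.7
Mar 20 10:00:03 router httpd: login failed user=admin src=203.0.113.7
Mar 20 10:00:04 router httpd: login failed user=admin src=203.0.113.7
Mar 20 10:00:05 router httpd: login failed user=admin src=203.0.113.7
Mar 20 10:00:09 router httpd: login ok user=admin src=203.0.113.7
Mar 20 10:30:00 router httpd: login failed user=admin src=192.0.2.10
Mar 20 10:45:00 router httpd: login ok user=admin src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ httpd: login (failed|ok) user=(\S+) src=(\S+)"
)

def parse(line, year=2009):
    """Return (timestamp, outcome, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {src: (failures_in_window, followed_by_success)} for every source
    that reaches `threshold` failed logins inside a sliding `window_s` window.
    A success right after the burst is the Psybot pattern: weak password found."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, _user, src = rec
        q = recent[src]
        if outcome == "failed":
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()           # drop failures older than the window
            if len(q) >= threshold:
                hits[src] = (len(q), False)
        elif src in hits and (ts - q[-1]).total_seconds() <= window_s:
            hits[src] = (hits[src][0], True)   # burst ended in a successful login
    return hits
```

A source flagged with `True` has most likely guessed the password; at that point the sensible response is to treat the router as compromised rather than merely blocking the address.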
For more information:
Skimer
- Sophos analysis: http://www.sophos.com/security/analyses/viruses-and-spyware/trojskimera.html
- Symantec analysis: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-031905-5048-99
- CNIS article: http://www.cnis-mag.com/fr/le-premier-virus-pour-dab-un-joli-cas-decole/actualite.html
Psybot
- Symantec analysis: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-032400-0103-99
- McAfee analysis: http://vil.nai.com/vil/content/v_154392.htm
- Zdnet article: http://www.zdnet.fr/actualites/internet/0,39020774,39388927,00.htm
- "The Register" article: http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm