Security experts identified a new attack wave with the ATMii ATM virus that has spread worldwide. The malware has undergone a thorough analysis by the experts and is rapidly being distributed by criminals on a global scale.
ATMii ATM Virus Infection Route
The security experts were able to conduct a full security analysis of the ATMii ATM virus. It is made up of two components:
- Injector Module ‒ An executable file called exe.exe which is responsible for starting the main virus engine.
- Virus Engine ‒ This is the main part of the ATMii ATM virus which is used to attain the infection and carry out the programmed attack sequence.
The virus infection starts with the execution of the injector module by the victims. At the moment no detailed information is available about the distribution tactics however there are several possible intrusion pathways.
One of them relies on an infection via the internal network. This relies on compromising vulnerabilities of other hosts found on the internal hosts. Popular tactics are used such as e-mail spam messages that use social engineering tactics to make the targets infect themselves. Another option is to use web ads, Trojans or malicious browser plugins (also known as hijackers or redirects) that have the ATMii ATM virus as the main payload. The other way of infecting the ATM machines with the ATMii virus is to perform a physical attack on them.
The injector itself is written in the Visual C programming language which means that it is compatible with all contemporary Microsoft Windows versions. When it is launched it starts to process a sequence of commands as defined by the hacker’s instructions. The component supports several parameters as discovered by the security researchers:
- load ‒ It is used to inject a malicious library (dll.dll) into the atmapp.exe process. The command instructs the injector to search for the given process and call the main.
- cmd ‒ This command creates and/or updates the configuration file called c.ini. It is used to configure the injected DLL. The collected samples have been found to update themselves each time the executable file is run with this argument.
- disp ‒ This is short for “dispense” a given amount of currency by the ATM machines.
- Die ‒ Instructs the ATMii ATM virus to delete the configuration file.
The ATM virus is specifically targeted at Microsoft Windows computers as a very large part of the machines still run on versions as early as XP.
ATMii ATM Virus Capabilities
The injection module loads a dynamic library and replaces an important funtion with a wrapper that includes a separate malicious addition. The primary function of the ATMii ATM virus seems to be the infection and misconfiguration of a special process that manages the machines ‒ the proprietary atmapp.exe file. The architecture of the hacker-controlled sequence is to follow the service-based architecture and reconfigure the ATM machines according to the criminals.
Once the injector has successfully called the main virus file it extracts the hardware information. This is done issuing a second subset of commands, the first one is called “scan” which is automatically called once the DLL library is injected into the target process.
Next, the “info” command is used to extract information about the available cassettes and their contents. Once the hackers know the exact amount of money that are currently kept in the machines they can use the “disp” (short for “dispense”) to physically collect the money. Two parameter options are available which can be fine tuned for an exact configuration ‒ currency and amount. The currency type must contain at least one of the three-letter country codes implemented in the ATM’s. The “die” command command can be used by the hackers to delete the c.ini configuration file which can be used to hide the sequence from security administrators or analysts.
Consequences of an ATMii ATM Virus Infection
As a result of the global attack wave the ATMii ATM virus is able to infect machines worldwide. The computer criminals can use the malware to compromise machines in their local area and quickly withdraw large amounts of money without actual physical intervention. This can prove fatal when the machines hold large amounts of money and are not properly secured by the bank’s staff.
Depending on the security policies and performed regular scans the ATMii ATM virus may not be immediately detected and removed which can lead to a lot of perpetrated crimes by the criminals. At the moment no information is available about their identities or initial spread location. We recommend that all computers employ an advanced and at the same time easy-to-use anti-spyware solution. It is suitable for both corporate and users and is able to effectively remove traces of malware in only a few mouse clicks. It also guarantees protection from all kinds of threats.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: