Security researchers from Kaspersky have published an analysis of a new version of Skimer, a malware family that targets ATMs. Skimer was first discovered seven years ago, but it has kept evolving since then, has withstood the test of time and has become increasingly attractive for attackers to use.
The malware is built to infect ATMs running the Windows operating system and is used to steal both cash and payment card details. Once installed, it first checks whether the file system is FAT32 or NTFS. On FAT32, it drops a malicious executable file into the C:\Windows\System32 directory. On NTFS, it instead writes that file into an NTFS alternate data stream attached to the executable of Microsoft's Extensions for Financial Services (XFS) service, according to the researchers.
Hiding the component in an alternate data stream makes forensic analysis considerably harder, the Kaspersky researchers said. The malware then modifies the legitimate XFS executable SpiService.exe, which is normally present on the ATM, so that it loads Skimer's own component, a library named netmgr.dll. Through the XFS service, Skimer is then able to communicate with the PIN pad and the card reader.
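The two persistence artefacts described above (a dropped netmgr.dll in System32 on FAT32, or an alternate data stream on the XFS service executable on NTFS, plus a modified SpiService.exe) can be checked for from the ATM itself. The following PowerShell script is an added example written for this article; it is not code from Kaspersky's report or from any ATM vendor. The location of SpiService.exe is an assumption (it varies by XFS vendor, so adjust $SpiServicePath), the string search for "netmgr.dll" inside the binary is only a cheap first-pass indicator, and the script assumes PowerShell 3.0 or later for the -Stream parameter of Get-Item.

```powershell
# Added example: look for the Skimer artefacts described in the article.
# Assumptions: SpiService.exe path (vendor specific), PowerShell 3.0+ for Get-Item -Stream.
param(
    [string]$SpiServicePath = 'C:\Windows\System32\SpiService.exe',  # assumed location, adjust per vendor
    [string]$DroppedDll     = 'netmgr.dll'
)

# SHA-256 via .NET so the script also runs on hosts without Get-FileHash (PowerShell 4.0+).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose(); $sha.Dispose() }
}

$findings = @()

# 1. Which case applies: the report ties the drop location to the file system type.
$sysDrive = $env:SystemDrive                       # e.g. "C:"
$disk     = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
Write-Host "System drive $sysDrive is formatted as $($disk.FileSystem)"

# 2. FAT32 case: the DLL is dropped as an ordinary file in System32.
$dllPath = Join-Path $env:SystemRoot ('System32\' + $DroppedDll)
if (Test-Path -LiteralPath $dllPath) {
    $findings += "Unexpected $DroppedDll at $dllPath (SHA256 $(Get-Sha256Hex $dllPath))"
}

if (-not (Test-Path -LiteralPath $SpiServicePath)) {
    Write-Warning "XFS service executable not found at $SpiServicePath; pass -SpiServicePath"
} else {
    # 3. NTFS case: the DLL lives in an alternate data stream on SpiService.exe.
    #    A clean file normally exposes only the unnamed ':$DATA' stream.
    Get-Item -LiteralPath $SpiServicePath -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $findings += "Alternate data stream '$($_.Stream)' ($($_.Length) bytes) on $SpiServicePath"
        }

    # 4. The report says SpiService.exe is modified to load netmgr.dll. A plain ASCII
    #    search for the DLL name is a cheap indicator; compare the hash against the
    #    vendor's known-good value (not available here) for a definitive answer.
    $bytes = [System.IO.File]::ReadAllBytes($SpiServicePath)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text.IndexOf($DroppedDll, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $findings += "String '$DroppedDll' found inside $SpiServicePath"
    }
    Write-Host "SpiService.exe SHA256: $(Get-Sha256Hex $SpiServicePath)"
}

if ($findings.Count -eq 0) { 'No Skimer artefacts found.' } else { $findings }
```

Run it from an elevated prompt on the ATM image or on a mounted disk image; a listing of any named stream on SpiService.exe, or the DLL name appearing inside the executable, is worth escalating even before the vendor hash comparison is done.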
Skimer lies dormant until it is activated by the insertion of a card carrying specific Track 2 data. The malware recognises two types of such cards: the first causes it to request data and commands through its interface, while the second executes commands that are hard coded in the card's Track 2 data. The newly discovered strain also uses new techniques to evade detection.