Ripper! Boffins find malware thought behind $347k Thai ATM raids

Researchers at security firm FireEye may have found the malware responsible for plundering ATMs across Thailand and other parts of South East Asia. The security boffins reckon the Ripper malware is "strongly" linked to the plundering last week of ATMs in Thailand in which 12 million Thai baht (US$346,992, £265,308, A$458,432) …

  1. frank ly


    "Thieves insert a custom EMV card into ATMs which sets up the machines ..."

    Who thought it was a good idea to make this functionality possible? Everything you do can be stripped and analysed and reverse engineered, then taken advantage of.

    1. Anonymous Coward

      Wanna bet it's some debug/support functionality that "might be useful"?

      Minimal attack surfaces and YAGNI sadly absent from most designs. Shades of the Larson cartoon of castaways in an inflatable lifeboat lifting in a box of "ACME broken glass and sharp metal bits" because "well, it might come in useful"

    2. Anonymous Coward

      Re: WTF!

      That struck me as well, but on reading the article, ElReg is wrong: the EMV card is not the infection vector as they mistakenly wrote. It's only the authentication mechanism.

      From the original:

      "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism. Although this technique was already used by the Skimmer family, it is an uncommon mechanism."

      EMV cards do not have the ability to contain the amount of data needed for an infection, let alone to automatically install software on the host.

      In fact, the original article does not explain how the ATMs are infected, but the choice of a country with a less-than-stable society could imply some insider help.

  2. Anonymous Coward

    If only...

    If only it was the only bug in ATM machines in Thailand...

    For some months, it has been advertised that ATMs will be using the chip on cards and not the magnetic strip... Since it was announced, some of the ATMs at my bank stopped working at all with any card that has a chip on it. I complained a couple of times, to no avail.

    One evening, I found the top part (computer part) of one ATM open, with no operator around. It was enough to push it to lock, but I also complained to the central bank.

    So malware? Just another day at work.

  3. wyatt

    Want to know about the internals of an ATM? Work in a pub which has one. The cash is (should be) removed each night and placed into a safe therefore reducing the attractiveness of the machine as a target for theft. From memory, the whole of the case opens up so you can see/access all parts rather than just the area where the cash is stored.

    Security starts with physical security.

    1. short

      Meh, I bought one off eBay to have a look... (NCR, pub-grade). Mrs Short wants rid, but I think it looks nice in the hall... It throws a BIOS beep code, so really needs a Pi / MAME install.

      1. Hey Nonny Nonny Mouse

        Beat the end of level boss to get cash out?

  4. Anonymous Coward

    NCR ATM malware family

    "Regalado has revealed the malware's internal workings in a technical analysis."

    You forgot to mention the malware only runs on the WinTEL platform.

    1. Anonymous Coward

      Re: NCR ATM malware family

      Prize for Mr/Mrs Obvious.

      Now if ATMs ran on ARM/Linux combinations, guess what platform the malware would only infect?

      Trust me, get rid of Windows today, replace every single PC and server in the world with Linux, and see how long it is before Linux dies under the malware crush.

      I mean, criminals are not going to stop just because the OS changed.

  5. Calleb III


    "across Asia and Japan." A bit redundant; last time I checked, Japan was in Asia.

