Dec. 22, 2016
Trend Micro, a security software company based in Los Angeles, has discovered Alice, a new family of ATM malware that the company described in its blog as "the most stripped down ATM malware family we have ever encountered."
Trend Micro first discovered the Alice ATM malware family in November as result of a joint research project on ATM malware with Europol EC3, the company wrote in a blog post on its website.
"Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information-stealing features," the blog said. The sole purpose of BKDR ALICE.A is to empty the safe of an ATM.
Like other known malware programs, Alice must be physically installed on the ATM. Once this is done, the malware checks to make sure it's running in a proper ATM environment.
Alice connects to the ATM's CurrencyDispenser1 peripheral, and no other hardware; therefore criminals cannot issue any commands via the PIN pad.
Instead, they simply enter a specific 4-digit PIN based on the ATM's terminal ID. This opens the operator panel, which the attacker can use to see what's in the ATM and to instruct the machine to dispense its contents. Because ATMs often have a dispense limit of 40 notes, it could take several passes to empty the safe.
Since Alice only looks for an XFS environment, Trend Micro believes that it was designed to run on any vendor hardware configured to use Microsoft Extended Financial Services middleware.
According to the Trend Micro blog, the new discovery is remarkable because it shows "a clear tendency for malware writers to attack an ever-increasing variety of platforms. This is especially acute against ATMs, due to the high monetary value they represent."
Read the full-length blog about the Alice malware program.