
The hazards of outing ATM malware

A Russian developer of ATM antivirus software publicizes its discovery of an ATM Trojan horse ... and pays the price.

September 30, 2015

In December 2013, Russian antivirus software developer Dr. Web announced that it had added protection to its ATM Shield product to block Trojan.Skimer.18 malware.

Threats followed immediately, according to a post on the Dr. Web blog. A message from either the programmer or the crime syndicate (Dr. Web isn't sure which) read, in part:

... the development of Dr.Web_ATM_shield threatens activity of Syndicate with multi-million dollar profit. Hundreds of criminal organizations throughout the world can lose their earnings.

You have a WEEK to delete all references about ATM.Skimmer from your web resource. Otherwise syndicate will stop cash-out transactions and send criminal for your programmers’ heads.

When Dr. Web proved to be indifferent to the idea of criminal organizations losing their earnings, the "syndicate" firebombed Dr. Web offices. Twice.

Then they sent another message:

Taking into account the fact that you’ve ignored syndicate’s demands, we employed sanctions. ...

If you don’t delete all references about atmskimmer viruses from your products and all products for ATM, the International carder syndicate will destroy Doctor Web’s offices throughout the world ...

Somewhat cryptically, the sender also said that the syndicate would lobby other countries to prohibit the use of Dr. Web antivirus products "under the pretext of protection against Russian intelligence service."

According to a detailed blog post by Krebs on Security (which includes an interview with Dr. Web CEO Boris Sharov), the company sustained a third firebombing at its office in Kiev, Ukraine.

Despite threats and attacks, though, Dr. Web continues to pursue its mission of identifying and studying ATM threats.
