FAIL: Trojan attempts to attack anti-Phishing tool
by Steve Ragan - Jun 3 2010, 16:50
Some Malware authors fail so hard even Jean-Luc can't believe it.
Webroot posted an interesting observation to their blog this afternoon. They wrote about an obscure Trojan that attempts to hijack Trusteer’s Rapport software, which is designed to prevent phishing attacks against several well-known and frequently targeted financial institutions.
Webroot calls the bottom-feeding Trojan a generic clone of Trojan-Phisher-SABanks. Inside the malware’s code is a routine that seeks out Rapport installations and attempts to delete parts of the software’s installation. The routine is a miserable attempt, and fails at the job completely.
“One version of the Trojan drops, then executes, a batch file that attempts to delete the main application. Another drops a batch which targets a binary file named config.js, buried a few levels below Trusteer’s program folder - four different ways,” wrote Webroot’s Andrew Brandt.
“Unfortunately for the cyberschnooks who wrote this claptrap, and luckily for the rest of us, they didn’t count on Trusteer protecting its components or files in any way. Fortunately, in each of our tests, Rapport handily defeated the meager, unsuccessful attempts by the spy (which we call Trojan-Phisher-Rancor) to delete the application or its configuration file.”
Trusteer’s Rapport, with over 6 million users, is a free browser add-on that locks down the browser itself, guarding against phishing attacks and preventing malicious traffic redirects between the client and the banking site. Several major banks, including Fifth-Third, HSBC, RBS, and SunTrust, use Rapport as part of a working relationship with Trusteer and encourage customers to use the tool on a regular basis.
We’ve asked Trusteer for a comment on Webroot's discovery, and whether there is any information they can share about protections in Rapport that will prevent future attacks. As Brandt said, “…this attempt was a failure, but the next one might not be.”
Update:
Trusteer's CEO, Mickey Boodaei, got back to us with the following:
"Attempts made by criminal groups to disable Trusteer Rapport emphasize the effectiveness of Rapport in protecting online banking communications. Criminals are trying to disable Rapport as while it's active they're unable to commit fraud or steal information."
"The Rapport software client is just one component in a wider fraud prevention solution that Trusteer provides to banks. This solution allows banks to assess risk associated with customers' end-devices, investigate fraud incidents, limit the activity of high-risk end-devices, protect end-devices, and confirm the protection of end-devices."
When it comes to protections, he added that attempts to disable Rapport are detected and addressed not just by the Rapport client itself but also by various other system components in the cloud and on the bank's servers.
"Trusteer has built several layers of protection into the Rapport software to protect its processes, files, registry keys, etc. As new threats emerge, Trusteer continuously responds by creating additional layers of defense."
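Webroot's description of the dropped batch file (an attempt to delete the main application and a config.js under the product folder) and Boodaei's point about self-protection of processes, files and registry keys are two sides of the same tamper scenario. As an added example (not Webroot's, Trusteer's, or this article's own code), the following Python script shows the kind of host-side detection a defender can run over file-activity telemetry: it flags destructive operations on a protected product folder performed by a process that is not itself part of that product, so the product's own updater is allowed through. The log line format, the folder path `C:\Program Files\ExampleAntiPhishing`, the binary names and every log line are constructed placeholders for this example; only the file name config.js comes from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample file-activity log lines for this example (not real telemetry).
# Assumed line format: "<time> pid=<n> image=<process path> op=<DELETE|WRITE|READ> target=<file path>"
# The product folder and binary names are placeholders, not Trusteer's real layout;
# only "config.js" comes from the article.
SAMPLE_LOG = r"""
2010-06-03T16:40:01Z pid=1204 image=C:\Windows\System32\cmd.exe op=DELETE target=C:\Program Files\ExampleAntiPhishing\bin\config.js
2010-06-03T16:40:01Z pid=1204 image=C:\Windows\System32\cmd.exe op=DELETE target=C:\Program Files\ExampleAntiPhishing\AntiPhishing.exe
2010-06-03T16:40:02Z pid=3320 image=C:\Program Files\ExampleAntiPhishing\Updater.exe op=WRITE target=C:\Program Files\ExampleAntiPhishing\bin\config.js
2010-06-03T16:41:10Z pid=1204 image=C:\Windows\System32\cmd.exe op=DELETE target=C:\Users\alice\AppData\Local\Temp\tmp1.bat
2010-06-03T16:41:12Z pid=2222 image=C:\Windows\notepad.exe op=READ target=C:\Users\alice\notes.txt
""".strip()

# Folders whose contents the security product treats as its own (placeholder path).
PROTECTED_ROOTS = [r"C:\Program Files\ExampleAntiPhishing"]

# Operations that modify or remove a file; plain reads are not tampering.
DESTRUCTIVE_OPS = {"DELETE", "WRITE"}

LINE_RE = re.compile(r"^(\S+) pid=(\d+) image=(.+?) op=(\S+) target=(.+)$")


@dataclass
class FileEvent:
    time: str
    pid: int
    image: str
    op: str
    target: str


def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one log line into a FileEvent; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, pid, image, op, target = m.groups()
    return FileEvent(time, int(pid), image, op.upper(), target)


def is_under(path: str, root: str) -> bool:
    """Case-insensitive check that `path` lies inside directory `root` (Windows-style paths)."""
    p = path.lower().replace("/", "\\")
    r = root.lower().replace("/", "\\").rstrip("\\") + "\\"
    return p.startswith(r)


def is_tamper_attempt(ev: FileEvent, protected_roots: List[str]) -> bool:
    """A destructive operation on a protected file by a process that is not itself
    part of the protected product (so the product's own updater is allowed)."""
    if ev.op not in DESTRUCTIVE_OPS:
        return False
    for root in protected_roots:
        if is_under(ev.target, root) and not is_under(ev.image, root):
            return True
    return False


def find_tamper_attempts(lines: List[str], protected_roots: List[str]) -> List[FileEvent]:
    """Return the events in `lines` that look like attempts to delete or overwrite
    a protected product's files from outside the product."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_tamper_attempt(ev, protected_roots):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    # On the constructed sample, only the two cmd.exe deletions inside the product folder fire.
    for ev in find_tamper_attempts(SAMPLE_LOG.splitlines(), PROTECTED_ROOTS):
        print(f"{ev.time} pid={ev.pid} {ev.image} attempted {ev.op} on {ev.target}")
```

The rule deliberately keys on the acting process rather than on a specific malware name: a batch file run through cmd.exe that deletes files in the product folder is flagged whoever wrote it, while the product's own updater writing config.js is not. In a real deployment the protected roots would come from the product's install location rather than a hard-coded placeholder, and the alert would feed the same kind of client-plus-server correlation Boodaei describes.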