A popular anti-keylogging tool used by online banks such as HSBC, Trusteer’s Rapport, has come under direct attack by malware writers trying to bypass its protection settings.
In a discovery reported made by fellow security vendor Webroot Software, a Trojan the company names ‘Phisher-Rancor’ runs a batch file that tries to close down the Rapport app, while a second variant targets a separate binary, config.js.
Luckily, the malware fails to overcome Rapport’s built-in protection mechanisms, starting with its ability to reload itself if closed down, a characteristic common to all anti-malware programs.
Although the Trojan fails, Trusteer will doubtless take the attempt as a clear warning.
“While this appears to be an isolated (and, for now, totally inept) incident of an easily defeated phishing Trojan that attempts to disable this particular anti-phishing software, it isn’t a good idea to underestimate the enemy. Clearly this attempt was a failure, but the next one might not be,” says Webroot researcher, Andrew Brandt.
Malware that tries to disable anti-virus engines or blocks access to specific update or security websites is an absolutely standard part of the criminal arsenal. In recent times it has been unusual for this tactic to achieve much success.
Trusteer's CEO, Mickey Boodaei, also emphasised that Rapport's use by banking sites depended on more than the application's integrity itself.
"Criminals are trying to disable Rapport as while it's active they're unable to commit fraud or steal information. The Rapport software client is just one component in a wider fraud prevention solution that Trusteer provides to banks. Attempts to disable Rapport are detected and addressed not just by the Rapport client itself but also various other system components in the cloud and on the bank's servers," he said.
What is more unusual is the targeting of a single, specific app in a targeted manner. Trusteer is itself a targeted approach to security, protecting online banking communications by verifying websites in a way that can also be used to set up an encrypted channel between a user’s browser and the banking systems.
It is secure enough that UK bank HSBC has encouraged its customers to use it with its own servers. The tool can also be used by any user at no cost for domain lookup (up to a maximum of 100 sites) although the most secure mode does require that the institution in question integrates it with their login system.
Supported browsers include IE. Mozilla Firefox and Google’s Chrome.