REVEALED: Cyberthug tool that BREAKS HSBC's anti-Trojan tech

Cybercrooks on an underground forum have developed a technique to bypass anti-Trojan technology from Trusteer used by financial institutions worldwide – including HSBC and Paypal – to protect depositors from cybersnoopers. Trusteer has downplayed the vulnerability and said it's in the process of rolling out beefed-up …

COMMENTS

This topic is closed for new posts.
  1. Ian Chard

    Hands up who trusts Trusteer.

    Anyone... anyone...

    1. Lee D Silver badge

      Re: Hands up who trusts Trusteer.

      Yeah, I'm sorry, but the less software involved in securing my bank transactions the better. As it is, I do my banking in a private browser session so nothing is recorded (not that anything SSL should be recorded anyway), use one of those PIN-generating gadgets, and am paranoid about having a clean machine. Any further software is just another attack vector and if it ties into my browser, I can't really see what it's doing that my browser shouldn't already be doing all the time anyway.

      The hilarious part was when HSBC tried for about a month to get me to install McAfee on my machine, even to the point of getting in the way of my login sessions. I can't think of anything worse in terms of "security" than scanning every single file ever opened anywhere on your computer against a blacklist of known viruses. The fact that I was accessing from Linux and the free software offer didn't include a Linux version only made it more annoying.

      1. Anonymous Coward

        Re: Hands up who trusts Trusteer.

        Good to know I'm not the only one. I don't even install Antivirus. My installations have become increasingly bare over the years. Less to maintain. Less to update. Less to exploit.

        Even Ad Blockers have become a big no-no for me. Much prefer something which is easily auditable such as this simple little hosts file: http://someonewhocares.org/hosts/

        1. Allan George Dyer

          Re: Hands up who trusts Trusteer.

          So, Entrope, you reject the idea of Antivirus (described by Lee as checking against "a blacklist of known viruses"*) and embrace a blacklist of known bad hosts on the internet? How often is the list updated? Never seen an innocent site that's been broken into and planted with malicious stuff?

          I wonder how big a hosts file can get before it brings your machine to its knees?

          * an over-simplistic description of modern anti-virus, which will also try to recognise never-before-seen variants of known malware, and apply other rules in its determinations.

          Full disclosure: my company sells anti-virus. It should be part of your information security management strategy.
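The two questions raised in this sub-thread (how auditable a hosts-file blocklist really is, and how large it gets) are easy to answer mechanically. The following is an added example, not code from any commenter or from the someonewhocares.org list: it parses a hosts-style file, counts entries and duplicates, flags malformed lines, and, the check that matters most for a "blocklist", flags any name that is mapped to something other than a blackhole address (0.0.0.0, 127.0.0.1, ::1), since such an entry silently redirects rather than blocks. The sample text and its `.invalid` hostnames are constructed for the demonstration.

```python
"""Audit a hosts-style blocklist before trusting it (added example)."""
import ipaddress
from collections import Counter

# Constructed sample in hosts-file syntax; every hostname here is invented.
SAMPLE_HOSTS = """\
# header comment
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid   # trailing comment
0.0.0.0 ads.example.invalid
127.0.0.1 telemetry.example.invalid
203.0.113.7 bank.example.invalid
this line is malformed
"""

# Addresses that make a hosts entry a block rather than a redirect.
BLACKHOLE = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}
# Names a stock hosts file legitimately maps to loopback; not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return ([(line_no, ip, hostname), ...], [malformed_line_numbers]).

    Comments (from '#' onward) and blank lines are skipped; one line may map
    several names to the same address, so each name becomes its own entry.
    """
    entries, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append(line_no)
            continue
        if len(parts) < 2:
            malformed.append(line_no)
            continue
        for name in parts[1:]:
            entries.append((line_no, ip, name.lower()))
    return entries, malformed


def audit_hosts(text):
    """Summarise a hosts file: size, duplicates, malformed lines, redirects."""
    entries, malformed = parse_hosts(text)
    counts = Counter(name for _, _, name in entries)
    duplicates = sorted(name for name, n in counts.items() if n > 1)
    # A name pointed at a routable address is a redirect, not a block.
    redirects = [
        (line_no, str(ip), name)
        for line_no, ip, name in entries
        if ip not in BLACKHOLE and name not in LOCAL_NAMES
    ]
    return {
        "entries": len(entries),
        "unique_hosts": len(counts),
        "duplicates": duplicates,
        "malformed_lines": malformed,
        "redirects": redirects,
    }


if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

Run it against the real file (`audit_hosts(open("/etc/hosts").read())`) to get the entry count behind the "how big can it get" question; the `redirects` list is the item to read first, because a single non-loopback line in a downloaded blocklist is exactly the kind of change that a quick visual scan of tens of thousands of lines will not catch.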

          1. Lee D Silver badge

            Re: Hands up who trusts Trusteer.

            Antivirus heuristics are - as you well know - next to useless. It's the halting problem all over, because you have no way to tell if something is potentially malicious, and increasingly viruses are using more and more obfuscated code, encrypted payloads, etc. All they do is look for things SIMILAR to the known blacklist of viruses, they can't magically determine what the program will or won't do. It's a slightly looser regexp, that's about it, and it won't perform magic (the day we can get a program that can analyse another binary and say definitely "this program cannot perform action X" is the day that we've solved all the world's programming and AI problems).

            Run any KNOWN virus through VirusTotal.com - at least 20% of big-name antivirus vendors won't recognise it if it's less than 5 years old. Now go through it with a hex editor and change a handful of bytes, rearrange the source a bit if it's a script-based language, etc. By all probability it will get a clean bill of health even if you throw your own antivirus with heuristics enabled directly at it.

            That said, I don't personally use hosts blocking either, for exactly the reason you point out. It's like managing email spam by blocking sender addresses - ineffective and costs more than it saves.

            Notice, however, that I don't say that antivirus is 100% useless - it has its place in an intrusion detection style method of application. Scan disks looking for known viruses on a schedule, just to check you are clean. Scan new disks inserted into the system as a check-box exercise to provide some sort of reassurance. But I disagree strongly with the "let's intercept every disk access at all times, on every machine, and run it through a third-party program" when it's clearly ineffective against any half-sensible virus or crafted malicious program until that virus makes it into the signature list. I have it deployed in places where it's necessary (mostly systems with untrusted users and things like PCI-compliant workstations), but on my personal machine it's an unnecessary abomination.

            And, yes, I have seen any number of things romp past a fully up-to-date antivirus running in full heuristics with real-time file access scanning enabled - even things that were spread YEARS ago - without so much as a hint that anything was up. And normally their first action is to shut the AV down. AV on a network is infinitely more useful as a miner's canary (when it dies and stops talking back to the central management console, chances are it's infected or disabled) than it is as a real-time monitor of a user's actions. And decent group policy and system security is even more useful than even that.

            Don't big up antivirus as the solution to all the problems and some magical, mystical guardian of the underworld. It's not. It's a useful tool to check you aren't already compromised with a known virus. That's about it. It's like having a checklist of things NOT to do on an electrical installation. Sure, going down the list is reassuring that you haven't committed any of your previous errors, but it doesn't mean that the system is electrically safe or that your checklist isn't missing something.

            1. Anonymous Coward
              Pirate

              Re: Hands up who trusts Trusteer.

              The main thing not to do during an electrical installation is use both hands.

              Or you'll end up like that guy -----> (or did they move him back to the left?)

          2. Anonymous Coward

            Re: Hands up who trusts Trusteer.

            "It should be part of your information security management strategy." In my organization, yes. At home, no. And even in my organization it is as you mentioned "PART" of the strategy... and not a very sizable one at that. Lee has already sufficiently pointed out some of the pitfalls of antivirus solutions (my personal complaint would be resource usage, especially if real-time file system scanning is enabled).

            Extremely tight group policy restrictions (SRP/Applocker) on their own go an extremely long way in preventing most unwanted applications from running with hardly any performance penalty. And these days if something is sufficiently sophisticated to bypass any such restrictions (through a zero day vulnerability, for instance) then chances are it is going to be equally as proficient in bypassing an antivirus solution.

            Yes, websites can be compromised to deliver malicious content. Happens all the time. If such content is delivered merely as an executable, it won't run due to SRP. If as a PDF/DOC/XLS/... chances are it would have to make use of a zero day and it must not count on JS in Acrobat (disabled) or any form of Macro (also disabled). Again, see point above with respect to zero day vulnerabilities.

            Is my solution 100% airtight? No, it isn't. No solution is. I do employ a good many layers of security however (including antivirus, but with limitations) in order to make it as difficult as possible for any of my systems to be compromised by any form of malware. The key here is to prevent being compromised by "common" forms of malware. Targeted attacks are a separate story altogether.

            Is antivirus 100% useless? No, it isn't. I still recommend antivirus products to home users and companies. Especially so companies with no dedicated IT security resources (personnel to maintain policies, audit said policies, perform rapid updates of deployed applications, and et cetera). Even for companies with dedicated IT security resources antivirus CAN have its place as an additional layer of checks.

            Have firm policies in place. Restrict everything that isn't required. Run strictly as user. Limit the number of resources/applications (and plugins, if applicable) to the absolute bare minimum. Keep your software as up to date as possible. And you're likely 99% ahead of the vast majority of malware writers already who really prefer to target the masses rather than worry about the few who know what they are doing.

            (P.S. I'm not claiming to know it all. But I'm writing based on experience. Again, I will never claim that my systems are 100% airtight and I will always welcome someone to prove to me that what I am doing is absolutely wrong/absurd. This is ultimately what security is about. Learn and keep learning.)

            1. Allan George Dyer

              Re: Hands up who trusts Trusteer.

              OK, Lee, Entrope, we seem to mostly agree: AV is not a 100% perfect solution to malware, but it does have an important place in an InfoSec strategy. Your initial remarks didn't give the same impression.

              However, Lee, I do disagree with your assessment of heuristics, and your test is not valid: changing bytes at random is not likely to result in a working program, so why should it get recognized as dangerous? I could say you've proved the opposite: the heuristics can distinguish between working malware and a similar corrupt file that does nothing.

              1. Lee D Silver badge

                Re: Hands up who trusts Trusteer.

                I do not mean change bytes at random (though, if you pick bytes in the data areas of the PE, it will have roughly the same effect on a naive AV). I mean rearrange the source, or put a check after the one it was previously before, etc. If you have a binary (and not source), you can still change the bytes that correspond to an awful lot of the code and not have any effect at all (similarly, with sufficient knowledge, you can change the code so that it does any number of equivalents without actually changing the effect of the code).

                But try it with a simple VBScript / Javascript exploit. Jumble the code around so it does pretty much the same, but does some things in different orders, jumps through an unnecessary hoop or two, uses different buffer contents to try to execute via an overflow or data-execution vulnerability, etc. Most of the time, it'll fly past any antivirus.

                AV sometimes does not even read the whole of the executable file. I've sat and watched filemon accesses of certain AVs in operation and they can sometimes do no more than a simple hash (if they do read the whole binary) or a quick jaunt through the first few Kb of the executable. There's little to no "deep analysis" going on. Heuristics is a really misleading term, even when AV isn't that naive. In the end, everything is signature based. The signatures might be slightly variable in some cases (i.e. we don't care what's actually in the overflow exploit buffer that gets run, but we check how you get to that point) and use the equivalent of a wildcard or two to "genericise" the exploit it looks for, but a wildcard in a grep (which is what 99% of antivirus actually is/does) is NOT a heuristic. And it *can't* account for simple tweaks in the exploit code that are obvious to any programmer who reads through some exploit source as being perfectly equivalent attacks even if they result in HUGELY different binaries.

                AV and spam-filtering have much more in common than most people think. And yet I still get some spam through the best filters in the world after receiving them from servers publishing all kinds of SPF records, etc.

                And, as I say, once you get into compressed and encrypted payloads, picking up on them inside a program is much, much, much harder than AV companies would ever have you believe. Some take to tagging anything that does that as "suspicious" - that generates a bucket of false positives. Some take to trying to decrypt the data using the technique that they KNOW from their database is used to encrypt it, and then analyse the decrypted parts (e.g. Opera is compressed with a UPX-like packer that most AV know how to "decrypt"). But the fact is that without that prior knowledge or an obvious signature of what the file is doing with itself, the AV is stuck looking at random bytes and some code that decrypts them.

                Hell, polymorphic viruses have been prevalent since the 80s at least, and pretty much the same techniques still baffle most AV in its strictest modes.

                AV has its place. Pretending to be able to tell that random, unknown programs are safe or not is NOT one of them.

        2. Anonymous Coward

          Re: Hands up who trusts Trusteer.

          Nope, me neither

          I did install it once, but the loads of extra external network connections it creates to strange looking endpoints (which don't have any obvious relationship with Trusteer until you waste time digging into whois data) made me so twitchy that I uninstalled it immediately.

          I'll add my vote to preferring as simple a setup as possible.

      2. Anonymous Coward

        Re: Lee D

        I'm assuming here your bank doesn't force JRE down your throat then?

        Still seems to be quite the "in" thing for a good many financial institutions.

        1. Chemist

          Re: Lee D

          "I'm assuming here your bank doesn't force JRE down your throat then?"

          Have you got an example? I've never found one. (3 banks, 2 building socs, 1 credit card company)

          1. TheOtherPhil

            Re: Lee D

            danskebank.ie - They insist on using JRE but apparently that's OK because they use two-token authentication. Shame it's in the form of a handily copied credit-card sized bit of paper with a look-up table on it. (And, in the case of one user at least, a scribbled password in the corner.)

            Their tech support chaps tell me it's fine using java in the browser - but you do need to make sure you trust your computer...

          2. Dave Lawton
            Happy

            Re: Lee D

            Bank that doesn't require owt special, and that includes Javascript - The Coop

      3. Roger Greenwood
        Meh

        Re: Hands up who trusts Trusteer.

        Can only agree with you Lee. You can forgive a bank not taking account of the small proportion of techie customers they have, but I get annoyed when IT companies ring up trying to sell me services who have also not heard of anything other than MS Windows. They just assume. Sometimes I let them rabbit on for ages before letting on.

  2. This post has been deleted by its author

  3. Richy Freeway

    This isn't its major flaw.

    The biggest problem with Rapport is the horrendous performance hit it brings. I'd go as far as saying it's worse than Norton. 8 out of 10 computers we get in for repair that are running slow have Rapport installed. Remove it and the problem vanishes.

    1. Don Jefe

      Re: This isn't its major flaw.

      Trusteer doesn't have to concern itself with the end user. The banks are their customers. After they've got management all hot and ready for it they're golden. Good work if you can get it.

  4. Mark Allen

    Old Virus - Rapport a joke

    This is more ancient news. I removed a virus from a client's machine at least two or three years ago. He had Rapport on the laptop and some brand name anti-virus software and he only knew he was infected as I had trained him to be paranoid to changes.

    As he logged into his HSBC account there was one subtle change. Instead of asking for the 2nd, 4th, 7th letters of his password he was asked for the full password. This is when he phoned me - good man.

    Clearly the virus had inserted its own HSBC-looking fake page on TOP of the web browser and redirected clicks to it. So Rapport didn't have a clue it was there. I remember clicking on the daft Rapport tool and it telling me everything was fine. Anti-virus was happy. Malware scanners saw nothing. I killed it with a Linux Boot Disk and intelligent deleting of the nasties that were obvious to me, but hidden in Windows.

    I have always seen Rapport the same as the retired security guard seen in some banks. A guy with a uniform on, but too old to actually stop a robbery or get in the way. To some customers he looks reassuring so keeps his job even though he is next to useless.

    Personally I don't do online banking - I like to keep people employed. So I walk into my local branch and/or use the phone. Real physical security and no man in the middle.

    1. Anonymous Coward

      Re: Old Virus - Rapport a joke

      I knew from the outset, when HSBC were trying to make me install this crap, that it wasn't likely to protect me.

      I never installed it.

      1. druck Silver badge
        Facepalm

        Re: Old Virus - Rapport a joke

        HSBC were trying to get me to download it, when I was using Linux.

        1. Dave Lawton
          FAIL

          Re: Old Virus - Rapport a joke

          It insisted I ought to install it ... on an ARM-based Chromebook!

  5. Boris the Cockroach Silver badge

    The

    only hope for online banking is for the banks to configure a basic live CD O/S running a cut down version of windows/linux/mac/zx81 (doesn't matter which), tell the customer to insert said disc into PC, then log onto the bank's website using the browser on the disc.

    Then remove said disc from the machine, power down and reboot when finished.

    Then there's next to no way any nasties can get on the disc....... until cyber crims start mailing live CDs to everyone... which gets jolly expensive jolly quickly

    1. Anonymous Coward

      Re: live CD

      I've often wondered why the banks don't do this - although I'm not sure I'd be happy to be forced into a reboot every time I wanted to do some online banking. The cynic in me suspects that the reason might be that a bank-provided CD would mean the customer would be able to blame the bank's software, whereas now, the bank can blame the customer's computer. Perhaps there are better reasons, however.

    2. Don Jefe

      Re: The

      That would have been nice, when all PCs & devices still had optical drives...

      1. Anonymous Coward

        Re: when all PC's & devices still had optical drives...

        ok then ... how about a bootable usb ROM instead?

  6. Anonymous Coward

    rapport crapport

    ever tried asking what it does? no one can actually tell you without spewing a load of pseudo nonsense that means nothing

  7. OffBeatMammal

    HSBC two-factor

    I was all excited when I heard HSBC was going to implement two factor ... until they sent me their little dongle which I keep losing! why they couldn't have gone with something I can run on my phone (oh, like Symantec VIP or Google Authenticator)

    then they keep pushing McAfee (quite why I would ever want to do that to myself again) and Trusteer (a vague hand-wavy promise of security) ...

    not to just pick on HSBC though.... there has to be a better way to secure and verify access from an end-user computing device to a server

    1. JaitcH
      Unhappy

      Re: HSBC two-factor

      The SecureKey (key ring dongle) is useless. It has caught fire, and is simply a security placebo. One of my techs took a long time to hack it but now the codes are on my Samsung Note behind a decent password.

      I was speaking to a live technician in London, not the Mumbai sweatshop, and he inquired whether I had Rapport installed. After advising him No, he came back with the rejoinder Don't install it! Seems that Tech Support makes a lot of overtime from that little piece of junk software.

      And it doesn't enhance security much, but it makes customers feel good.

  8. Anonymous Coward

    internet banking

    utter madness

  9. ElReg!comments!Pierre

    single use PIN

    My bank uses one-time PINs, generated by a card reader that also requires manual input of a (one-time, website-provided) code. It makes transactions a tiny bit less convenient but that's probably more secure than most other "solutions".

  10. Mayhem

    Natwest two factor is worthy of Joseph Heller

    Hah.

    I've had a lot of run-ins with Natwest Business banking lately.

    They have a browser based malware scanner of some form that runs in the background when the user logs in. If this detects what it thinks is malware, it disables the user's account, and then their system deletes the user.

    We have to recreate the account from scratch from another admin account, and then wait a week for the pin code to be sent out by their central mail centre. There is no way to speed this up.

    Upon receipt of which the user logs back in, triggers the system again, and the account is promptly redeleted.

    We phone the helpline and they simply advise that Malware X was detected on IP Y for that user.

    The IP is the public gateway for our network. The malware X isn't detected locally, nor on our virtual desktops. We ask for info on specifically what malware was detected. "I can't tell you that".

    How was it detected? "I can't tell you." "You can't, or you won't?" "I can't tell you that either"

    Is there a second line team I can speak to? No, it is based in India, and doesn't talk to end users.

    Can you advise how to get around this? "Install Rapport. We provide it free and it will protect your PC" The user is in a Citrix desktop, via thin client, they don't have a PC. "Install Rapport. It will fix it"

    We tried logging in via Chromebook and guest adsl link. Same result. "Install Rapport" "How?!!"

    All they record for diagnostic purposes is User, Malware family, Public IP & DateTime. Really freaking useful, not even specific to strain of malware.

    Eventually we replaced every item of hardware in the office, rebuilt every accounts user's Citrix profile, and reinstalled Windows from scratch on their machines, and a month later the system finally gave up deleting the accounts. Only took three months of a new account every other week.

    1. This post has been deleted by its author

  11. billse10

    have a relative who was actually told by HSBC staffer that if (s)he didn't install Rapport and McAfee their computer would be hacked into and used for distributing illegal content. Presumably the staffer in question was offering to pay for the licences ....

    While the banks are allowed to employ morons like that, and we're not allowed to smack them about the head repeatedly, they should not be allowed to insist on particular software that only runs on particular operating systems. It's as stupid as BBC saying iPlayer is only available on platforms that they like but claiming it's a publicly available service, and advertising it on their advertising-free (hahaha) channels.
