Trusteer Rapport easily bypassed, virtually useless

Status
Not open for further replies.

Hungry Man

New Member
Thread author
Jul 21, 2011


Unbiased Review of Trusteer Rapport, Neil Kettle at 44CON London September 2011.

Here's a fun quote: "Anyone who can read even a line of assembler can bypass Trusteer Rapport on both OSX and Windows."

Basically, if you can point to any part of this program you can say "this piece doesn't work." It is not only a fundamentally flawed idea but the execution is awful (the encryption is laughable; essentially, if you type a it encrypts to b, etc.). There are multiple, very simple ways to bypass the would-be protection entirely and with very few lines of code.

It would be one thing if TR publicly said "Yeah, this is only for legacy malware" but it makes outrageous and overspectacular claims that it can stop 0day keyloggers etc.
 
Yup, I know it's useless, however my bank thinks it's a piece of genius.
 
http://www.digit-security.com/blog/?p=333

More information. It seems they released a patch, hinted in the article as not doing the trick. They have never addressed the completely useless encryption/obfuscation.
 
There are alternate tools you can use; HitmanPro Alert, Prevx SafeOnline (AFAIK)
 
I sent TR support team a link to the video asking them if the issues are fixed, will return with their answer if I get one? :angel:

/W
 
woodrowbone said:
I sent TR support team a link to the video asking them if the issues are fixed, will return with their answer if I get one? :angel:

/W

Hey Woodrowbone,

The specific bypass described in the video is no longer possible; Rapport's new version does not allow it.

Trusteer and the banks we work with are constantly testing Rapport against financial malware to make sure it provides the most effective protection possible. We strongly encourage members of the security community to test Trusteer Rapport against financial malware.

The strength of Trusteer Rapport is in its ability to detect, block, and remove financial malware as demonstrated by this report: http://www.trusteer.com/sites/default/files/Mandiant.pdf.

The Register had a piece about it as well: http://www.theregister.co.uk/2011/10/11/trusteer_rapport_security_bypass/

If you can find financial malware that successfully operates on a Rapport protected machine please let us know - publicly or privately. We offer money rewards for anyone who can provide us with a sample of a live financial malware “in the wild” that successfully operates on a Rapport protected machine.

If you wish to continue this discussion, here or privately, we would be happy to do so.

Regards,
Alex Man
Trusteer Technical Support
 