Came across this recently. Currently being rolled out in the U.K. Appears to be a big threat to Trusteer Rapport's commercial bank customer base. Software only installed on the bank's web servers: https://www.mindedsecurity.com/index.php/products/amt-banking-malware-detector Not a lot of details on how the software works. Appears to do some type of predictive analysis on the browser HTML code generated and determine that the browser has been compromised. Whereas all this might be good for the banks, it might be bad news for customers. Will give banks reason to restrict or terminate online access to customers deemed "malicious." Might be the future of online financial processing though. https://www.malware-detector.com/index.php/keyfeatures/ They also had an article in their blog section that may be of interest to anyone using a cloud browser: http://blog.mindedsecurity.com/2015/04/beyond-superfish-journey-on-ssl-mitm-in.html
Interesting, but personally I prefer to have security tools installed on my own PC, I'm not into agent-less security tools. But for banks it might be interesting. After all, we all know how many people complained about the first versions of Trusteer Rapport, it was causing all kinds of problems.
Sounds bad. To me it's not like the banks have a record of admitting when they get it wrong, e.g. chip and PIN theft is blamed on the customer despite it being proven by other bodies that it can happen without the customer's knowledge.
The language that "got me" was "it analyzes the behavior of the HTML page in the user's browser and can easily detect new kinds of attacks or new malware variants that are running on customer machines." So how is that possible? Sure sounds to me like RAT behavior. To run a remote access Trojan/tool, you need a backdoor. Hopefully, they are speaking in the abstract and are running the HTML code in a simulator on the bank's web servers. However, it would have to be a "generic" version of each browser in existence. Finally, I don't know how this software could detect a keylogger from HTML code alone. Back to the RAT assumption...
I wonder how it would detect banking trojans that hook into network APIs from the browser. The point of this hooking is to fool the system, to make it believe that the browser is working normally.
A good example of what you are referring to is here: http://www.pcworld.com/article/2449...to-networking-apis-to-steal-banking-data.html This malware does not modify any HTML code but does do browser .dll injection. So the browser code is modified. AMT authors state they are analyzing browser behavior and, if so, it should detect the .dll injection. The question is how, if nothing is installed on the client PC? Also any AV w/ behavior blocker or EMET should detect this. -EDIT- Note the comment in the posted link about the malware storing its encrypted data in the registry. Another reason to use a HIPS and define registry protection rules.
This is exactly what I meant. Zemana, SpyShelter, HMPA and Trusteer all try to protect against this kinda stuff.
As dangerous as this Trojan is, it is spread only one way, which is as "old as the hills": "We currently know of only one method of distribution for the Emotet banking Trojan: distribution of spam mailings that include malicious attachments or links." Ref: https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/. So doing basic e-mail security procedures is all that is needed to prevent getting infected: don't open attachments without scanning them; don't click on spam e-mail links; better yet, delete all spam e-mail w/o viewing. If using an e-mail client, receive all e-mail in plain text format. I do.