Trusteer Rapport

Discussion in 'other anti-malware software' started by PC__Gamer, Jun 17, 2011.

Thread Status:
Not open for further replies.
  1. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Yes, in Germany the banks pay the most for the card reader, so you get one for around 5-40 €.
    Most banks no longer use TAN numbers; they have more secure methods like card readers and so on. I can't understand why others don't use them.
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Because it's expensive to buy the card readers and customers find them an inconvenience. Those problems will disappear to a great extent if the approach adopted by Visa Codesure rolls out however. http://www.visaeurope.com/en/about_us/innovation/visa_codesure.aspx
     
  3. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Scoobs,

    Sounds like you know how Rapport is implemented. Can you explain? I am sure I can find a way to bypass it :) If my BHO is in the same process and privilege level as your protection, we both have the same privileges and hence whatever Rapport does, I can undo.

    Also, it's in the bank's best interest to get their customers to use online banking. Why? Because it saves the bank money. The fewer customers that come to the brick-and-mortar bank, the less they need to spend on bank facilities, tellers etc., all of which cost way more than online banking. So the money that they lose because of online theft is just the price of doing business, but when you compare that with what they save when customers bank online instead of coming into a branch, they come out ahead.

    Bottom line: they are doing everything they can to convince customers they are safe doing banking online. Offering them free McAfee, Kaspersky etc., free key scramblers etc. None of it really works, but it does make their customers feel safer, so they continue to bank online.

    There you have it.
     
    Last edited: Jun 18, 2011
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    BTW the latest version of SpyEye has an anti-Rapport option too. :eek: The cat and mouse game. :)

    It also shows that Rapport is really effective.
     


  5. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Yes, pure cat and mouse now. Rapport's success has resulted in SpyEye attempting to terminate it, but Trusteer have responded and claim to have blocked that particular termination. There have been at least two different methods of disabling Rapport that I've read about, but each time the malware authors implement a new method of termination, Trusteer respond and block it. The more successful Rapport (and any other similar software, e.g. Prevx SOL) becomes, the more they will be targeted.
     
  6. guest

    guest Guest

    Are you going to prove anything or continue with the bla bla?
    We are waiting for your video bypassing Trusteer Rapport.
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Cleaned a machine recently with a rootkit and keylogger in volsnap.sys. Credit card details had been stolen, and Rapport had no idea about the keylogger.

    Was going to format it anyway, but was curious. Uninstalled Rapport from safe mode, and removed all the autostarts of the other malware present (but left the files in situ), then rebooted into normal mode as MBAM works better there.

    Malwarebytes detected the log file generated by the keylogger, but not the keylogger/rootkit itself. Removed the rootkit with Combofix; I can't remember if Combofix needed to restart the PC or not. Afterwards, scans of the system folder from both Antivir and SAS portable strangely detected the leftover Rapportkell.sys as a trash.gen trojan. Neither program could remove it without a restart, which was interesting, as normally I'm able to manually delete it.

    Upon restart, as I half-expected, rapportkell.sys was no longer detected by either program! Confirmed with hashes, with virustotal.com, and with Avira support. Wish I'd done that before the restart!

    Afterwards I reformatted anyway, as it was an old XP machine from before the time of SATA hard drives and AGP and had never been reinstalled!
     
  8. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Here is your proof guest. Rapport has been bypassed.
     
  9. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380

    Actually what it shows me is that Rapport is no different from the protection in other AV products. It gets bypassed just like everything else. So what extra am I getting with Rapport? Just a false sense of security, I would guess.

    guest, look at the screenshot 6 posts above this one. More proof.
     
  10. guest

    guest Guest

    Anyway, you were talking without having any idea.


    The screenshot proves nothing: http://www.trusteer.com/blog/alleged-newmerged-spyeye-and-rapport

    If what he said is true then Zemana has the same problem, and probably SafeOnline too, since none of them control driver registration, so a kernel mode keylogger can be easily installed. This is why I use SpyShelter, because it monitors this kind of attack.
    http://technonxt.wordpress.com/2010/05/11/spyshelter-4/
     
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Your threshold for 'proof' is certainly a lot lower than mine. If you've used Rapport then you'd know that you specifically have to protect the websites you want protecting. Having credit card details stolen does not mean Rapport wasn't working, it simply means that the credit card details were entered into a website that wasn't configured for protection by Rapport. So, in short, that's no proof at all.
     
  12. guest

    guest Guest

    Well, it would be nice to have more detail to know how exactly RJK3's credit card was stolen. If he entered the info into the bank website and the data was stolen, it is a fail, because all banks work over https and Trusteer Rapport automatically puts the protection at max for all https websites.
     
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Trusteer never was very good against low-level kernel keyloggers (methods used by such as Elite Keylogger, Award keylogger, etc). Zemana protects against these attacks quite well, as does Spyshelter.
     
  14. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    When do you ever enter your credit card details into your bank's website? Trusteer is designed to prevent theft of online banking login credentials, not credit card information. It can be configured to protect other https websites, but does not do it by default... which is certainly a weakness of the solution. However, a claim that Rapport has been bypassed because it did not protect something it wasn't designed to protect is a bit silly to say the least.

    Capture of keystrokes into a specific https site secured by Rapport would be far more interesting.
     
  15. guest

    guest Guest

    In order to log in to many banks you enter the credit card number and a password, for example in my bank.
    I don't know exactly what he refers to with "credit card information".
     
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Is this a proven fact or just speculation? It would be interesting to see any evidence you have as this contradicts the published testing from RLR UK which shows Rapport protecting against Invisible Keylogger, which is itself a kernel keylogger.
     
  17. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    It wasn't my computer - I was cleaning someone else's ;)

    They'd used their computer for both online shopping and internet banking. It was only the credit card details compromised ostensibly. As I said in the PM, when I took a quick look through the Rapport logs it was just the usual activity reports and nothing about screen captures, keylogging, etc.

    It's true, as another pointed out, that Rapport isn't a general solution for online shopping, but I would have expected it to detect a keylogger operating on the system.
    http://consumers.trusteer.com/learn-about-rapport-0#chapter_3
     
  18. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Depends which websites they decided to protect with Rapport, doesn't it, as they mainly used Amazon and eBay for purchases. That doesn't answer why the Rapport logs didn't show anything amiss when bank sites were accessed, which is the basis for why I say 'Rapport had no idea about the keylogger'.

    It would seem to me that it'd be smarter for Rapport to detect and remove any rootkits/keyloggers present like Prevx would, rather than letting them remain and update themselves with the possibility of anti-Rapport features eventually working, but that's a side argument. If I come across such a situation again, I'll bring back some logs and samples.

    Certainly the machine is much faster now that I've set it up with prevention in mind, rather than the 'extreme conditions online banking' paradigm it had...
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623

    They also say...

    This basically says: if your bank's website, etc., is not here, then don't forget to add it yourself. :D

    They also say...

     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    'No idea about the keylogger' doesn't mean Rapport wasn't protecting the banking website (assuming it was indeed the specific banking website that was pre-configured to be protected by Rapport). Unfortunately there are too few facts to judge exactly what happened, however since the credit card details were compromised but not the online banking details, it seems reasonable to assume that Rapport did its job.
     
  22. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    No. Unlike Prevx, Rapport doesn't detect or remove rootkits, or alert the user about malware detected on the system. It'll only alert the user if specific symptoms are detected while on a protected website, such as attempts to log keystrokes or screen captures while a protected website has focus.

    On a system like the one described in post #32, having Rapport meant that ostensibly only the banking details were protected, but that the user was completely unaware of the rootkit/keylogger present on the system until after their credit card was used fraudulently.

    Had Prevx been present, the rootkit/keylogger itself would probably not have been detected ~ VirusTotal Results Link Removed per Policy ~. On the other hand, Prevx definitely would have detected the other malware on the system that I'd removed manually, and most importantly it would have alerted the user of this fact. Anyone with a touch of sense in that case would think twice before risking using their credit cards, so it's a fair assumption that the credit theft might not have occurred had Prevx been present instead of Rapport.

    Think of Rapport as "extreme conditions online banking", while Prevx SafeOnline is more of a "prevention & early detection" product with elements of Rapport-style protections added to the package.

    And I think it's reasonable to assume that in posting my experience of Rapport from a cleaning job, that I was answering the OP's actual question. Your last sentence reminds me of the classic line, "the operation was a success but the patient died".
     
    Last edited by a moderator: Jun 29, 2011
  23. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    That is an entirely false analogy. Rapport did its job. The fact that the job Rapport did was not really what was wanted at the end of the day is a different matter. IMO Rapport would be wise to adopt the 'any https website' approach that Prevx SOL has, or it will forever be accused of these sorts of 'failure'.
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree. It would make Rapport safer and more convenient to use, as protection for https would be automatic, instead of the user having to remember to manually add protection individually for each website.
     
  25. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    The fact that Rapport didn't do what was needed at the end of the day is exactly the point, and is exactly why the analogy is apt.

    The only thing that matters to the user is that his money was stolen and needed to be reclaimed, not how well 'Rapport did its job'. By the same token, a patient undergoing surgery cares more about his life and health than he does about the 'success of the surgery'.
     