Level 1: https://www.mrg-effitas.com/wp-content/uploads/2017/02/MRG-Effitas-Online-Banking-Certification-Q4-2016-Level-1_wm.pdf Level 2: https://www.mrg-effitas.com/wp-content/uploads/2017/02/MRG-Effitas-Online-Banking-Certification-Q4-2016-Level-2_wm.pdf
I wonder why HMPA failed the simulator test. I also wonder if there are any banking trojans out there that are using the "Event Tracing CLI" method. If not, then I don't see the point of it. And Win Defender hasn't got any behavior blocking component, so no wonder it failed.
https://www.cyberpointllc.com/posts/cp-logging-keystrokes-with-event-tracing-for-windows-etw.html Of note:
MRG explains their use of malware simulators in the test's methodology. And again, it's something I don't agree with since the simulated malware cannot be peer examined for correctness or applicability. As such, it needs to be excluded from any effectiveness ranking or certification for security software. Additional "synthetic" malware has been and is currently used for penetration testing of perimeter network defenses and the like where it is applicable and needs to remain.
We are using the InfoLeakPOC, and NOT the KeyloggerPOC, in our tests. InfoLeakPOC is similar to malware-in-the-browser, where malware can see (and manipulate) data before TLS encryption when sending and after TLS decryption when receiving data. https://github.com/CyberPoint/Ruxcon2016ETW/tree/master/InfoLeakPOC Regarding the use of simulators: All of our partners who implement a Safe Browser in their product are more than happy to be tested with simulators. It happened multiple times in the past that we tested them with simulators, they failed, and they fixed their product. And months later, the technique used in our simulator was implemented in in-the-wild malware. And because of the use of our simulators, all end-users who used the safe browsers were then protected via generic protections. We believe this is more important than anything ...
I don't get it, was it related to Event Tracing CLI or not? I agree, those simulators are quite cool.
I guess I can't visualize it. Can it also be used to inject code into the browser? Perhaps you can give some more info, because it's very vague.
At a very high level, Event Tracing works like a debugger, which can hook code before it is encrypted in SSL/TLS. It is basically an OS function created to help developers with tracing/debugging. More info can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363668(v=vs.85).aspx
OK, I see. So it's basically another way to hook, for example, the browser. That's why I believe it remains crucial for HIPS to monitor API hooking. Normally speaking, most banking trojans will always try to hook only a couple of APIs to hijack connections and websites.
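One practical check that follows from the thread: an ETW consumer does not patch code inside the browser, it registers a trace session and subscribes to a provider, so the place to look for something like the InfoLeakPOC on a machine is the list of live trace sessions and the providers each one consumes. The PowerShell below is an added example, not code from the thread, from MRG Effitas or from the CyberPoint repository. It assumes an elevated prompt (logman only shows all real-time sessions to administrators), assumes the output layout of `logman query -ets` and `logman query "<session>" -ets` shown in the comments, and the three provider names in the watch list are my assumption about which Windows providers carry browser HTTP data before TLS; confirm them against the PoC's source in the linked repository before relying on the list.

```powershell
# Added example: list live ETW trace sessions and flag any that subscribe to
# providers assumed to expose browser HTTP data before TLS encryption.
# Assumptions: run elevated; logman output format as parsed below; the watch
# list is an assumption to verify, not taken from the thread or the PoC.
$WatchProviders = @(
    'Microsoft-Windows-WinINet',
    'Microsoft-Windows-WinHTTP',
    'Microsoft-Windows-WebIO'
)

function Get-LiveEtwSessionName {
    # 'logman query -ets' prints a table (Data Collector Set / Type / Status)
    # under a dashed rule, terminated by a blank line. Keep the first column.
    $inTable = $false
    foreach ($line in (logman query -ets 2>$null)) {
        if ($line -match '^-{10,}') { $inTable = $true; continue }
        if (-not $inTable) { continue }
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^The command') { break }
        ($line -split '\s{2,}')[0].Trim()
    }
}

function Get-SessionProvider([string]$SessionName) {
    # 'logman query "<session>" -ets' lists each provider either as a
    # "Name:" line followed by a "Provider Guid: {...}" line, or (older
    # builds) as "<Name>  {<GUID>}" on one line. Both shapes are handled.
    $guidPattern = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    $lastName = $null
    foreach ($line in (logman query "$SessionName" -ets 2>$null)) {
        if ($line -match '^Name:\s+(?<n>.+)$') {
            $lastName = $Matches.n.Trim()
        }
        elseif ($line -match "^Provider Guid:\s+\{(?<guid>$guidPattern)\}") {
            [pscustomobject]@{ Session = $SessionName; Provider = $lastName; Guid = $Matches.guid }
        }
        elseif ($line -match "^(?<n>[^:{]+?)\s+\{(?<guid>$guidPattern)\}") {
            [pscustomobject]@{ Session = $SessionName; Provider = $Matches.n.Trim(); Guid = $Matches.guid }
        }
    }
}

# Cross every live session's provider list against the watch list.
$findings = foreach ($session in Get-LiveEtwSessionName) {
    Get-SessionProvider $session | Where-Object { $WatchProviders -contains $_.Provider }
}

if ($findings) {
    Write-Warning 'Live ETW sessions consuming browser HTTP providers (verify each is expected):'
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No live ETW session subscribes to $($WatchProviders -join ', ')."
}
```

A hit is not a verdict: diagnostic tooling, EDR agents and Windows' own autologgers legitimately consume these providers, so the session name and the process that owns it decide whether it is expected. The point of the check is that a hook-monitoring HIPS will not see an ETW subscription at all, so this inventory is the complementary view a defender needs.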