Detecting a zero day trojan

Discussion in 'other anti-malware software' started by emmjay, May 29, 2014.

Thread Status:
Not open for further replies.
  1. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    883
    Location:
    Triassic
    For online banking and other financial activities I have been using IE11, SBIE forced (this browser is not used for anything else). My bank strongly recommends Trusteer Rapport, but I have found that it does not play nice with SBIE. Now that IE is supposedly sandboxed, I thought I would try IE without SBIE, and install TR. It is now installed and it plays nice with IE.

    I came across this article while trying to determine if one approach was better than another. This IBM blog came up during my search. ...

    http://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U4IAL_mSxuI

    The new Zberp Trojan, a variant of the Zeus VM Trojan, enables cyber criminals to grab basic information about the infected computer, including the Computer name, IP and more. It can take screen shots and send them to the attacker. It steals data submitted in HTTP forms, user SSL certificates and even FTP and POP account credentials. The Zberp Trojan also includes optional features that enable Web injections, dynamic Web injections, MITB/MITM attacks and VNC/RDP connections.


    Does SBIE behave the same way as TR when encountering a trojan like Zberp? Would deleting the contents of the session be enough, or would this trojan do damage with SBIE? Could the attackers get the financial info from my banking session (w/ SBIE) if this trojan were to execute during a browser session?
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
Hi, I don't use SBIE, but from what I've read on here, deleting the contents of the session should be enough. Yes, the attackers could get financial info & anything else if a keylogger etc. were to execute during a browser session.

That's why an AntiExe & Anti-Keylogger HIPS etc. are very worthwhile additions, even with SBIE! Trusteer Rapport is quite good, but a bit heavy on my system when I tried it. Plus it uses undocumented phone-home tactics.
     
  3. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    214
You can do a search and probably find an answer to this. Such as http://forums.sandboxie.com/phpBB3/viewtopic.php?t=11737 This trojan doesn't sound too unique. Zemana AntiLogger and WSA Identity Shield are good solutions IMO and should be compatible with SBIE.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    First you have to be infected, and that is already extremely unlikely with a modern browser. I have never ever seen malware automatically "execute during a browser session". If it can exploit the browser or Windows enough to do that, who knows what it's capable of and if your security is enough. SBIE start/run restrictions may help, but no guarantees on such a sophisticated attack.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
If I'm correct, SBIE doesn't offer any specific anti-trojan protection. I would advise a specialized tool like SpyShelter or Zemana. Having said that, I was quite surprised to see that SBIE did quite well in the MRG Effitas Project 31 test (see link); I still wonder how it managed to pass 2 out of 3 tests. :)

    https://www.mrg-effitas.com/test-archive/
     
    Last edited: May 30, 2014
  6. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    883
    Location:
    Triassic
    Tnx for all the responses. I have come to the conclusion that if a zero-day trojan were to infect my computer, I would be better off with Trusteer Rapport than SBIE for doing financial transactions online. Re: deep in the linked article, TR detected and removed the zero-day trojan.

Rasheed187 is correct, SBIE does not do this. I suppose once the AVs and anti-malware products are aware of trojans such as Zberp, then SBIE would be good to go, otherwise not so.
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Wouldn't you be better off using SBIE to avoid getting infected by a trojan in the first place?
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    A few thoughts...

First: Trusteer Rapport gets mixed reviews. I've tried it on a couple of computers and it caused noticeable slowdowns in the browser. There are also serious questions about how secure it is. Go to YouTube and search on "Neil Kettle at 44CON", watch the video and make up your own mind. This video is over two years old now; however, as far as I know Trusteer refused to acknowledge the problem and (by implication) refused to say whether or not it was fixed in future versions.

Yes, the banks recommend TR and offer it for free, but that's no guarantee of anything. The main thing to find out is if your bank covers your accounts against online fraud. If you can show "due diligence", i.e. you have current AV and keep your computer clean, I doubt you would have a problem if your account was hacked, but if you're concerned you could find out what criteria your bank uses.

    Second: The best security measure you can implement IMHO is two factor authentication. My bank sends a text message with a code every time I log in, so even if hackers were able to steal my account credentials they wouldn't be able to log in to my account (unless they were able to steal my phone as well which is highly unlikely).

    Third: If you're going to use IE make sure you have the latest patches via Windows Update. Microsoft only recently fixed a serious exploit.

    http://time.com/85500/microsoft-fixes-internet-explorer-security-bug/

    Fourth: IE is sandboxed?
     
  9. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
Every time that someone mentions Rapport this loooong video shows up again. That was a bug that only affected users with Mac computers (not Windows) that had altered a security setting inside the Mac operating system, and it was acknowledged and fixed. It seems to be the only weapon against Rapport's reputation in the whole world, so that's not too bad for them, I guess.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    As you know there was a long discussion about TR in Wilders here:

    https://www.wilderssecurity.com/threads/trusteer-rapport.333451/

    It's been a while since I watched the video, but IIRC the flaw existed in Windows as well. I hardly think that the length of the video can be held against it. I'll reread the previous thread before I say more.

    Edit: After rereading that thread I feel that the issues around Rapport were discussed thoroughly and I won't repeat them. You and I did not agree in that thread and that's OK. To people who want to use it I would just say make sure you look at the compatibility list and don't rely on it exclusively.
     
    Last edited: Jun 1, 2014
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Hi Emmjay, some of your questions about Sandboxie and keyloggers ought to be answered by reading this link. I think the last line in the link is very important. If you use a restricted sandbox where only Firefox can connect to the internet and only a few programs are allowed to run, to avoid getting your browser hijacked and used to send out information, using only well known addons is what you need to do.
    http://www.sandboxie.com/index.php?DetectingKeyLoggers#defend

    Bo
     
  12. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    883
    Location:
    Triassic
    Tnx everyone for the additional comments - always appreciated. I checked out the video (tnx, it was worth watching) and Bo's link.

    Bo, I actually do not have any questions about keylogging even though hooking is used by the trojan I referenced. Financial information is also stolen through its ability to take screenshots and send them to the attacker. I assume these screenshots are of my login credentials and then my account information. Being zero-day it has the advantage of not being detected by AVs, A-MWares etc. for a short period of time ... so, if I was unlucky enough to get infected before the protectors got wind of the trojan, does it not stand to reason that the SBIE FF dedicated browser would be a copy of an already infected system? The trojan will have been incorporated and ready for a browser session.

Also, you spoke to FF only. I have a great deal of confidence in SBIE. In fact I have 3 separate sandboxes set up (USB drives, media player and default) on FF, forced. Contents set to auto-delete. I wanted to dedicate a browser to online financial activity and that is the only reason I chose IE. I have no affection for it, but it was sitting there doing nothing and I have read that it has improved a lot (exception noted, Victek).
     
    Last edited: Jun 1, 2014
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
If you're worried about banking trojans, I would advise not to use IE, since it's one of the most targeted browsers. And I've also read bad stuff about Rapport; has it been improved, no slowdowns? :)
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    I would agree that IE has improved significantly and dedicating a browser for online financial activity is a good idea too. You may want to check IE's Advanced Settings in Internet Options - I believe there's a setting for "Enable Enhanced Protected Mode" which is not checked by default (a reboot is required to actually turn it on after checking the box). Regarding sandboxes I believe the general idea is that they protect the OS from the browser and not the other way around but I don't use one and can't speak from experience.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
If your system is infected, Sandboxie cannot protect your login credentials or account information. If taking screenshots is what the malware does, it's gonna do it. Sandboxie protects you if the system is clean before using Sandboxie. To make sure my system is clean, I never stop using Sandboxie. Example: I download files in a sandboxed browser and run them in the sandbox until the day I delete them.

    Bo
     
  16. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    883
    Location:
    Triassic
    Enhanced Protection Mode is grayed out on my system (X86). I think MS withdrew it from W7/32 (o_O). It is only 64bit I believe.

I am now having doubts about using IE (you guys spooked me)! Back to FF to set up a dedicated tight sandbox for all my financial stuff. I trust Bo's advice.
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    I might be wrong, but it may be possible to enable Enhanced Protection Mode by starting IE with the "run as administrator" command and going into Internet Options from the elevated browser.

    Edit: My wife's computer runs Windows 7 32bit and in Internet Explorer 11 Advanced Options I see:

    "Enable memory protection to help mitigate online attacks"

    The feature requires elevation to enable/disable.
     
    Last edited: Jun 2, 2014
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
It does not matter if you work inside or outside Sandboxie if you were hit by a trojan.
    Hit outside means the trojan grabs anything, including actions inside Sandboxie, and persists.
    Hit inside means the trojan grabs anything, including actions inside Sandboxie; deleting the box deletes the trojan.

    But in any case your data and passwords are compromised.

    If your sandbox is set up well it may defeat the trojan's work in part, but not entirely.
    Additional software may stop it completely.

    If not, an aluminium helmet may help ^^
     
  19. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    883
    Location:
    Triassic
    Tnx Victek. I did not know that.
     