On-Line Banking Security - No Software Installation Required

Discussion in 'other anti-malware software' started by itman, May 16, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Came across this recently. Currently being rolled out in the U.K. Appears to be a big threat to Trusteer Rapport's commercial bank customer base. Software only installed on bank's web servers:

    https://www.mindedsecurity.com/index.php/products/amt-banking-malware-detector

    Not a lot of details on how the software works. Appears to do some type of predictive analysis on the browser HTML code generated to determine whether the browser has been compromised. While all this might be good for the banks, it might be bad news for customers. It will give banks reason to restrict or terminate online access to customers deemed "malicious." Might be the future of online financial processing, though.

    https://www.malware-detector.com/index.php/keyfeatures/

    They also had an article in their blog section that may be of interest to anyone using a cloud browser:

    http://blog.mindedsecurity.com/2015/04/beyond-superfish-journey-on-ssl-mitm-in.html
     
    Last edited: May 16, 2015
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Interesting, but personally I prefer to have security tools installed on my own PC; I'm not into agent-less security tools. But for banks it might be interesting. After all, we all know how many people complained about the first versions of Trusteer Rapport; they were causing all kinds of problems.
     
  3. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Sounds bad. To me, it's not like the banks have a record of admitting when they get it wrong, e.g. chip and PIN theft is blamed on the customer despite it having been proven by other bodies that it can happen without the customer's knowledge.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The language that "got me" was "it analyzes the behavior of the HTML page in the user’s browser and can easily detect new kinds of attacks or new malware variants that are running on customer machines."

    So how is that possible? Sure sounds to me like RAT behavior. To run a remote access Trojan/tool, you need a backdoor. Hopefully, they are speaking in the abstract and are running the HTML code in a simulator on the bank's web servers. However, it would have to be a "generic" version of each browser in existence.

    Finally, I don't know how this software could detect a keylogger from HTML code alone. Back to the RAT assumption...
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I wonder how it would detect banking trojans that hook into network APIs from the browser. The point of this hooking is to fool the system, to make it believe that the browser is working normally.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    A good example of what you are referring to is here: http://www.pcworld.com/article/2449...to-networking-apis-to-steal-banking-data.html

    This malware does not modify any HTML code but does do browser .dll injection, so the browser code is modified. AMT's authors state they are analyzing browser behavior, and if so, it should detect the .dll injection. The question is how, if nothing is installed on the client PC? Also, any AV w/ behavior blocker or EMET should detect this.

    -EDIT- Note the comment in the posted link about the malware storing its encrypted data in the registry. Another reason to use a HIPS and define registry protection rules.
     
    Last edited: May 19, 2015
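The question raised in posts 4 and 5, namely how code that lives only on the bank's web server can notice anything about the customer's browser, has a mundane answer for one class of attack: the bank's page can carry JavaScript that inspects the page it is running in and reports back. The block below is an added example written for this thread; it is not AMT's code and nothing on the vendor pages linked above says how their product actually works. The host names (bank.example, cdn.evil-example.net), field names, sample pages and the "hooked" function are all constructed for the demo. It shows three checks such a script could make: form fields that the server never served (the classic web-inject that adds card number and ATM PIN boxes), external scripts loaded from hosts the bank does not use, and JavaScript-level hooks on functions that should be browser-native.

```javascript
// Added example, not code from AMT or Minded Security: a sketch of the kind of
// in-page integrity check an "agentless" banking protection could deliver with
// the bank's own HTML. Hosts, field names and sample pages are constructed.

// What the bank's server knows it served (assumed baseline).
const EXPECTED_FIELDS = ['username', 'password', 'otp'];
const ALLOWED_SCRIPT_HOSTS = ['bank.example'];

// Constructed sample: the login page as the server sent it.
const SERVED_HTML = `
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="otp" type="text">
</form>
<script src="https://bank.example/static/app.js"></script>`;

// Constructed sample: the same page after a web-inject added card/PIN fields
// and pulled in a script from a host the bank does not use.
const TAMPERED_HTML = `
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="otp" type="text">
  <input name="card_number" type="text">
  <input name="atm_pin" type="password">
</form>
<script src="https://bank.example/static/app.js"></script>
<script src="https://cdn.evil-example.net/inj.js"></script>`;

// Pull input names out of an HTML snippet. A regex stands in for the DOM here;
// in a real browser the script would walk document.forms instead.
function inputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\sname\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Host of every external <script src>, resolved against the bank's origin.
function scriptHosts(html) {
  const hosts = [];
  const re = /<script\b[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    hosts.push(new URL(m[1], 'https://bank.example/').host);
  }
  return hosts;
}

// A browser-native function stringifies to "function name() { [native code] }";
// a JavaScript wrapper installed by a form grabber shows its own source instead.
// Caveat: bound functions also report "[native code]", and a hook that also
// replaces Function.prototype.toString can lie here.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

function hookedNatives(natives) {
  return Object.keys(natives).filter((name) => !isNativeFunction(natives[name]));
}

// Combine the three checks into the report the page would POST back to the bank.
function assessPage(html, natives, opts = {}) {
  const expected = new Set((opts.expectedFields || EXPECTED_FIELDS).map((s) => s.toLowerCase()));
  const allowed = new Set(opts.allowedHosts || ALLOWED_SCRIPT_HOSTS);
  const injectedFields = inputNames(html).filter((n) => !expected.has(n));
  const foreignScripts = scriptHosts(html).filter((h) => !allowed.has(h));
  const hooked = hookedNatives(natives);
  return {
    injectedFields,
    foreignScripts,
    hooked,
    suspicious: injectedFields.length + foreignScripts.length + hooked.length > 0,
  };
}

// Simulated man-in-the-browser hook (constructed): wraps a native function the
// way a JS-level grabber wraps XMLHttpRequest.prototype.open to copy credentials.
const realPush = Array.prototype.push;
function hookedPush(...args) {
  // a real grabber would exfiltrate args here before passing them through
  return realPush.apply(this, args);
}

console.log('served page  :', assessPage(SERVED_HTML, { push: realPush }));
console.log('tampered page:', assessPage(TAMPERED_HTML, { push: hookedPush }));
```

Two caveats a practitioner would want. First, everything above runs inside the very browser the malware controls, so a man-in-the-browser can suppress or forge the report; it is a signal for the bank's back end to correlate with other behaviour, not proof either way. Second, the hook check only sees JavaScript-level wrappers. The sample in post 6 injects a DLL and hooks the network APIs below the browser's JavaScript engine, so the DOM and every native function look pristine from inside the page; catching that needs something on the endpoint (behaviour blocker, EMET, HIPS) or server-side analysis of what the browser actually sends, which is presumably what the vendor's "behaviour of the HTML page" wording refers to.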
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Last edited: May 22, 2015
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    As dangerous as this Trojan is, it is spread only one way, which is as "old as the hills": "We currently know of only one method of distribution for the Emotet banking Trojan: distribution of spam mailings that include malicious attachments or links." Ref: https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/ .

    So following basic e-mail security procedures is all that is needed to prevent getting infected: don't open attachments without scanning them; don't click on spam e-mail links; better yet, delete all spam e-mail w/o viewing. If using an e-mail client, receive all e-mail in plain text format. I do.
     