October 15, 2008
Trusteer Adds Protection Against SilentBanker and Other Malware That Bypasses Two Factor Authentication and Transaction Signing
Trusteer, the customer protection company for online businesses, today announced that it has enhanced its Rapport product to prevent user-space malware patches from taking control of a web session after a user has logged-on to a secure web site using two factor authentication methods such as hardware tokens, smart cards, biometrics, or mobile text codes. These types of patching malware, which include the SilentBanker, torpig (sinowal) and wsnpoem Trojans, sit inside the browser and can change data, add requests on behalf of a web site, and collect information which it sends to attackers.
According to analysts, the latest version of SilentBanker is concerning because it defeats two-factor authentication where a user has a separate log-in device, like a token, smart card, etc., that is synchronized with the bank's server. SilentBanker makes the security of two-factor authentication useless by intercepting communications before they are encrypted and forwarding them to the attacker. According to Symantec, the latest version of SilentBanker targets over 400 banks, some of which use two-factor authentication.
To protect against user-space malware patches like SilentBanker, Rapport Function Patch Protection detects malicious patches, analyzes them, and removes them from the browser and other protected components. It uses an in-the-cloud service that analyzes function patches to determine whether a specific patch is malicious or not. This capability complements two factor authentication mechanisms like RSA, VASCO, and others. The ability of Rapport to maintain the security of a web session after a user has logged-on to a web site using two factor authentication is critical since the computer is granted privileged access to confidential data and permission to execute sensitive transactions.
"Providers of online financial services have made significant investments in strong authentication technologies to protect their users and themselves from Internet fraud, but user space patching is threatening to circumvent these mechanisms," said Mickey Boodaei, CEO of Trusteer. "Rapport Function Patch Protection detects and removes user-space patches to maintain the security of web sessions that assume a very high level of trust, especially applications that use two factor authentication."
How Patching Malware Works
Malicious patching is a technique that replaces legitimate code with malicious code in the user-space processes of a computer's memory. This approach enables the malware to completely control the operation of the patched process, and is commonly used to hijack web browsers. For example, user-space malware patches can read user credentials, change html pages, and tamper with transactions even when a two factor authentication mechanism like a hardware token, smart card, and mobile text code has been used to establish a secure web session.
Function Patch Protection is available immediately with the Rapport product. Existing installations of Rapport will be automatically upgraded with this new capability when the product performs its next unattended update.
Trusteer enables online businesses to establish a secure communication tunnel with their customers over the Internet that stretches from user's keyboard into the company's website. Trusteer's flagship product, Rapport, allows online banks, brokerages, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects users' confidential information even if their computer is infected with malware including Trojans and keyloggers, or is victimized by pharming, phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit www.trusteer.com.