44Con and Trusteer Rapport

44con Logo

In the recent 44con security conference held at The Grange Hotel in London UK, Neil Kettle of Digit Security Ltd gave a presentation detailing the design of just one of the protections that Trusteer claim their product, namely Trusteer Rapport is capable of providing users.

Keep Calm!The information disclosed detailed both the design and implementation of the anti-keylogger protections that Trusteer claim are an integral part of Trusteer Rapport and in doing so revealed the ease with which said protections can be both ‘switched-off’ and ‘by-passed’ by using functionality provided by Trusteer Rapport itself. As a corollary, it is quite clear that the information disclosed represents a flaw in the design of the protection itself and is not merely a ‘software issue’ or ‘bug’. The flaw affects both the Apple Mac OSX and Microsoft Windows versions of Trusteer Rapport, presumably for all versions up to and including Emerald Release 3.6.1105.54 (OS X).

Trusteer Rapport anti-keylogger subversion on OSXThis research is to our knowledge, the first attempt made to discover the internal mechanisms utilised by Trusteer Rapport to “protect[...] web communication between enterprises, such as banks, and their customers and employees.” [1] Previous attempts at testing Trusteer Rapport have only sought to prove the efficacy of Rapport against known and existing malware that Trusteer presumably have specifically designed Rapport to protect users against [2]. We believe therefore that this research constitutes the first potential disinterested review of the internal mechanisms of just one aspect of the protection that Trusteer claim Rapport provides users. Suffice to say, given the results obtained thus far, it will be interesting to see what else can be “turned-up” or is still waiting to be found inside Trusteer Rapport or indeed how Trusteer will attempt to mitigate the design flaws identified by Digit Security. In the absence of a detailed design document, which only Trusteer themselves can possibly possess, the prospect of reverse engineering Trusteer Rapport may be the only effective avenue available to people for whom marketing claims are simply not enough to convince them that a solution or offering is secure or even fit for purpose.

Finally, whilst the flaws provide a means to effectively by-pass the anti-keylogger protections of Trusteer Rapport, it is important to understand that no current malware is known to utilise said flaws and as such uninstalling Trusteer Rapport on your system is not a solution nor is it advisable. Until such a time as malware developers take into account the presence of Trusteer Rapport, Rapport is still effective against existing malware. However, one thing is clear, the more prevalent Trusteer Rapport becomes, the more likely a target it will be for financial malware developers.

[1] – Trusteer
[2] – RLR-UK “Testing Rapport 912.25 against specified Keyloggers & Screen Capture [malware]“

On September 7, 2011, posted in: News, Research by Neil Kettle | 1 Comment »

One Response to “44Con and Trusteer Rapport”

  1. Digit Security » Blog Archive » Trusteer ‘respond’ to Rapport Issues Says:

    [...] of providing users. The information disclosed detailed both the design and implementation of [...] read more  July 23, 2011 The first vulnerability advisory, albeit covering many vulnerabilities in and of [...]