View Full Version : Trusteer rapport


Shub-nigurrath
October 9th, 2013, 07:32
Hi all,
has anyone had a look under the hood of Trusteer Rapport (http://www.trusteer.com/products/trusteer-rapport)?

It seems like a very powerful navigation protector, one that hooks the browser in a smart way to intercept MITB attacks.

I have also seen that there is some early malware that fights its presence: http://www.adlice.com/carberp-anti_rapport-beating-trusteer-protection/

So the question is if anyone did some deeper evaluation.

Thanks!

BR,
Shub

R33N
October 14th, 2013, 23:02
Are you more interested in how Trusteer detects this or in how malware is trying to get around it? If the detection is in question, I am sure there would be some secret sauce they don't want to tell you about, but from my experience most products are only as good as the researchers behind them.

Malware still looks to block Trusteer though. There is even a reference to Shylock performing a detection for the agent on the machine in this article, http://quequero.org/2013/10/caphaw-shylock-in-depth-analysis-part-1/, which is one of the recent deliveries. By the way, I wanted to point out that I did a super Google search to find the link above.

Google "webinjects" "trusteer".

Shub-nigurrath
October 16th, 2013, 02:50
Doh, I know of the existence of a site called Google which has a lot of interesting possibilities, not exactly being a newbie..
Mine was a first-hand experience/tool/.. request indeed. So, thanks for your information.

R33N
October 16th, 2013, 19:42
No problem.

I did not want to be really extensive, as I could only assume your knowledge on the subject might already be extensive and that is why you are asking a targeted question like that.

Some assumptions I made based on your first question:

You are looking to do it for application testing and are performing extensive application reversing of Trusteer, similar to the reversing of Kaspersky in the past for vulnerability analysis and exploitation; then obviously you shouldn't admit it, and awesome.

You are looking to identify malware samples that try to evade Trusteer and how they accomplish this task.

So, some ideas off the top of my head. Most banker specimens work to filter Trusteer through the static webinjection techniques while they are filtering your browser communications. Some common ones I have seen out there performing this are Zeus, Citadel, Cridex, Ursnif.

If you are looking for your own malware test bed, just grab a Zeus variant control panel and builder and create your own injects for the purpose of bypassing Trusteer products. You can get ideas from other webinjects and configs out on Pastebin or other places which you probably trawl through already.

This would not even be suggesting malware that is using a filter driver or at ring 0 and filtering communications at this level.

Both ideas would be fun little research projects from a malware perspective, and I am sure that malware authors in the past have worked through this process many times to accomplish the goal of evading Trusteer, like many other anti-malware solutions.

To enumerate some banker trojan delivery chains off the top of my head:

Redkit Exploit Kit -----> Citadel (Before Takedown)
Kulouz Downloader -----> Citadel (After Takedown)
Blackhole Exploit Kit (/controlling/) -----> Zeus P2P (Might be changing if Paunch is really arrested. Seen them pushing email deliveries within recent months more commonly)
Neutrino Exploit Kit -----> Ursnif
Blackhole (/ngen/) -----> Caphaw
Zeus/Spyeye Tracker could also be used

If you want to trade ideas, samples, etc. for anything like this, let me know, as I always enjoy little side projects like this from an offensive/defensive perspective. I am always looking to learn.