Killing the enemy
Certain protection measures make it harder for banking Trojans to operate. One of them is
Trusteer Rapport, an application for securing “the communication between the keyboard and the website”. According to its website:
“Rapport secures browser communication from keyboard to website. It detects and prevents Man-in-the-Browser, Man-in-the-middle, phishing, and other attacks launched directly against the user.”
We have confirmed in lab tests that ZeuS cannot grab any data on a machine where this software is installed. Unfortunately, the ZeuS guys haven’t just been lazing around: in one of the latest samples of the Trojan, we have seen how ZeuS, right after infecting a computer, downloads and executes a second file whose purpose is to render this software useless.
This executable file ends the active processes and overwrites certain files with empty files. As a result, the program cannot be restarted.
The result is extremely interesting, as the program is disabled without the user receiving any message, though the icon of the program disappears.
After contacting the team in charge of Trusteer, we confirmed that they have implemented some measures to counter this attack. Although security measures need continuous updating, we are very pleased to see how quickly the Trusteer team can react and keep up with these attacks.
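The tampering described above (processes ended, files replaced by empty ones, no message to the user) can be caught by comparing a protected install against a known-good baseline. The following is an added example, not code from this post or from Trusteer; the file names, the process name and the list of running processes are constructed placeholders.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Record size and SHA-256 of each protected file while the install is known good."""
    base = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        base[p] = (len(data), hashlib.sha256(data).hexdigest())
    return base

def check(baseline, running, expected_procs):
    """Return (item, finding) pairs for anything that no longer matches the baseline."""
    findings = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) == 0 and size > 0:
            findings.append((path, "truncated to empty file"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((path, "content changed"))
    alive = {r.lower() for r in running}
    for name in expected_procs:
        if name.lower() not in alive:
            findings.append((name, "process not running"))
    return findings

def demo():
    """Constructed scenario: one placeholder file is emptied and the process is gone."""
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "agent_placeholder.exe")   # hypothetical file names
    dll = os.path.join(d, "agent_placeholder.dll")
    for p, body in ((exe, b"MZ constructed"), (dll, b"MZ constructed too")):
        with open(p, "wb") as f:
            f.write(body)
    baseline = snapshot([exe, dll])
    open(exe, "wb").close()   # simulate the file being replaced by an empty one
    return exe, check(baseline, running=["explorer.exe"],
                      expected_procs=["agent_placeholder.exe"])

if __name__ == "__main__":
    for item, finding in demo()[1]:
        print(f"{finding}: {item}")
```

In practice the baseline and the check should live outside the protected program, since a tool that only monitors itself is silenced by the same step that disables it.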