RE: Trusteer Rapport Security Circumvention

From: Amit Klein <amit.klein@trusteer.com>
To: bugtraq@securityfocus.com
Cc:
Subject: RE: Trusteer Rapport Security Circumvention
Date:


Hello BugTraq

Andrew Barkley of Computer Sciences Corporation contacted us with this
around the same time it was posted to BugTraq. Since then we've fixed
the issue and are now completing the QA cycle with the intention of
releasing this fix 12 hours after learning about the problem. 

Best,
-Amit
Amit Klein, CTO, Trusteer


> -----Original Message-----
> From: barkley@usa.net [mailto:barkley@usa.net] 
> Sent: Tuesday, February 16, 2010 12:58
> To: bugtraq@securityfocus.com
> Subject: Trusteer Rapport Security Circumvention
> 
> Hi,
> 
> 
> Trusteer is an innovative software to combat fraud, thus it's 
> global uptake in the financial sector. Trusteer also seems 
> quite adamant that their software is bullet-proof, their 
> website pretty much sums it up. However, on having a closer 
> look and some tinkering, I discovered a complete no brainer 
> vector for circumventing Trusteer's security. I've tested 
> this on various XP platforms successfuly, please feel free to 
> notify the vendor as you wish and/or to publish whatever you 
> feel appropriate under the circumstances.
> 
> 
> http://www.trusteer.com/solutions
> http://www.trusteer.com/product-0
> http://www.trusteer.com/product/technology
> Trusteer Rapport locks down your browser once you connect to 
> a sensitive website such as your bank. Any malicious software 
> that tries to ride on the browser is left out of the locked 
> down browser, and cannot access  your sensitive information 
> and transactions. Rapport also locks down communication 
> between your browser and the bank, preventing any 
> network-based attack from diverting traffic to fraudulent locations.
> 
> 
> The following illustrates how malware on entering a system by 
> whichever means, and on detecting Trusteer's services, can 
> easily (automated/scripted) disable Trusteer's security for 
> whatever malevolent purposes.
> 
> 
> Step-by-step illustration, how to easily circumvent 
> Trusteer's security.
> 
> Firstly, disable Trusteer's service (RapportMgmtService.exe) 
> in your active Hardware Profile. Trusteer doesn't protect 
> this option, thus this is a good starting point for now.
> i.e.
> [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY
_RAPPORTMGMTSERVICE\0000]
> "CSConfigFlags"=dword:00000001
> 
> NOTE: This in fact disables Trusteer's service 
> (RapportMgmtService.exe) in the Services.msc GUI i.e.
> Services.msc > "Rapport Management Service" > "Log On" > 
> "Hardware Profile" > "Disabled"
> 
> 
> On the very next reboot, at least one reboot is required to 
> disable the kernel driver (RapportPG.sys), Trusteer's service 
> (RapportMgmtService.exe) should now be inactive/disabled, and 
> thus you'll be able to rename Trusteer's now unprotected folders.
> i.e. Command Prompt
> C:\> cd \"Program Files"
> C:\> rename Trusteer TrusBeer
> 
> NOTE: At this point the web browser's not protected by 
> Trusteer, nor is Trusteer's software & system settings 
> protected, thus pretty much open to your imagination.
> 
> 
> The following step is not required, especially seeing as 
> Trusteer's service (RapportMgmtService.exe) was disabled 
> previously in the active Hardware Profile. However, should 
> you also wish to reconfigure Trusteer's now unprotected 
> drivers & services to start manually, or even disable/delete 
> completely, you may or may not have to reboot one more time, 
> as the following step may need another reboot to take 
> advantage of the previously now renamed unprotected folders 
> in the previous step.
> i.e. Command Prompt
> C:\> sc config RapportMgmtService start= demand C:\> sc 
> config RapportPG start= demand
> 
> 
> Should you wish to cover your tracks (you'll also have to 
> clear event logs), rename Trusteer's home folder back to the 
> original and restore the Hardware Profile registry entry.
> i.e.
> [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY
_RAPPORTMGMTSERVICE\0000]
> "CSConfigFlags"=dword:00000000
> 
> i.e. Command Prompt
> C:\> cd \"Program Files"
> C:\> rename TrusBeer Trusteer
> 
> 
> Cheers
> 
> Andrew Barkley
> (-_-)
> 





Copyright © 1995-2020 LinuxRocket.net. All rights reserved.