Rapport prevents user-space malware patches from taking control of a web session
(16/10/2008)
Malicious patching is a technique that replaces legitimate code with malicious code in the memory of a computer's user-space processes. This approach enables the malware to completely control the operation of the patched process, and is commonly used to hijack web browsers.
For example, user-space malware patches can read user credentials, change HTML pages, and tamper with transactions even when a two-factor authentication mechanism such as a hardware token, smart card, or mobile text code has been used to establish a secure web session.
Trusteer has announced that it has enhanced its Rapport product to prevent user-space malware patches from taking control of a web session after a user has logged on to a secure web site using two-factor authentication methods such as hardware tokens, smart cards, biometrics, or mobile text codes. These types of patching malware, which include the SilentBanker, Torpig (Sinowal) and wsnpoem Trojans, sit inside the browser and can change data, add requests on behalf of a web site, and collect information which they send to attackers.
According to analysts, the latest version of SilentBanker is concerning because it defeats two-factor authentication where a user has a separate log-in device, like a token, smart card, etc., that is synchronized with the bank's server. SilentBanker makes the security of two-factor authentication useless by intercepting communications before they are encrypted and forwarding them to the attacker. According to Symantec, the latest version of SilentBanker targets over 400 banks, some of which use two-factor authentication.
To protect against user-space malware patches like SilentBanker, Rapport Function Patch Protection detects malicious patches, analyzes them, and removes them from the browser and other protected components. It uses an in-the-cloud service that analyzes function patches to determine whether a specific patch is malicious or not. This capability complements two-factor authentication mechanisms like RSA, VASCO, and others. The ability of Rapport to maintain the security of a web session after a user has logged on to a web site using two-factor authentication is critical, since the computer is granted privileged access to confidential data and permission to execute sensitive transactions.
"Providers of online financial services have made significant investments in strong authentication technologies to protect their users and themselves from Internet fraud, but user-space patching is threatening to circumvent these mechanisms," said Mickey Boodaei, CEO of Trusteer. "Rapport Function Patch Protection detects and removes user-space patches to maintain the security of web sessions that assume a very high level of trust, especially applications that use two-factor authentication."
Function Patch Protection is available immediately with the Rapport product. Existing installations of Rapport will be automatically upgraded with this new capability when the product performs its next unattended update.


