Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Big Spending Drives Developemt Of SpyEye

Trusteer : 08 February, 2011  (Technical Article)
How targeted attacks on Trusteer are helping the company provide unique protection to banking and corporate clients agains the Zeus and SpyEye malware
Mickey Boodaei, Trusteer CEO comments on SpyEye.



I'm starting to think that the SpyEye author has hired a Chief Marketing Officer. Given the amount of money some of these malware authors are making, they can certainly afford real talent. The perfect buildup for the forthcoming version of SpyEye/Zeus has made it clear to me once more why these guys rule the malware world – they have a rare combination of excellent technical skills and perfect marketing execution. Using social marketing tactics that only companies like Google and Apple have been able to successfully utilize so far, they leaked a secret beta version to the media; the main features are visually highlighted so that every screen shot tells the story of why this is the next generation, game changing, most innovative piece of malware we've ever seen. Massive media coverage and non-stop chatter among security professionals is everything that a Chief Marketing Officer can dream of before launching a new version.



We're still debating whether we should thank SpyEye's Chief Marketing Officer for including Trusteer as one of its main features for the upcoming version. Ever since the story broke out, we've been seeing tremendous interest from potential customers, the press and analysts, all curious to learn more about our services and what we're doing to address this threat. On the other hand, it forces us to publicly explain what we're doing to address targeted attacks. We've been keeping information about the secret war Trusteer is fighting to protect people from SpyEye Zeus away from fraudsters (and competitors) by limiting it to our business customers. Due to the rumours which might discourage people from using Trusteer Rapport - the only free browser security service that is effective against SpyEye/Zeus - it is now time to set the record straight on why over 70 banks are using Trusteer Rapport to protect their customers.



Zeus has been launching direct attacks against Trusteer for the last couple of years now. There are several different attacks against Rapport incorporated into different versions of Zeus, all of which focus on disabling the software on customer computers. All are successfully blocked by Trusteer. We're probably the most attacked brand in the security industry today and we've gained a lot of experience from it. We employ a counter-intelligence group that is completely focused on detecting and reacting to any new targeted attacks and is constantly designing new features that allow us to detect and block such attacks in a timely manner. The logic behind our self-protection mechanism is complex and is specifically designed to keep customers protected while keeping fraudsters confused and inconclusive about how we operate.



The attack used by SpyEye against Rapport has been known to us for some time before it broke out publicly. It arrived through our intelligence channels and was addressed immediately by our behavioral engine. This engine tracks the behavior of different unknown software components inside the computer. Whenever such a component applies logic that matches one of these rules, it is blocked and terminated.



The problem with behavioral approaches has always been the fear from false positives. What if a legitimate piece of software applies the same logic and gets terminated as well? If you look at the core functionality of SpyEye from a behavioral perspective, the logic it applies is not that unique - injecting into the browser and communicating with servers on the internet are all tactics used by many browser add-ons and most security products. You can hardly apply behavioral rules on programs that do that. However, when the program becomes hostile against another program and tries to terminate its threads, remove its files etc there are two options - either it is security software with a false positive or malware applying a targeted attack. Security software can be whitelisted. They are all signed, public and can be tested and approved. Therefore, anything else which uses this hostile logic must be malware and can be easily identified, blocked and completely removed. By applying this anti-Trusteer logic, SpyEye has to come out of its hiding place and start shooting and by that it allows definitive detection of its existence and components and allows Trusteer to strike back heavily and get rid of the infection altogether.



This anti-Trusteer feature is a great opportunity to easily detect the existence of SpyEye on customer computers and get rid of it. It seems to me that in their passion to differentiate service from other malware tools, the authors of SpyEye ignored a simple rule - for malware it's always better to keep a low profile.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo