By Andrew Brandt
A small-time Trojan has decided to butt heads with a big-time anti-phishing tool, and ended up with dirt on its face. The malware looks like a fairly generic clone of Trojan-Phisher-SABanks, with an extra feature that sounds like it might be a good selling point for cheap cybercrooks intent on stealing a few bank passwords for fun and profit. The trojan attempts to disable or delete parts of Trusteer’s Rapport anti-phishing software.
And fails, miserably.
One version of the Trojan drops, then executes, a batch file that attempts to delete the main application. Another drops a batch which targets a binary file named config.js, buried a few levels below Trusteer’s program folder — four different ways.
Banks use Trusteer as a way to prevent phishers from using falsified Web pages or Trojans from capturing their customers’ passwords when those customers log in.
Unfortunately for the cyberschnooks who wrote this claptrap, and luckily for the rest of us, they didn’t count on Trusteer protecting its components or files in any way. Fortunately, in each of our tests, Rapport handily defeated the meager, unsuccessful attempts by the spy (which we call Trojan-Phisher-Rancor) to delete the application or its configuration file.
Banks contract with Trusteer to use Rapport to handle the security of online banking logins, so you can’t just use the software with any bank Web site, but the list of banks using the service includes some of the banks targeted most frequently by phishers: HSBC, SunTrust, BBVA Compass, Royal Bank of Scotland, and Fifth Third Bank (among others).
While this appears to be an isolated (and, for now, totally inept) incident of an easily defeated phishing Trojan that attempts to disable this particular anti-phishing software, it isn’t a good idea to underestimate the enemy. Clearly this attempt was a failure, but the next one might not be.