
Trusteer Rapport

Posted: Fri Mar 09, 2012 4:06 pm
by Captain Ned
Does anyone here know about this thing, or has done any forensics on it?

Trusteer Rapport is a bit of software pushed out by banks to secure their on-line banking platforms. It claims to totally prevent trojan and man-in-the-middle attacks as well as claiming that it buries itself so far in the OS kernel that it can outwit keyloggers. My cursory 'Net research turns up the usual crowd of complainers, but in this case with some justification. It does not appear in Add/Remove Programs, it sets the Temporary Internet Files folder/contents to "hidden" and "read-only", and it appears to amass a pile of data in Docs & Settings\%User%\Application Data. From a regulatory perspective these behaviors worry me, and one of my institutions is using this software.

Thanks in advance.

Re: Trusteer Rapport

Posted: Fri Mar 09, 2012 4:20 pm
by Pagey
Ned, Brian Krebs has a bit of analysis here: http://krebsonsecurity.com/2010/04/a-cl ... -trusteer/

I've read about it some, but I have not seen it used at either of the FIs I've worked for...yet.

Re: Trusteer Rapport

Posted: Fri Mar 09, 2012 6:10 pm
by Ryu Connor
Can't comment on the effectiveness of the software (haven't used it). It might be very effective and for some organizations worth the cost (albeit the cited article says Zeus already knows how to work around it).

Security is a tradeoff against usability. Each of us has our own acceptable threshold for that, and getting burned generally causes the tolerance to discomfort to increase immensely.

That being said, I start to draw the line at security programs that are excited about the fact they are essentially rootkits. Again - it might work great - but you now have an extra variable in terms of support when evaluating the ability of that branch to migrate to updated or new software. To be more succinct, who knows how much software compatibility that tool will break. This reads ripe for nasty interactions with OS patches and service packs especially. Change management is a hard job, and this doesn't read like software that's gonna do you any favors.

Re: Trusteer Rapport

Posted: Fri Mar 09, 2012 6:40 pm
by Captain Ned
Ryu Connor wrote:
That being said, I start to draw the line at security programs that are excited about the fact they are essentially rootkits. Again - it might work great - but you now have an extra variable in terms of support when evaluating the ability of that branch to migrate to updated or new software. To be more succinct, who knows how much software compatibility that tool will break. This reads ripe for nasty interactions with OS patches and service packs especially. Change management is a hard job, and this doesn't read like software that's gonna do you any favors.

And that's my issue. I just learned of this thing a couple of days ago and don't know if the bank in question requires accepting this thing in order to maintain an online banking relationship. If the program is a requirement, I've got a massive number of regulatory questions as the rootkit nature of this thing implies massive reputation risk issues on the part of the bank, especially given how the vendor advertises that they burrow deep into the kernel.

One thing's for sure, this thing is sneaky. I was first made aware of it earlier this week when my boss asked me about it based on something funky he'd seen on his office PC's screen. A check of Task Manager showed 2 separate unkillable processes. This is on a fully-managed work PC with full Active Directory controls over program installation and a hardcore enterprise-level Sophos installation that won't let me run CCleaner, but never burped once about this thing.

No sir, I don't like it.

[/rubs chin with hoof]

Re: Trusteer Rapport

Posted: Fri Mar 09, 2012 6:56 pm
by UberGerbil
Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.

Re: Trusteer Rapport

Posted: Fri Mar 09, 2012 7:23 pm
by derFunkenstein
UberGerbil wrote:
Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.

That's what I was thinking as well. If my financial institution required it, I'd be required to change financial institutions. And I say that as someone who very much loves his credit union.

Re: Trusteer Rapport

Posted: Fri Mar 09, 2012 7:32 pm
by bthylafh
I'm waiting for the day when banks distribute a secure virtual machine based on Linux or OpenBSD, containing only enough to run a web browser and a software updater, and require that for online banking.

Re: Trusteer Rapport

Posted: Fri Mar 09, 2012 7:41 pm
by Captain Ned
UberGerbil wrote:
Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.

I don't know that at the moment, but can guarantee that it's moved to the top of my to-do list.

As for e-banking security, the best way is to deliver confirmations through an alternate channel, i.e. text-capable cellphone. You enter a transaction and the e-banking platform immediately sends a confirmation request with a single-use code to the text-enabled (or better) cellphone you listed when you signed up for e-banking. Enter the one-time code and the transaction is completed.
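The out-of-band confirmation flow described in the post above, written out as an added PowerShell example that is not part of the thread or of any bank's platform. The SMS channel is simulated by returning the message text; the transaction ID, payee names and amounts are constructed sample data. The point the paragraph leaves implicit is shown in code: the one-time code is bound to the payee and amount, expires, survives only a few guesses, and is consumed on first successful use, so a man-in-the-browser that swaps the recipient after the code was sent still fails.

```powershell
# Added example: transaction-bound one-time confirmation codes.
# PendingConfirmations stands in for the bank's server-side store.
$script:PendingConfirmations = @{}   # transactionId -> pending record

function Get-Sha256Hex {
    param([string] $Text)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-FixedTimeEqual {
    # Compare two equal-length hex strings without an early exit on mismatch.
    param([string] $A, [string] $B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ([int]$A[$i] -bxor [int]$B[$i]) }
    return ($diff -eq 0)
}

function New-TransactionConfirmation {
    param(
        [Parameter(Mandatory)] [string]  $TransactionId,
        [Parameter(Mandatory)] [string]  $Payee,
        [Parameter(Mandatory)] [decimal] $Amount,
        [int] $TtlSeconds = 300
    )
    # Six-digit code from the OS CSPRNG; rejection sampling avoids modulo bias
    # (4294000000 is the largest multiple of 1e6 below 2^32).
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    do {
        $rng.GetBytes($buf)
        $n = [System.BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge 4294000000)
    $code = '{0:D6}' -f ($n % 1000000)

    # Bind the code to what the user is approving. Only a hash of the code is
    # stored, so a leaked store does not yield usable codes.
    $script:PendingConfirmations[$TransactionId] = [pscustomobject]@{
        CodeHash = Get-Sha256Hex "$TransactionId|$Payee|$Amount|$code"
        Expires  = (Get-Date).AddSeconds($TtlSeconds)
        Attempts = 0
    }
    # Simulated SMS: repeat payee and amount so the user can spot tampering.
    return "Confirm payment of $Amount to ${Payee}: code $code"
}

function Confirm-Transaction {
    param(
        [Parameter(Mandatory)] [string]  $TransactionId,
        [Parameter(Mandatory)] [string]  $Payee,
        [Parameter(Mandatory)] [decimal] $Amount,
        [Parameter(Mandatory)] [string]  $Code
    )
    $rec = $script:PendingConfirmations[$TransactionId]
    if (-not $rec) { return 'rejected: no pending confirmation' }
    if ((Get-Date) -gt $rec.Expires) {
        $script:PendingConfirmations.Remove($TransactionId); return 'rejected: expired'
    }
    $rec.Attempts++
    if ($rec.Attempts -gt 3) {
        $script:PendingConfirmations.Remove($TransactionId); return 'rejected: too many attempts'
    }
    # The payee and amount the server is about to execute go into the hash, so a
    # changed recipient fails exactly like a wrong code.
    $actual = Get-Sha256Hex "$TransactionId|$Payee|$Amount|$Code"
    if (-not (Test-FixedTimeEqual $rec.CodeHash $actual)) { return 'rejected: bad code or altered transaction' }
    # Single use: the record is consumed on success.
    $script:PendingConfirmations.Remove($TransactionId)
    return 'completed'
}

# Constructed walk-through (sample IDs, payees and amounts).
$sms  = New-TransactionConfirmation -TransactionId 'tx-1001' -Payee 'ACME Supply' -Amount 2500.00
$code = ($sms -split 'code ')[-1]
Confirm-Transaction -TransactionId 'tx-1001' -Payee 'Mule Account' -Amount 2500.00 -Code $code   # rejected: altered transaction
Confirm-Transaction -TransactionId 'tx-1001' -Payee 'ACME Supply'  -Amount 2500.00 -Code $code   # completed
Confirm-Transaction -TransactionId 'tx-1001' -Payee 'ACME Supply'  -Amount 2500.00 -Code $code   # rejected: no pending confirmation
```

The binding to payee and amount is what makes the second channel worth having: a code that merely proves "the phone is present" can be replayed by malware that rewrites the transaction after the user approves it, while a code bound to the transaction details cannot.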

Re: Trusteer Rapport

Posted: Mon Mar 19, 2012 10:42 am
by Captain Ned
Update, after some forensics:

From page 4 of the 64 page install log:

SOFTWARE RESTRICTION POLICY: C:\Docs yada yada yada \\rap93953\RapportSetup-Fill.msi is permitted to run at the 'unrestricted' authorization level.

It doesn't care if you're admin or not, 'cause it is. This is in a full AD environment with no user-level privileges to install anything. We configured a box with a Sophos definition file specifically set to stop this thing. Sophos never blinked and let it run.

Folks, if your financial institution asks you to install this, quickly decline. If they require you to install it, find a new financial institution.

EDIT: Revised Sophos definitions now work.

Re: Trusteer Rapport

Posted: Mon Mar 19, 2012 6:54 pm
by Captain Ned
Hmm, beastie pulled in a digital certificate that granted the app "unrestricted" authorization (direct quote from log).

Is there any way that's legit (or am I not sufficiently paranoid)?

Re: Trusteer Rapport

Posted: Mon Mar 19, 2012 7:10 pm
by Jason181
"Legit" or not, it sure wouldn't please me. Just wait until the bad guys figure out how to exploit that.

Re: Trusteer Rapport

Posted: Mon Mar 19, 2012 7:16 pm
by StuG
I'm not gonna lie. I read the title and thought that you were making a mockery of Tech Report, and expected to hear some rant about how that name was relevant to your current disliking of the website.

Re: Trusteer Rapport

Posted: Mon Mar 19, 2012 7:22 pm
by Captain Ned
StuG wrote:
I'm not gonna lie. I read the title and thought that you were making a mockery of Tech Report, and expected to hear some rant about how that name was relevant to your current disliking of the website.

Que?

[/Manuel]

Re: Trusteer Rapport

Posted: Mon Mar 19, 2012 7:29 pm
by StuG
Captain Ned wrote:
StuG wrote:
I'm not gonna lie. I read the title and thought that you were making a mockery of Tech Report, and expected to hear some rant about how that name was relevant to your current disliking of the website.

Que?

[/Manuel]


I mean it was obvious once I got into the thread that it wasn't so.

Re: Trusteer Rapport

Posted: Mon Mar 19, 2012 7:31 pm
by derFunkenstein
StuG wrote:
I mean it was obvious once I get into the thread that it wasn't so.

I read you, I had the same kind of thought when the thread popped up.

Re: Trusteer Rapport

Posted: Mon Mar 19, 2012 8:37 pm
by Dizik
Sounds similar to McAfee's HBSS and its many components.

Re: Trusteer Rapport

Posted: Tue Mar 20, 2012 1:30 pm
by Ryu Connor
Software Restriction Policies (SRP) is a Group Policy Object (GPO) that can be pushed down to machines in order to blacklist or whitelist programs.

The Unrestricted access level simply means the program runs with the rights of the user. This is not a smoking gun of misdeed.

One of the rules of SRP allows for controlling the use of programs through a Certificate. This too is not a smoking gun of misdeed.

This does not mean that the program is not vile. The above just isn't evidence to prove it.

Re: Trusteer Rapport

Posted: Tue Mar 20, 2012 1:59 pm
by Captain Ned
Ryu Connor wrote:
The Unrestricted access level simply means the program runs with the rights of the user. This is not a smoking gun of misdeed.

One of the rules of SRP allows for controlling the use of programs through a Certificate. This too is not a smoking gun of misdeed.

This does not mean that the program is not vile. The above just isn't evidence to prove it.

Hmm, that only adds to the confusion. The individual in question does not have sufficient user rights under current GPO to install ANY software, yet it installed. The install log does not identify the certificate provider, so that seems to be the next line of inquiry.

Re: Trusteer Rapport

Posted: Tue Mar 20, 2012 2:28 pm
by Ryu Connor
Right click on the installer and choose Digital Signatures from the tabs to see the signing certificate and the verifying authority.

I presume that this is being installed manually? Software using GPO publishing or assignment will ignore user rights.
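The two checks suggested in the posts above (read the installer's signing certificate, and find out what the local SRP actually says before treating "unrestricted" as a smoking gun) as an added PowerShell example. It is not code from the thread or from the vendor; the installer path is a placeholder, and the SRP registry layout and level constants are taken from the Safer (SRP) registry format (`HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, with `0`, `0x20000` and `0x40000` for Disallowed, Basic User and Unrestricted) rather than from anything on this page.

```powershell
# Added example: inspect an installer's Authenticode signature and the local
# Software Restriction Policy. $InstallerPath is a placeholder.
$InstallerPath = 'C:\Temp\installer.msi'

function Get-InstallerSignatureReport {
    param([Parameter(Mandatory)] [string] $Path)
    # Get-AuthenticodeSignature validates against the machine's trust stores;
    # Status is Valid only when the chain builds to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File          = $Path
        Status        = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer        = $null
        Issuer        = $null
        Thumbprint    = $null
        NotAfter      = $null
        TimestampedBy = $null
    }
    if ($sig.SignerCertificate) {
        $report.Signer     = $sig.SignerCertificate.Subject
        $report.Issuer     = $sig.SignerCertificate.Issuer
        $report.Thumbprint = $sig.SignerCertificate.Thumbprint
        $report.NotAfter   = $sig.SignerCertificate.NotAfter
    }
    if ($sig.TimeStamperCertificate) { $report.TimestampedBy = $sig.TimeStamperCertificate.Subject }
    return [pscustomobject]$report
}

function Get-SrpPolicyReport {
    # SAFER level IDs: 0 Disallowed, 0x1000 Untrusted, 0x10000 Constrained,
    # 0x20000 Basic User, 0x40000 Unrestricted (a.k.a. fully trusted).
    $levelName = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
                    131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { return [pscustomobject]@{ Configured = $false } }
    $p = Get-ItemProperty $base

    # Rules are stored per level, under Paths / Hashes / UrlZones subkeys.
    $rules = foreach ($level in Get-ChildItem $base) {
        $n = $level.PSChildName -as [int]
        $name = if ($n -ne $null -and $levelName.ContainsKey($n)) { $levelName[$n] } else { $level.PSChildName }
        foreach ($kind in 'Paths', 'Hashes', 'UrlZones') {
            $k = Join-Path $level.PSPath $kind
            if (-not (Test-Path $k)) { continue }
            foreach ($rule in Get-ChildItem $k) {
                $rp = Get-ItemProperty $rule.PSPath
                $value = if ($rp.ItemData -is [byte[]]) {
                    ($rp.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''   # hash rules
                } else { [string]$rp.ItemData }                                    # path / zone rules
                [pscustomobject]@{ Level = $name; Kind = $kind; Value = $value; Description = $rp.Description }
            }
        }
    }

    [pscustomobject]@{
        Configured         = $true
        DefaultLevel       = $levelName[[int]$p.DefaultLevel]
        # PolicyScope 1 exempts local Administrators: one ordinary reason an
        # install "ignores" SRP on a box where the user is a local admin.
        AdminsExempt       = ($p.PolicyScope -eq 1)
        AppliesToDlls      = ($p.TransparentEnabled -eq 2)
        CertificateRulesOn = ($p.AuthenticodeEnabled -eq 1)
        Rules              = $rules
    }
}

Get-InstallerSignatureReport -Path $InstallerPath | Format-List
$srp = Get-SrpPolicyReport
$srp | Select-Object Configured, DefaultLevel, AdminsExempt, AppliesToDlls, CertificateRulesOn | Format-List
$srp.Rules | Format-Table -AutoSize
```

Read the two reports together: if `DefaultLevel` is `Unrestricted`, every program not matched by a Disallowed rule is "permitted at the 'unrestricted' level" and the log line is telling you nothing about the installer. If `CertificateRulesOn` is false, a certificate rule cannot be what let it through, and the signer shown by the first report is simply who signed the MSI. Only a Disallowed default with an explicit certificate or path rule that matches this installer would show that policy deliberately admitted it.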

Re: Trusteer Rapport

Posted: Tue Mar 20, 2012 2:40 pm
by Scrotos
http://en.wikipedia.org/wiki/Trusteer

In a recent presentation given at 44con, bypassing Trusteer Rapport's keylogger protection was shown to be relatively trivial.

Wow, really? BoA, HSBC, buncha banks are pushing this on customers? Good luck in your investigation, Ned, I'm interested in that info for advising our customer base as well.

Re: Trusteer Rapport

Posted: Tue Mar 20, 2012 2:45 pm
by Captain Ned
Scrotos wrote:
Wow, really? BoA, HSBC, buncha banks are pushing this on customers? Good luck in your investigation, Ned, I'm interested in that info for advising our customer base as well.

We've heard that BoA also requires one to click-thru an explicit hold-harmless against them for anything Rapport might do to a user's system. That's flatly unacceptable.

Re: Trusteer Rapport

Posted: Tue Mar 20, 2012 2:49 pm
by Ushio01
Captain Ned wrote:
Does anyone here know about this thing, or has done any forensics on it?

Trusteer Rapport is a bit of software pushed out by banks to secure their on-line banking platforms. It claims to totally prevent trojan and man-in-the-middle attacks as well as claiming that it buries itself so far in the OS kernel that it can outwit keyloggers. My cursory 'Net research turns up the usual crowd of complainers, but in this case with some justification. it does not appear in Add/Remove Programs, it sets the Temporary Internet Files folder/contents to "hidden" and "read-only", and it appears to amass a pile of data in Docs & Settings\%User%\Application Data. From a regulatory perspective these behaviors worry me, and one of my institutions is using this software.

Thanks in advance.



I have it on my computer and it does appear in Add/Remove Programs. The only thing it seems to do is stop me leaving the bank website if I have a password in copy and paste.

Re: Trusteer Rapport

Posted: Tue Mar 20, 2012 2:56 pm
by Captain Ned
Ushio01 wrote:
I have it on my computer and it does appear in Add/Remove Programs. The only thing it seems to do is stop me leaving the bank website if I have a password in copy and paste.

Whereas in the install we found here in the office (XPSP3) it did not.

Re: Trusteer Rapport

Posted: Mon Mar 26, 2012 12:40 pm
by thegleek
Captain Ned wrote:
Ushio01 wrote:
I have it on my computer and it does appear in Add/Remove Programs. The only thing it seems to do is stop me leaving the bank website if I have a password in copy and paste.

Whereas in the install we found here in the office (XPSP3) it did not.

What is it called exactly under add/remove programs? Am I looking for "Trusteer Rapport" or some other company? I can't seem to find this anywhere on my Win7 x64 computer.

Re: Trusteer Rapport

Posted: Mon Mar 26, 2012 4:10 pm
by UberGerbil
Will definitely be keeping an eye out for this in the future. If your antimalware tools can't see it, they sure can't see if it's infected. Have you tried looking for it with RootkitRevealer (or similar)?
thegleek wrote:
What is it called exactly under add/remove programs? Am I looking for "Trusteer Rapport" or some other company? I can't seem to find this anywhere on my Win7 x64 computer.
Unless you're an online banking customer with BoA or some other institution that mandates its use, you probably (hopefully) don't have it.

Re: Trusteer Rapport

Posted: Mon Mar 26, 2012 5:00 pm
by Captain Ned
UberGerbil wrote:
Will definitely be keeping an eye out for this in the future. If your antimalware tools can't see it, they sure can't see if it's infected. Have you tried looking for it with RootkitRevealer (or similar)?
thegleek wrote:
What is it called exactly under add/remove programs? Am I looking for "Trusteer Rapport" or some other company? I can't seem to find this anywhere on my Win7 x64 computer.
Unless you're an online banking customer with BoA or some other institution that mandates its use, you probably (hopefully) don't have it.

UPDATE:

After review, and after review of my office server configs, I'm almost OK with this beastie. The non-public docs (those provided to customers) say all the right things. My claim of installing over GPO restrictions is temporarily in abeyance as we review exactly how GPO restrictions and .MSI objects interrelate. Our policy is to block them but they're not getting blocked, and it's not just this piece of software.

On a non-domain XPSP3 box I have verified that it shows in Add/Remove Programs and can be uninstalled from an admin login. The only trick is that you have to stop the underlying service before running uninstall (again from an admin login), otherwise it sees the removal attempt as malware-generated. Once the service is stopped it happily and completely uninstalls.

As I said above, my guess is that the conflict between our mis-configured domain policy and the installer for this is the reason we didn't see it in Add/Remove Programs.

Once we've settled that mess, I'll Wireshark it and see if, how, why, and what it phones home for/with.
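The procedure in the post above (find the entry that Add/Remove Programs would show, stop the underlying service, then uninstall as an admin), plus thegleek's question about what the entry is called, as an added PowerShell example. It is not from the thread or from the vendor. The `*Rapport*` wildcard for both the product's DisplayName and its service display name is an assumption; the registry keys are the ones Add/Remove Programs itself is built from, and the `SystemComponent` value shown is the standard way an Uninstall entry is hidden from that list, which is worth checking when something "does not appear" there.

```powershell
# Added example: locate an installed product, stop its services, uninstall it.
# Run from an elevated prompt. Set $DoUninstall to $true to actually remove.
$NamePattern = '*Rapport*'   # assumed; adjust to the DisplayName you see
$DoUninstall = $false

function Find-InstalledProduct {
    param([Parameter(Mandatory)] [string] $Pattern)
    # Add/Remove Programs reads these keys; 32-bit installers on 64-bit Windows
    # land under Wow6432Node, per-user installs under HKCU.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -like $Pattern) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    Publisher       = $p.Publisher
                    Version         = $p.DisplayVersion
                    KeyName         = $key.PSChildName         # a GUID here means a Windows Installer product
                    UninstallString = $p.UninstallString
                    HiddenFromList  = ($p.SystemComponent -eq 1)  # SystemComponent=1 hides the entry
                    InstallDate     = $p.InstallDate
                }
            }
        }
    }
}

function Stop-ProductServices {
    param([Parameter(Mandatory)] [string] $DisplayNamePattern)
    foreach ($s in (Get-Service | Where-Object { $_.DisplayName -like $DisplayNamePattern })) {
        # Self-protecting software may refuse the stop; report it rather than hide it.
        try {
            if ($s.Status -ne 'Stopped') { Stop-Service -Name $s.Name -Force -ErrorAction Stop }
            [pscustomobject]@{ Service = $s.Name; Stopped = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Service = $s.Name; Stopped = $false; Error = $_.Exception.Message }
        }
    }
}

function Uninstall-Product {
    param([Parameter(Mandatory)] $Product)   # object returned by Find-InstalledProduct
    if ($Product.KeyName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # Windows Installer product: uninstall by product code with a verbose log.
        $log     = Join-Path $env:TEMP "uninstall-$($Product.KeyName).log"
        $msiArgs = "/x $($Product.KeyName) /qn /l*v `"$log`""
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        return $proc.ExitCode   # 0 success, 1618 another install running, 3010 reboot required
    }
    if ($Product.UninstallString) {
        $proc = Start-Process -FilePath cmd.exe -ArgumentList "/c $($Product.UninstallString)" -Wait -PassThru
        return $proc.ExitCode
    }
    throw "No uninstall method recorded for $($Product.DisplayName)"
}

$products = @(Find-InstalledProduct -Pattern $NamePattern)
$products | Format-Table DisplayName, Publisher, Version, HiddenFromList, KeyName -AutoSize
if ($products.Count -gt 0 -and $DoUninstall) {
    # Order matters: the post reports the uninstaller treats removal as malware
    # activity while the service is still running.
    Stop-ProductServices -DisplayNamePattern $NamePattern | Format-Table -AutoSize
    foreach ($prod in $products) {
        "Uninstall of $($prod.DisplayName) exited with code $(Uninstall-Product -Product $prod)"
    }
}
```

If the first table is empty on a box where the product is clearly running, check the `HiddenFromList` column on a wider pattern, and then look for the service and its binary directly with `Get-Service` and `Get-Process -FileVersionInfo`; an entry hidden with `SystemComponent` is the most common non-rootkit explanation for "not in Add/Remove Programs".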

Re: Trusteer Rapport

Posted: Fri Sep 28, 2012 8:38 am
by 33713pufferfish
Almost 13 years later, and this thing is still around.
As of last year, SunTrust bank requires their institutional clients (I work at one) to install this program before they can access their account.
My only issues with this so far are one, you can't stop the process, and two, you can't uninstall it like you can with other programs. I don't trust anything that I can't stop and uninstall.

Re: Trusteer Rapport

Posted: Tue Jan 15, 2013 8:24 am
by TrusteerSupport
Hi 33713pufferfish and others,

If you have administrator privileges on the computer you're using, you can stop and/or remove Rapport.

When using third-party uninstallers, Rapport is not fully removed; using the Windows tool or the Rapport Console removes it entirely. Uninstall instructions can be found here: http://www.trusteer.com/support/uninstalling-rapport .

Stopping Rapport can be done via the Rapport Console as well (clicking on the Rapport address/systray icon opens it):
PC users: Start Menu > Programs > Trusteer Rapport > Stop/Start Rapport
Mac OS users: Apple menu > System preferences > Other > Rapport > Stop/Start Rapport

For further assistance or any other issue, please contact our 24/7 support team at http://www.trusteer.com/support/report-problem . We wish to investigate any problem our users are having with Rapport.

Regards,

Alex Man
Trusteer Technical Support

Re: Trusteer Rapport

Posted: Sun Jan 27, 2013 8:48 am
by Head4Heights
A (young) customer's rather old laptop was misbehaving. Upon investigation I identified a number of bits of software that were either downright suspect or of dubious value. I have been aware for some time that Rapport falls into one or both of those categories and so after said customer denied having installed it, I tried to remove it following Rapport's own guidelines. That'll be http://www.trusteer.com/support/uninstalling-rapport (NB: Trusteer Rapport) which advises using Control Panel to remove it in the normal way.

Surprise surprise:
... "files are locked by another software" (is this Ingrish or what??)
... problem persists, please see this site ...troubleshoot_uninstall.

Off I go. Ah! They have an application to download that will uninstall it. No, wait. Only after a lengthy, slightly intimidating and patronising form-filling exercise that goes to some support wonks who will, if the mood takes them, let me have it!!!! Who owns this PC?? :evil: Who do they think they are??

So I'm waiting for a reply from these <expletive>s

In the mean time, is there a safe place to download this removal application ahead of being told by some wonk that I need to try A, B, C etc before they allow the *owner* of the PC to remove their unwanted software?

Thanks.

Re: Trusteer Rapport

Posted: Sun Jan 27, 2013 9:41 am
by Lordhawkwind
I've used this software for several years on my PC and now on my Mac as well.

Never had any issues and it seems to do a good job. The big question I suppose is are you more/less secure with this software on your computer.

Cheers