Personal computing discussed


 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Trusteer Rapport

Fri Mar 09, 2012 4:06 pm

Does anyone here know about this thing, or has done any forensics on it?

Trusteer Rapport is a bit of software pushed out by banks to secure their on-line banking platforms. It claims to totally prevent trojan and man-in-the-middle attacks as well as claiming that it buries itself so far in the OS kernel that it can outwit keyloggers. My cursory 'Net research turns up the usual crowd of complainers, but in this case with some justification. It does not appear in Add/Remove Programs, it sets the Temporary Internet Files folder/contents to "hidden" and "read-only", and it appears to amass a pile of data in Docs & Settings\%User%\Application Data. From a regulatory perspective these behaviors worry me, and one of my institutions is using this software.

Thanks in advance.
What we have today is way too much pluribus and not enough unum.
 
Pagey
Gerbil Jedi
Posts: 1569
Joined: Thu Dec 29, 2005 10:29 am
Location: Middle TN

Re: Trusteer Rapport

Fri Mar 09, 2012 4:20 pm

Ned, Brian Krebs has a bit of analysis here: http://krebsonsecurity.com/2010/04/a-cl ... -trusteer/

I've read about it some, but I have not seen it used at either of the FIs I've worked for...yet.
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Trusteer Rapport

Fri Mar 09, 2012 6:10 pm

Can't comment on the effectiveness of the software (haven't used it). It might be very effective and for some organizations worth the cost (albeit the cited article says Zeus already knows how to work around it).

Security is a tradeoff against usability. Each of us has our own acceptable threshold for that, and getting burned generally causes the tolerance to discomfort to increase immensely.

That being said, I start to draw the line at security programs that are excited about the fact they are essentially rootkits. Again - it might work great - but you now have an extra variable in terms of support when evaluating the ability of that branch to migrate to updated or new software. To be more succinct, who knows how much software compatibility that tool will break. This reads ripe for nasty interactions with OS patches and service packs especially. Change management is a hard job; this doesn't read like software that's gonna do you any favors.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Fri Mar 09, 2012 6:40 pm

Ryu Connor wrote:
That being said, I start to draw the line at security programs that are excited about the fact they are essentially rootkits. Again - it might work great - but you now have an extra variable in terms of support when evaluating the ability of that branch to migrate to updated or new software. To be more succinct, who knows how much software compatibility that tool will break. This reads ripe for nasty interactions with OS patches and service packs especially. Change management is a hard job; this doesn't read like software that's gonna do you any favors.

And that's my issue. I just learned of this thing a couple of days ago and don't know if the bank in question requires accepting this thing in order to maintain an online banking relationship. If the program is a requirement, I've got a massive number of regulatory questions as the rootkit nature of this thing implies massive reputation risk issues on the part of the bank, especially given how the vendor advertises that they burrow deep into the kernel.

One thing's for sure, this thing is sneaky. I was first made aware of it earlier this week when my boss asked me about it based on something funky he'd seen on his office PC's screen. A check of Task Manager showed 2 separate unkillable processes. This is on a fully-managed work PC with full Active Directory controls over program installation and a hardcore enterprise-level Sophos installation that won't let me run CCleaner, but never burped once about this thing.

No sir, I don't like it.

[/rubs chin with hoof]
What we have today is way too much pluribus and not enough unum.
 
UberGerbil
Grand Admiral Gerbil
Posts: 10368
Joined: Thu Jun 19, 2003 3:11 pm

Re: Trusteer Rapport

Fri Mar 09, 2012 6:56 pm

Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.
 
derFunkenstein
Gerbil God
Posts: 25427
Joined: Fri Feb 21, 2003 9:13 pm
Location: Comin' to you directly from the Mothership

Re: Trusteer Rapport

Fri Mar 09, 2012 7:23 pm

UberGerbil wrote:
Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.

That's what I was thinking as well. If my financial institution required it, I'd be required to change financial institutions. And I say that as someone who very much loves his credit union.
I do not understand what I do. For what I want to do I do not do, but what I hate I do.
Twittering away the day at @TVsBen
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Trusteer Rapport

Fri Mar 09, 2012 7:32 pm

I'm waiting for the day when banks distribute a secure virtual machine based on Linux or OpenBSD, containing only enough to run a web browser and a software updater, and require that for online banking.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Fri Mar 09, 2012 7:41 pm

UberGerbil wrote:
Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.

I don't know that at the moment, but can guarantee that it's moved to the top of my to-do list.

As for e-banking security, the best way is to deliver confirmations through an alternate channel, i.e. text-capable cellphone. You enter a transaction and the e-banking platform immediately sends a confirmation request with a single-use code to the text-enabled (or better) cellphone you listed when you signed up for e-banking. Enter the one-time code and the transaction is completed.
What we have today is way too much pluribus and not enough unum.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Mon Mar 19, 2012 10:42 am

Update, after some forensics:

From page 4 of the 64 page install log:

SOFTWARE RESTRICTION POLICY: C:\Docs yada yada yada \\rap93953\RapportSetup-Fill.msi is permitted to run at the 'unrestricted' authorization level.

It doesn't care if you're admin or not, 'cause it is. This is in a full AD environment with no user-level privileges to install anything. We configured a box with a Sophos definition file specifically set to stop this thing. Sophos never blinked and let it run.

Folks, if your financial institution asks you to install this, quickly decline. If they require you to install it, find a new financial institution.

EDIT: Revised Sophos definitions now work.
What we have today is way too much pluribus and not enough unum.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Mon Mar 19, 2012 6:54 pm

Hmm, beastie pulled in a digital certificate that granted the app "unrestricted" authorization (direct quote from log).

Is there any way that's legit (or am I not sufficiently paranoid)?
What we have today is way too much pluribus and not enough unum.
 
Jason181
Gerbil First Class
Posts: 186
Joined: Thu May 19, 2005 7:23 pm
Location: Oregon

Re: Trusteer Rapport

Mon Mar 19, 2012 7:10 pm

"Legit" or not, it sure wouldn't please me. Just wait until the bad guys figure out how to exploit that.
 
StuG
Graphmaster Gerbil
Posts: 1472
Joined: Wed May 23, 2007 11:19 pm
Location: Florida

Re: Trusteer Rapport

Mon Mar 19, 2012 7:16 pm

I'm not gonna lie. I read the title and thought that you were making a mockery of Tech Report, and expected to hear some rant about how that name was relevant to your current disliking of the website.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Mon Mar 19, 2012 7:22 pm

StuG wrote:
I'm not gonna lie. I read the title and thought that you were making a mockery of Tech Report, and expected to hear some rant about how that name was relevant to your current disliking of the website.

Que?

[/Manuel]
What we have today is way too much pluribus and not enough unum.
 
StuG
Graphmaster Gerbil
Posts: 1472
Joined: Wed May 23, 2007 11:19 pm
Location: Florida

Re: Trusteer Rapport

Mon Mar 19, 2012 7:29 pm

Captain Ned wrote:
StuG wrote:
I'm not gonna lie. I read the title and thought that you were making a mockery of Tech Report, and expected to hear some rant about how that name was relevant to your current disliking of the website.

Que?

[/Manuel]


I mean, it was obvious once I got into the thread that it wasn't so.
 
derFunkenstein
Gerbil God
Posts: 25427
Joined: Fri Feb 21, 2003 9:13 pm
Location: Comin' to you directly from the Mothership

Re: Trusteer Rapport

Mon Mar 19, 2012 7:31 pm

StuG wrote:
I mean it was obvious once I get into the thread that it wasn't so.

I read you, I had the same kind of thought when the thread popped up.
I do not understand what I do. For what I want to do I do not do, but what I hate I do.
Twittering away the day at @TVsBen
 
Dizik
Grand Gerbil Poohbah
Posts: 3055
Joined: Sun Jan 02, 2005 3:57 pm

Re: Trusteer Rapport

Mon Mar 19, 2012 8:37 pm

Sounds similar to McAfee's HBSS and its many components.
Heavy is good, heavy is reliable. If it doesn't work, you can always hit them with it.
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Trusteer Rapport

Tue Mar 20, 2012 1:30 pm

Software Restriction Policies (SRP) is a Group Policy Object (GPO) that can be pushed down to machines in order to blacklist or whitelist programs.

The Unrestricted access level simply means the program runs with the rights of the user. This is not a smoking gun of misdeed.

One of the rules of SRP allows for controlling the use of programs through a Certificate. This too is not a smoking gun of misdeed.

This does not mean that the program is not vile. The above just isn't evidence to prove it.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Tue Mar 20, 2012 1:59 pm

Ryu Connor wrote:
The Unrestricted access level simply means the program runs with the rights of the user. This is not a smoking gun of misdeed.

One of the rules of SRP allows for controlling the use of programs through a Certificate. This too is not a smoking gun of misdeed.

This does not mean that the program is not vile. The above just isn't evidence to prove it.

Hmm, that only adds to the confusion. The individual in question does not have sufficient user rights under current GPO to install ANY software, yet it installed. The install log does not identify the certificate provider, so that seems to be the next line of inquiry.
What we have today is way too much pluribus and not enough unum.
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Trusteer Rapport

Tue Mar 20, 2012 2:28 pm

Right click on the installer and choose Digital Signatures from the tabs to see the signing certificate and the verifying authority.

I presume that this is being installed manually? Software deployed using GPO publishing or assignment will ignore user rights.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
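The two points above (an SRP "Unrestricted" decision on its own proves nothing, and the installer's signing certificate is the next thing to look at) can both be checked from a PowerShell prompt rather than by clicking through dialogs. The script below is an added example, not code from this thread or from Trusteer: it reads the installer's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet and then reports the machine's SRP default level and rules from the policy registry key that SRP uses. The installer path is a hypothetical placeholder; the level numbers (0, 0x20000, 0x40000) are the documented SRP security levels.

```powershell
# Added example (not from the thread or from Trusteer): read an MSI's
# Authenticode signature and the machine's Software Restriction Policy so a
# log line such as "permitted to run at the 'unrestricted' authorization
# level" can be traced to the rule or default that produced it.
# Reading HKLM policy keys does not require elevation.

param(
    # Hypothetical path; replace with the installer actually being examined.
    [string]$InstallerPath = 'C:\Temp\RapportSetup-Fill.msi'
)

# --- 1. Who signed the installer, and does the chain verify? ---
# Scripted equivalent of the "Digital Signatures" tab in File Properties.
if (Test-Path -LiteralPath $InstallerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    [pscustomobject]@{
        File       = $InstallerPath
        Status     = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        Signer     = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
    } | Format-List
} else {
    Write-Warning "Installer not found: $InstallerPath"
}

# --- 2. What does SRP say on this machine? ---
# DefaultLevel applies when no rule matches; rule subkeys are named after
# the level they grant.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{
    0      = 'Disallowed'
    131072 = 'Basic User'     # 0x20000
    262144 = 'Unrestricted'   # 0x40000
}

if (-not (Test-Path $srpKey)) {
    'No Software Restriction Policy is configured in HKLM on this machine.'
    return
}

$cfg = Get-ItemProperty -Path $srpKey
[pscustomobject]@{
    DefaultLevel       = $levelNames[[int]$cfg.DefaultLevel]
    # 1 = SRP also evaluates Authenticode certificate rules
    CertificateRules   = [bool]$cfg.AuthenticodeEnabled
    # PolicyScope 1 = local administrators are exempt from the policy
    SkipAdministrators = ($cfg.PolicyScope -eq 1)
    TransparentEnabled = $cfg.TransparentEnabled
} | Format-List

# Enumerate path and hash rules under each level.
$rules = foreach ($level in ($levelNames.Keys | Sort-Object)) {
    foreach ($kind in 'Paths', 'Hashes') {
        $ruleKey = Join-Path $srpKey "$level\$kind"
        if (-not (Test-Path $ruleKey)) { continue }
        Get-ChildItem $ruleKey | ForEach-Object {
            $r = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level       = $levelNames[$level]
                RuleType    = $kind.TrimEnd('s')
                # Path rules store the path in ItemData; hash rules store the
                # file name in FriendlyName and the hash bytes in ItemData.
                Match       = if ($kind -eq 'Paths') { $r.ItemData } else { $r.FriendlyName }
                Description = $r.Description
            }
        }
    }
}
$rules | Format-Table -AutoSize
```

If the output shows DefaultLevel = Unrestricted and no Disallowed rules, then "unrestricted" in the install log is simply the default for every program on that box, which is exactly the "not a smoking gun" case described above; a Valid signature with a recognised Issuer is what the Digital Signatures tab would show. The script only reports the machine (HKLM) policy; a user-scoped SRP policy would live under the same relative path in HKCU.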
 
Scrotos
Graphmaster Gerbil
Posts: 1109
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Trusteer Rapport

Tue Mar 20, 2012 2:40 pm

http://en.wikipedia.org/wiki/Trusteer

In a recent presentation given at 44con, bypassing Trusteer Rapport's keylogger protection was shown to be relatively trivial.

Wow, really? BoA, HSBC, buncha banks are pushing this on customers? Good luck in your investigation, Ned, I'm interested in that info for advising our customer base as well.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Tue Mar 20, 2012 2:45 pm

Scrotos wrote:
Wow, really? BoA, HSBC, buncha banks are pushing this on customers? Good luck in your investigation, Ned, I'm interested in that info for advising our customer base as well.

We've heard that BoA also requires one to click-thru an explicit hold-harmless against them for anything Rapport might do to a user's system. That's flatly unacceptable.
What we have today is way too much pluribus and not enough unum.
 
Ushio01
Gerbil
Posts: 73
Joined: Mon Jan 12, 2009 3:54 pm

Re: Trusteer Rapport

Tue Mar 20, 2012 2:49 pm

Captain Ned wrote:
Does anyone here know about this thing, or has done any forensics on it?

Trusteer Rapport is a bit of software pushed out by banks to secure their on-line banking platforms. It claims to totally prevent trojan and man-in-the-middle attacks as well as claiming that it buries itself so far in the OS kernel that it can outwit keyloggers. My cursory 'Net research turns up the usual crowd of complainers, but in this case with some justification. It does not appear in Add/Remove Programs, it sets the Temporary Internet Files folder/contents to "hidden" and "read-only", and it appears to amass a pile of data in Docs & Settings\%User%\Application Data. From a regulatory perspective these behaviors worry me, and one of my institutions is using this software.

Thanks in advance.



I have it on my computer and it does appear in Add/Remove Programs. The only thing it seems to do is stop me leaving the bank website if I have a password in copy and paste.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Tue Mar 20, 2012 2:56 pm

Ushio01 wrote:
I have it on my computer and it does appear in Add/Remove Programs. The only thing it seems to do is stop me leaving the bank website if I have a password in copy and paste.

Whereas in the install we found here in the office (XPSP3) it did not.
What we have today is way too much pluribus and not enough unum.
 
thegleek
Darth Gerbil
Posts: 7460
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Re: Trusteer Rapport

Mon Mar 26, 2012 12:40 pm

Captain Ned wrote:
Ushio01 wrote:
I have it on my computer and it does appear in Add/Remove Programs. The only thing it seems to do is stop me leaving the bank website if I have a password in copy and paste.

Whereas in the install we found here in the office (XPSP3) it did not.

What is it called exactly under add/remove programs? Am I looking for "Trusteer Rapport" or some other company? I can't seem to find this anywhere on my Win7 x64 computer.
 
UberGerbil
Grand Admiral Gerbil
Posts: 10368
Joined: Thu Jun 19, 2003 3:11 pm

Re: Trusteer Rapport

Mon Mar 26, 2012 4:10 pm

Will definitely be keeping an eye out for this in the future. If your antimalware tools can't see it, they sure can't see if it's infected. Have you tried looking for it with RootkitRevealer (or similar)?
thegleek wrote:
What is it called exactly under add/remove programs? Am I looking for "Trusteer Rapport" or some other company? I can't seem to find this anywhere on my Win7 x64 computer.
Unless you're an online banking customer with BoA or some other institution that mandates its use, you probably (hopefully) don't have it.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Trusteer Rapport

Mon Mar 26, 2012 5:00 pm

UberGerbil wrote:
Will definitely be keeping an eye out for this in the future. If your antimalware tools can't see it, they sure can't see if it's infected. Have you tried looking for it with RootkitRevealer (or similar)?
thegleek wrote:
What is it called exactly under add/remove programs? Am I looking for "Trusteer Rapport" or some other company? I can't seem to find this anywhere on my Win7 x64 computer.
Unless you're an online banking customer with BoA or some other institution that mandates its use, you probably (hopefully) don't have it.

UPDATE:

After review, and after review of my office server configs, I'm almost OK with this beastie. The non-public docs (those provided to customers) say all the right things. My claim of installing over GPO restrictions is temporarily in abeyance as we review exactly how GPO restrictions and .MSI objects interrelate. Our policy is to block them but they're not getting blocked, and it's not just this piece of software.

On a non-domain XPSP3 box I have verified that it shows in Add/Remove Programs and can be uninstalled from an admin login. The only trick is that you have to stop the underlying service before running uninstall (again from an admin login), otherwise it sees the removal attempt as malware-generated. Once the service is stopped it happily and completely uninstalls.

As I said above, my guess is that the conflict between our mis-configured domain policy and the installer for this is the reason we didn't see it in Add/Remove Programs.

Once we've settled that mess, I'll Wireshark it and see if, how, why, and what it phones home for/with.
What we have today is way too much pluribus and not enough unum.
 
33713pufferfish
Gerbil In Training
Posts: 1
Joined: Fri Sep 28, 2012 8:29 am

Re: Trusteer Rapport

Fri Sep 28, 2012 8:38 am

Almost 13 years later, and this thing is still around.
As of last year, SunTrust bank requires their institutional clients (I work at one) to install this program before they can access their account.
My only issues with this so far are one, you can't stop the process, and two, you can't uninstall it like you can with other programs. I don't trust anything that I can't stop and uninstall.
 
TrusteerSupport
Gerbil In Training
Posts: 2
Joined: Tue Jan 15, 2013 7:34 am

Re: Trusteer Rapport

Tue Jan 15, 2013 8:24 am

Hi 33713pufferfish and others,

If you have administrator privileges on the computer you're using, you can stop and/or remove Rapport.

When using third-party uninstallers, Rapport is not fully removed; using the Windows tool or the Rapport Console removes it entirely. Uninstall instructions can be found here: http://www.trusteer.com/support/uninstalling-rapport .

Stopping Rapport can be done via the Rapport Console as well (clicking on the Rapport address/systray icon opens it):
PC users: Start Menu > Programs > Trusteer Rapport > Stop/Start Rapport
Mac OS users: Apple menu > System preferences > Other > Rapport > Stop/Start Rapport

For further assistance or any other issue, please contact our 24/7 support team at http://www.trusteer.com/support/report-problem . We wish to investigate any problem our users are having with Rapport.

Regards,

Alex Man
Trusteer Technical Support
 
Head4Heights
Gerbil In Training
Posts: 2
Joined: Sun Jan 27, 2013 8:22 am

Re: Trusteer Rapport

Sun Jan 27, 2013 8:48 am

A (young) customer's rather old laptop was misbehaving. Upon investigation I identified a number of bits of software that were either downright suspect or of dubious value. I have been aware for some time that Rapport falls into one or both of those categories and so after said customer denied having installed it, I tried to remove it following Rapport's own guidelines. That'll be http://www.trusteer.com/support/uninstalling-rapport (NB: Trusteer Rapport) which advises using Control Panel to remove it in the normal way.

Surprise surprise:
... "files are locked by another software" (is this Ingrish or what??)
... problem persists, please see this site ...troubleshoot_uninstall.

Off I go. Ah! They have an application to download that will uninstall it. No, wait, only after a lengthy, slightly intimidating and patronising form-filling exercise that goes to some support wonks who will, if the mood takes them, let me have it!!!! Who owns this PC?? :evil: Who do they think they are??

So I'm waiting for a reply from these <expletive>s

In the mean time, is there a safe place to download this removal application ahead of being told by some wonk that I need to try A, B, C etc before they allow the *owner* of the PC to remove their unwanted software?

Thanks.
 
Lordhawkwind
Gerbil
Posts: 73
Joined: Tue Jan 05, 2010 10:16 am

Re: Trusteer Rapport

Sun Jan 27, 2013 9:41 am

I've used this software for several years on my PC and now on my Mac as well.

Never had any issues and it seems to do a good job. The big question I suppose is are you more/less secure with this software on your computer.

Cheers
