Turning the tables on SpyEye as it comes out of its hiding place

According to Boodaei, whose Rapport in-browser security software is offered free of charge by a growing number of banks, given the amount of money some of these malware authors are making, they can certainly afford real talent.

"We're still debating whether we should thank SpyEye's chief marketing officer for including Trusteer as one of its main features for the upcoming version. Ever since the story broke, we've been seeing tremendous interest from potential customers, the press and analysts, all curious to learn more about our services and what we're doing to address this threat", he said in his latest security blog.

"On the other hand, it forces us to publicly explain what we're doing to address targeted attacks. We've been keeping information about the secret war Trusteer is fighting to protect people from SpyEye-Zeus away from fraudsters (and competitors) by limiting it to our business customers", he added.

The Trusteer CEO went on to say that attack methodology used by SpyEye against Rapport has been known to his company for some time before it broke out publicly.

The attack, he explained, arrived through Trusteer's intelligence channels and was addressed immediately by our behavioural engine. This engine, he says, tracks the behaviour of different unknown software components inside the computer.

And whenever such a component applies logic that matches one of these rules, it is blocked and terminated, he added.

"The problem with behavioural approaches has always been the fear from false positives. What if a legitimate piece of software applies the same logic and gets terminated as well? If you look at the core functionality of SpyEye from a behavioural perspective, the logic it applies is not that unique - injecting into the browser and communicating with servers on the internet are all tactics used by many browser add-ons and most security products", he said.

Boodaei argues that you cannot apply behavioural rules on programs that follow this approach.

But, he says, when the program becomes hostile against another program and tries to terminate its threads, remove its files etc there are two options - either it is security software with a false positive or malware applying a targeted attack.

Security software, says the Trusteer CEO, can be whitelisted, since it is signed, public and can be tested, as well as and approved.

Against this backdrop, he notes that anything else which uses this hostile logic must be malware and can be easily identified, blocked and completely removed.

"By applying this anti-Trusteer logic, SpyEye has to come out of its hiding place and start shooting and by that it allows definitive detection of its existence and components and allows Trusteer to strike back heavily and get rid of the infection altogether", he said..

"This anti-Trusteer feature is a great opportunity to easily detect the existence of SpyEye on customer computers and get rid of it", he added.

"It seems to me that in their passion to differentiate service from other malware tools, the authors of SpyEye ignored a simple rule - for malware it's always better to keep a low profile."

What’s Hot on Infosecurity Magazine?