A forum for reverse engineering, OS internals and malware analysis 

 #14736  by p4r4n0id
 Wed Jul 18, 2012 7:41 pm
@EP_X0FF: thx a lot, man!

Any chance you have some high-level info / ref. on how the bypass works?

Thx again,

p4r4n0id
EP_X0FF wrote:
p4r4n0id wrote:
Hi Guys,

Looking for a sample that bypasses trusteer Raport.

Thx,

p4r4n0id
Take one of the latest samples from this thread
http://www.kernelmode.info/forum/viewtopic.php?t=93
 #14787  by EP_X0FF
 Sat Jul 21, 2012 5:01 am
p4r4n0id wrote:
@EP_X0FF: thx a lot, man!

Any chance you have some high-level info / ref. on how the bypass works?

Thx again,

p4r4n0id
By the signatures approach mostly. It hooks ws2_32!send and advapi32!CryptEncrypt, for example. In the case of CryptEncrypt being called, SpyEye examines the caller code for the strings "rapportKoan" and "rapporttanzan36" and returns a fake error to the caller if any are found. In the case of send it checks for "rapport" and "trusteer" and, if any are found, returns a fake error about a dead network. Additionally, some variants may try to restore bot hooks + fool security software by "short to long jump" splicing.

Any further questions are better to ask in the appropriate thread.
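The "short to long jump" splicing EP_X0FF mentions is worth seeing in bytes, because it is exactly the case a naive hook detector misses. The example below is added here and is not code from the thread or from SpyEye: it models a module's code as a bytearray (offsets stand in for addresses), writes a 2-byte `EB rel8` at the hooked export's entry that lands in a nearby padding cave, puts the 5-byte `E9 rel32` to the bot's handler in that cave, and then contrasts a detector that only looks for `E9` at the entry with one that follows the jump chain and checks whether it leaves the module. The entry offset, cave offset, handler offset, module range and the `mov edi,edi; push ebp; mov ebp,esp` prologue are all constructed for the demo.

```python
"""Short-to-long-jump hook splice and two detectors (added example, constructed data)."""
import struct

SHORT_JMP = 0xEB  # jmp rel8  (2 bytes)
LONG_JMP = 0xE9   # jmp rel32 (5 bytes)


def encode_short_jmp(src, dst):
    """EB rel8 at src jumping to dst; rel8 is relative to the next instruction."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of rel8 range")
    return bytes([SHORT_JMP, rel & 0xFF])


def encode_long_jmp(src, dst):
    """E9 rel32 at src jumping to dst; rel32 is relative to the next instruction."""
    rel = dst - (src + 5)
    return bytes([LONG_JMP]) + struct.pack("<i", rel)


def install_splice(code, func, cave, hook):
    """Patch func's entry with a short jmp into cave; cave holds the long jmp to hook.

    Only two bytes at the entry change, so a detector that expects E9 there sees nothing.
    """
    code[func:func + 2] = encode_short_jmp(func, cave)
    code[cave:cave + 5] = encode_long_jmp(cave, hook)


def naive_detect(code, func):
    """Common weak check: hooked only if the first byte at the entry is E9."""
    return code[func] == LONG_JMP


def follow_jumps(code, addr, max_hops=8):
    """Follow a chain of EB/E9 jumps starting at addr; return the final target."""
    for _ in range(max_hops):
        if not 0 <= addr < len(code):
            return addr  # left the mapped region; nothing more to decode
        op = code[addr]
        if op == SHORT_JMP:
            rel = struct.unpack("<b", code[addr + 1:addr + 2])[0]
            addr = addr + 2 + rel
        elif op == LONG_JMP:
            rel = struct.unpack("<i", code[addr + 1:addr + 5])[0]
            addr = addr + 5 + rel
        else:
            return addr
    return addr


def thorough_detect(code, func, module_range):
    """Hooked if the entry's jump chain ends outside the module's own range."""
    lo, hi = module_range
    target = follow_jumps(code, func)
    return not (lo <= target < hi)


def build_demo():
    """Constructed layout: module at [0, 0x1000), export at 0x100, cave at 0x140,
    bot handler at 0x1800 (outside the module). Everything else is int3 filler."""
    code = bytearray(b"\xCC" * 0x2000)
    func, cave, hook = 0x100, 0x140, 0x1800
    code[func:func + 5] = b"\x8B\xFF\x55\x8B\xEC"  # mov edi,edi; push ebp; mov ebp,esp
    install_splice(code, func, cave, hook)
    return code, func, (0, 0x1000)


if __name__ == "__main__":
    code, func, module = build_demo()
    print("entry bytes:", code[func:func + 5].hex())
    print("naive detector says hooked:", naive_detect(code, func))
    print("thorough detector says hooked:", thorough_detect(code, func, module))
    print("chain ends at:", hex(follow_jumps(code, func)))
```

The point of `thorough_detect` is that the decision is made on where control actually ends up, not on which opcode sits at the entry; a real implementation would resolve the final target against the loaded module list instead of a single constructed range, and would also want to decode the displaced prologue bytes the splice overwrote.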