A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #11808  by SecureBanking
 Sat Feb 25, 2012 5:05 pm
Hey guys!

Some time ago I started a project called "Secure Banking".
The purpose of this software is to detect banking trojans such as ZeuS, Carberp, SpyEye, Torpig, etc. (by detecting man-in-the-middle attacks).
The software also tries to unhook the affected functions in the browser (blocking the malware).
(supported browsers: Firefox, Chrome, IE)

Well, this software is still in the early stages of development, so I thought that here I could find some smart tips on how to improve "Secure Banking".

I'm sure there are enough security holes (hooking my app, etc.), because the main goal of development was/is functionality.

Feel free to drop me a message if you like this project or if you would be interested in helping me develop this software. :)
I would appreciate any kind of support so much. :)

Thanks a lot!

More information (in german) can be found here: http://www.secure-banking.net and the download link here: http://www.secure-banking.net/download.php?ver=1.3

P.S. the software is in german, but I hope that is no problem.
 #12348  by SomeUnusedName
 Mon Mar 26, 2012 9:02 am
There is AV software that does the same. I think Rapport works like that (and SpyEye has extra functionality to pwn it, not sure if it still works), and so does G-Data's BankGuard.

The problem is, that will help as long as the software is uncommon. If it becomes a real threat to someone's income, they'll just develop a countermeasure.
You only seem to check the first few bytes for differences (memory vs. disk), so one could just hook a couple of instructions lower. You also check for CALL/JMP, which is actually legit. Microsoft's hot-patching feature would replace "mov edi,edi" with a short rel. jump, triggering your defenses, which would remove the hotpatch. Now I don't know how often wininet gets a hotpatch update, but still, it simply isn't that easy.
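The checks SomeUnusedName describes (prologue bytes in memory vs. on disk, "starts with a CALL/JMP", and the mov edi,edi hot-patch false positive) in working form, as an added example; this is not the Secure Banking project's code and was not posted in this thread. It runs over constructed byte buffers standing in for one exported function: the sample bytes, the sample names, the `func_image` struct and the verdict names are all made up for the illustration. On a real system the checker would read the DLL from disk, apply its .reloc fixups (absolute operands change when the module is relocated, which is the usual source of spurious memory-vs-disk differences) and read the mapped copy from the browser process; none of that is shown here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the Secure Banking project. All byte strings
 * below are constructed by hand; nothing is read from a real process. */

enum verdict { CLEAN = 0, HOTPATCH = 1, INLINE_HOOK = 2 };

/* One function as the checker sees it: the 5-byte hot-patch pad that
 * precedes the entry point, then `len` bytes of code from the entry. */
struct func_image {
    const uint8_t *pad;
    const uint8_t *entry;
    size_t len;
};

/* On-disk prologue of a typical /hotpatch x86 export (constructed):
 * mov edi,edi / push ebp / mov ebp,esp / sub esp,10h / push ebx / push esi /
 * push edi / mov edi,[ebp+8] / test edi,edi */
static const uint8_t disk_pad[5]   = {0xCC,0xCC,0xCC,0xCC,0xCC};
static const uint8_t disk_code[16] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,
                                      0x53,0x56,0x57,0x8B,0x7D,0x08,0x85,0xFF};

/* Microsoft hot-patch applied: the pad now holds jmp rel32 and the entry
 * holds jmp short -7 (EB F9) back into the pad. The body is untouched. */
static const uint8_t hot_pad[5]    = {0xE9,0x10,0x20,0x30,0x40};
static const uint8_t hot_code[16]  = {0xEB,0xF9,0x55,0x8B,0xEC,0x83,0xEC,0x10,
                                      0x53,0x56,0x57,0x8B,0x7D,0x08,0x85,0xFF};

/* Classic trojan hook: jmp rel32 written over the first five bytes. */
static const uint8_t hook_entry_code[16] = {0xE9,0x11,0x22,0x33,0x44,0x83,0xEC,0x10,
                                            0x53,0x56,0x57,0x8B,0x7D,0x08,0x85,0xFF};

/* The evasion from the thread: the same jmp rel32 (plus a nop to stay on an
 * instruction boundary) written at offset 8, so the first bytes still match. */
static const uint8_t hook_deep_code[16]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,
                                            0xE9,0x11,0x22,0x33,0x44,0x90,0x85,0xFF};

enum sample { S_CLEAN, S_HOTPATCH, S_HOOK_ENTRY, S_HOOK_DEEP };

static void load_sample(enum sample s, struct func_image *disk, struct func_image *mem)
{
    disk->pad = disk_pad; disk->entry = disk_code; disk->len = sizeof disk_code;
    mem->pad  = disk_pad; mem->len = sizeof disk_code;
    switch (s) {
    case S_CLEAN:      mem->entry = disk_code;                    break;
    case S_HOTPATCH:   mem->pad = hot_pad; mem->entry = hot_code; break;
    case S_HOOK_ENTRY: mem->entry = hook_entry_code;              break;
    case S_HOOK_DEEP:  mem->entry = hook_deep_code;               break;
    }
}

/* E8 = call rel32, E9 = jmp rel32, EB = jmp rel8 */
static int is_call_or_jmp(uint8_t b) { return b == 0xE8 || b == 0xE9 || b == 0xEB; }

/* The check as described in the thread: first `n` bytes, plus "entry starts
 * with CALL/JMP". Cheap, but it fires on hot-patches and misses deeper hooks. */
static enum verdict naive_check(const struct func_image *disk,
                                const struct func_image *mem, size_t n)
{
    if (is_call_or_jmp(mem->entry[0]) || memcmp(disk->entry, mem->entry, n) != 0)
        return INLINE_HOOK;
    return CLEAN;
}

/* Documented hot-patch shape: 8B FF on disk, EB F9 in memory, E9 in the pad. */
static int looks_like_hotpatch(const struct func_image *disk, const struct func_image *mem)
{
    return disk->entry[0] == 0x8B && disk->entry[1] == 0xFF &&
           mem->entry[0]  == 0xEB && mem->entry[1]  == 0xF9 &&
           mem->pad[0]    == 0xE9;
}

/* Compare the whole body and report where it first diverges. A hot-patch is
 * accepted only if everything after the two patched entry bytes still matches. */
static enum verdict full_check(const struct func_image *disk,
                               const struct func_image *mem, size_t *first_diff)
{
    size_t start = looks_like_hotpatch(disk, mem) ? 2 : 0;
    for (size_t i = start; i < disk->len; i++) {
        if (disk->entry[i] != mem->entry[i]) {
            if (first_diff) *first_diff = i;
            return INLINE_HOOK;
        }
    }
    return start ? HOTPATCH : CLEAN;
}

enum verdict naive_verdict(enum sample s)
{
    struct func_image d, m;
    load_sample(s, &d, &m);
    return naive_check(&d, &m, 5);
}

enum verdict full_verdict(enum sample s, size_t *first_diff)
{
    struct func_image d, m;
    load_sample(s, &d, &m);
    return full_check(&d, &m, first_diff);
}

int main(void)
{
    static const char *names[]    = {"clean", "hotpatch", "entry hook", "deep hook"};
    static const char *verdicts[] = {"CLEAN", "HOTPATCH", "INLINE_HOOK"};
    for (int s = S_CLEAN; s <= S_HOOK_DEEP; s++) {
        size_t off = 0;
        enum verdict nv = naive_verdict((enum sample)s);
        enum verdict fv = full_verdict((enum sample)s, &off);
        printf("%-10s naive=%-11s full=%-11s", names[s], verdicts[nv], verdicts[fv]);
        if (fv == INLINE_HOOK) printf(" first diff at offset %zu", off);
        printf("\n");
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run: the naive check reports the hot-patched function as hooked and the deep hook as clean, while the full-body compare gets both right and names the offset of the first changed byte. Even the full compare only sees code rewrites inside the exported function; a hook placed in the import table, the export table, or a lower layer the browser calls into is invisible to a memory-vs-disk byte comparison of that one function.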
 #12352  by SecureBanking
 Mon Mar 26, 2012 3:38 pm
Thanks for your reply.

Well, there was only one piece of software on the market which worked similarly to mine (Rapport).
G Data's BankGuard was published at the beginning of 2012, and I started my project in the middle of August 2011. (G Data's BankGuard also only works with FF and IE.)

> The problem is, that will help as long as the software is uncommon. If it becomes a real threat to someone's income, they'll just develop a countermeasure.
Sure, there is always a way out. (See the Anti-Rapport feature of SpyEye.)
But with each "counter-countermeasure" it is more difficult and time-consuming for malware developers.

I'll improve the check engine in the next update, because I had some problems with relative addresses. But for now it is pretty safe, because I don't know any trojan which uses such an advanced hooking technique.

Thanks for the info about the hotpatching, never heard of it before. ;)
Will do some research work about it.

Thanks!