[p4r4n0id]

Hi Guys,

Looking for a sample that bypasses trusteer Raport.

Thx,

p4r4n0id

[EP_X0FF]

Hi Guys,

Looking for a sample that bypasses trusteer Raport.

Thx,

p4r4n0id

Take one of the latest samples from this thread
http://www.kernelmode.info/forum/viewtopic.php?t=93

[p4r4n0id]

@EP_X0FF: thx alot man!

Any chance you have some high level info / ref. how the bypass works?

Thx again,

p4r4n0id

Hi Guys,

Looking for a sample that bypasses trusteer Raport.

Thx,

p4r4n0id

Take one of the latest samples from this thread
http://www.kernelmode.info/forum/viewtopic.php?t=93

[EP_X0FF]

@EP_X0FF: thx alot man!

Any chance you have some high level info / ref. how the bypass works?

Thx again,

p4r4n0id

By signatures approach mostly. It hooks ws32_32!send and advapi32!CryptEncrypt for example. In case of CryptEncrypt called SpyEye examinies caller code for containing "rapportKoan", "rapporttanzan36" strings and returns fake error to the caller if any found. In case of send it checks for "rapport", "trusteer" and if any returns fake error about dead network. Additionally some variants may try to restore bot hooks + fool security soft by "short to jong jump" splicing.

Any further questions are better to ask in the appropriate thread.