Press release BoxID: 403229 (Trusteer)
  • Trusteer
  • 142 Wooster St.
  • 10012 New York
  • Contact person
  • Neil Stinchcombe
  • +44 (2071) 832-833

Turning the Tables on SpyEye

(PresseBox) (New York, ) I'm starting to think that the SpyEye author has hired a Chief Marketing Officer. Given the amount of money some of these malware authors are making, they can certainly afford real talent. The perfect buildup for the upcoming version of SpyEye/Zeus has made it clear to me once more why these guys rule the malware world - they have a rare combination of excellent technical skills and perfect marketing execution. Using social marketing tactics that only companies like Google and Apple have been able to successfully utilize so far, they leaked a secret beta version to the media; the main features are visually highlighted so that every screen shot tells the story of why this is the next generation, game changing, most innovative piece of malware we've ever seen. Massive media coverage and non-stop chatter among security professionals is everything that a Chief Marketing Officer can dream of before launching a new version.

We're still debating whether we should thank SpyEye's Chief Marketing Officer for including Trusteer as one of its main features for the upcoming version. Ever since the story broke out, we've been seeing tremendous interest from potential customers, the press and analysts, all curious to learn more about our services and what we're doing to address this threat. On the other hand, it forces us to publicly explain what we're doing to address targeted attacks. We've been keeping information about the secret war Trusteer is fighting to protect people from SpyEye Zeus away from fraudsters (and competitors) by limiting it to our business customers. Due to the rumors which might discourage people from using Trusteer Rapport - the only free browser security service that is effective against SpyEye/Zeus - it is now time to set the record straight on why over 70 banks are using Trusteer Rapport to protect their customers.

Zeus has been launching direct attacks against Trusteer for the last couple of years now. There are several different attacks against Rapport incorporated into different versions of Zeus, all of which focus on disabling the software on customer computers. All are successfully blocked by Trusteer. We're probably the most attacked brand in the security industry today and we've gained a lot of experience from it. We employ a counter-intelligence group that is completely focused on detecting and reacting to any new targeted attacks and is constantly designing new features that allow us to detect and block such attacks in a timely manner. The logic behind our self-protection mechanism is complex and is specifically designed to keep customers protected while keeping fraudsters confused and inconclusive about how we operate.

The attack used by SpyEye against Rapport has been known to us for some time before it broke out publicly. It arrived through our intelligence channels and was addressed immediately by our behavioral engine. This engine tracks the behavior of different unknown software components inside the computer. Whenever such a component applies logic that matches one of these rules, it is blocked and terminated.

The problem with behavioral approaches has always been the fear from false positives. What if a legitimate piece of software applies the same logic and gets terminated as well? If you look at the core functionality of SpyEye from a behavioral perspective, the logic it applies is not that unique - injecting into the browser and communicating with servers on the internet are all tactics used by many browser add-ons and most security products. You can hardly apply behavioral rules on programs that do that. However, when the program becomes hostile against another program and tries to terminate its threads, remove its files etc there are two options - either it is security software with a false positive or malware applying a targeted attack. Security software can be whitelisted. They are all signed, public and can be tested and approved. Therefore, anything else which uses this hostile logic must be malware and can be easily identified, blocked and completely removed. By applying this anti-Trusteer logic, SpyEye has to come out of its hiding place and start shooting and by that it allows definitive detection of its existence and components and allows Trusteer to strike back heavily and get rid of the infection altogether.

This anti-Trusteer feature is a great opportunity to easily detect the existence of SpyEye on customer computers and get rid of it. It seems to me that in their passion to differentiate service from other malware tools, the authors of SpyEye ignored a simple rule - for malware it's always better to keep a low profile.

For more information see the Trusteer blog at