• About Flashlight
  • The Need for Flashlight
  • Technology
  • Features and Benefits

Trusteer Flashlight is an end-to-end service enabling banks to perform ongoing risk analysis and investigate malware-related fraud incidents easily and quickly. Using Flashlight, banks can definitively determine which malware variants are committing fraud against them and use the recommendations provided by Flashlight to block them.

When an incident of fraud is reported, Flashlight enables banks to instantly initiate an investigation into the incident and performs analyses within minutes to identify the malware responsible. The service includes a unique remote access capability to lift suspicious software samples without the need for physical presence by bank representatives. When new, previously unknown malware is suspected to be the cause of the fraud incident, Trusteer’s fraud experts analyze and reverse engineer the collected samples to reveal how its mechanism works to commit fraud. This results in the discovery of a new malware variant.

A comprehensive report identifying the malware responsible and recommending methods of blocking it is delivered at the end of every investigation. The Flashlight service also includes ongoing analysis of command and control centers, reporting of new malware to anti-virus vendors and submission to takedown services to prevent future attacks.

Briefly, here’s how Flashlight works:

  • The customer calls their bank, or the bank contacts their customer, with regard to a fraud incident
  • The bank asks their customer to install Trusteer’s forensic software, which identifies the malware variant
  • If the malware is not identified, new unknown malware is suspected, and Trusteer’s team of fraud experts investigates the suspicious behavior and malware samples
  • Full reverse engineering of the unknown malware is performed, if required, by Trusteer fraud analysis experts
  • The bank receives a full report on the malware (both known and unknown) with recommendations for blocking it
  • Trusteer reports the malware to anti-virus vendors and takedown services

Financial institutions are especially sensitive targets when it comes to malware-related fraud, especially with sophisticated malware being unleashed every day. Strong authentication and fraud detection are a good start, but to keep fraudsters out of customer bank accounts it is important to identify the specific malware variants attacking a bank, analyze them, and incorporate the findings to prevent their infiltration in the future.

The problem is that drilling down to acquire data necessary for analysis requires extensive investigation of customer computers. Despite its criticality, most banks perform very limited fraud incident investigations because of the following hindrances:

  • Manual and time consuming process
  • Complexity of data collection
  • Customer perception of intrusion
  • Necessity for physical access to customer computers
  • Hard to scale to the entire customer base

Flashlight uses a complete behavioral approach to malware detection and investigation. Once its forensic desktop software is installed, a range of behavioral analyses are performed to detect suspicious behavior and software, as well as to remotely collect forensic information, including suspicious software samples that can be used to further investigate the incident. Performed in seconds, the analyses include but are not restricted to the following:

  • Integrity of browser files and key operating system files
  • Browser add-ons
  • Pieces of software that inject into the browser
  • Software that communicates with the browser
  • Drivers installed
  • Communication flow between the customer’s computer and their bank
  • Vulnerable and outdated pieces of software on the customer’s computer
  • Network security issues on the customer’s network

Behavioral analyses compare suspicious behavior and footprints to known malware behavior and footprints. In the event of a match, malware relation to the fraud incident and the variant responsible are confirmed.

If the behavioral analyses do not reach a conclusive decision, unknown malware is suspected to be the cause of the incident. Trusteer’s fraud analysts inspect the information gathered and the remotely collected code samples of suspicious modules such as DLLs, patches, and drivers. If required, the fraud analysts conduct a full reverse engineering of the malware, revealing how its mechanism works to commit fraud. This results in the discovery of a new malware variant by Trusteer.
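The analysis and escalation path described above (integrity checks on key files, an inventory of browser-injected modules and drivers, comparison against known malware footprints, and escalation of unmatched samples to analysts) as an added Python sketch; this is not Trusteer's code, and the baseline hashes, footprint database, file names and module names are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
# Constructed baseline: SHA-256 of known-good copies of key browser/OS files.
GOOD_HASHES = {
    "browser.exe": hashlib.sha256(b"genuine browser binary").hexdigest(),
    "wininet.dll": hashlib.sha256(b"genuine wininet").hexdigest(),
}

# Hypothetical footprint database (names constructed for this example): the
# artifacts that together identify a known variant, keyed by Snapshot field.
FOOTPRINTS = {
    "ExampleBanker.A": {"injected_modules": {"sysupd32.dll"},
                        "hosts_redirects": {"online.bank.example"}},
    "ExampleRootkit.B": {"drivers": {"netflt.sys"}},
}
@dataclass
class Snapshot:               # what the forensic client collects remotely
    file_hashes: dict         # file name -> SHA-256 observed on disk
    injected_modules: set     # modules loaded into the browser that are not its own
    drivers: set              # installed drivers outside the known-good set
    hosts_redirects: set      # bank hostnames redirected by the hosts file

def integrity_findings(snap):
    # Key files whose hash differs from the known-good baseline.
    return sorted(f for f, h in snap.file_hashes.items() if GOOD_HASHES.get(f) != h)

def match_variant(snap):
    # First variant whose whole (non-empty) footprint is present in the snapshot.
    for name, fp in FOOTPRINTS.items():
        if fp and all(v and v <= getattr(snap, k) for k, v in fp.items()):
            return name
    return None

def investigate(snap):
    tampered = integrity_findings(snap)
    suspicious = bool(tampered or snap.injected_modules or snap.drivers or snap.hosts_redirects)
    variant = match_variant(snap)
    if variant:
        verdict = "known-variant"        # behavioral match: variant confirmed
    elif suspicious:
        verdict = "unknown-suspected"    # no match: escalate samples to analysts
    else:
        verdict = "no-malware-indicators"
    return {"verdict": verdict, "variant": variant, "tampered_files": tampered,
            "samples_to_collect": sorted(snap.injected_modules | snap.drivers)}
# Constructed snapshot of an infected customer computer.
SAMPLE = Snapshot(
    file_hashes={"browser.exe": GOOD_HASHES["browser.exe"],
                 "wininet.dll": hashlib.sha256(b"patched wininet").hexdigest()},
    injected_modules={"sysupd32.dll"}, drivers=set(), hosts_redirects={"online.bank.example"})
```

The verdict drives the next step: a known variant goes straight into the report, while an "unknown-suspected" result lists the modules to lift for analyst review.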

Features

  • Instantly and remotely analyze the relevant computer and identify the cause of fraud
  • Reverse engineering of new malware samples to understand how they commit fraud
  • Perform ongoing analysis of relevant malware command and control centers
  • Submit malware samples to Anti-Virus vendors to ensure removal from desktops
  • Submit command and control servers to takedown services
  • As-needed consulting on mitigating malware attacks


Benefits

  • Definitively and quickly determine whether fraud events are malware related
  • Acquire metrics and categorization on fraud events
  • Simple, automated risk analysis and reporting for investigations
  • Full life cycle management - from analysis right up to submission to takedown services
  • Feedback from malware analysis indicates what fraudsters are trying to achieve
  • Backed by Trusteer’s extensive malware and security expertise

Copyright ©2011 Trusteer. All Rights Reserved.