Rollout: RSA FraudAction Anti-Trojan service

Doesn't anyone rob banks with guns anymore? In 2006, 55 Brazilians were arrested for stealing $4.7 million from several financial institutions using credentials gathered by keylogging software, while Russian thieves were nabbed for stealing $1.1 million, again using account information stolen via Trojans.

A new service aims to help financial institutions, online auction sites and fund-transfer companies stop Trojans before they can victimize customers. The RSA FraudAction Anti-Trojan service identifies keyloggers, session hijackers and other malicious software, then works with ISPs and law enforcement to take down the sites that distribute Trojans and collect stolen credentials.

RSA FraudAction is a compromise: Financial institutions take action to eradicate malware without having to muck around with customers' computers. However, the service is reactive, relying on antivirus software to find existent malware. It also provides an excuse to delay the adoption of solutions such as out-of-band transaction authentication that would more effectively prevent fraud.

Beware Geeks Bearing GiftsThe anti-Trojan service, available now with pricing based on volume, is an extension of RSA's antiphishing service, which scans large volumes of e-mail looking for phishing attacks against clients. The service notifies clients of new attacks and works to take down servers that host spoofed sites and collect user credentials.

RSA now brings this concept to malware. It looks for two types of Trojans: those that steal credentials for financial fraud and those that perform malicious transactions during legitimate sessions.

By moving quickly to choke off distribution of Trojans that target financial institutions, the service aims to reduce the number of infected customers and thus cut down on fraudulent transactions. The service also may recover information about compromised accounts.

RSA is partnering with several antivirus vendors--it wouldn't say which--to help identify malware aimed at clients; it also examines e-mail captured through various honeypots. When malware is discovered, the antivirus vendors and an RSA "Trojan Team" dissect it to find out how it infects computers, understand its mechanisms--key logger, session hijacker--and identify the command-and-control channels running the malware.

Once this information is assembled, the real value of the service kicks in. RSA runs a 24-hour response center whose agents will contact the ISP hosting the Trojan sites and ask to have the sites taken down. RSA says it works to build a strong case that includes traffic dumps, screenshots and malware analysis. Thanks to its antiphishing service, which has been active for several years, RSA says it has ongoing relationships with a host of international service providers and law enforcement agencies in Korea, Russia and South America, all known malware hotspots.

During the pilot phase of the anti-Trojan service, RSA claims to have addressed 176 unique Trojan incidents. It says in 80 percent of those cases, it had sites taken down by first-line responders. About 15 percent had to be escalated to a second tier within the ISP. For the remaining 5 percent, RSA involved local law enforcement.

RSA is the first to offer a service that specifically addresses the Trojan threat. Its biggest competitor on the antiphishing side is MarkMonitor. Given MarkMonitor's antiphishing infrastructure, it would be trivial for the company to add an anti-Trojan service.

One Step Behind

Any anti-Trojan service will suffer from the same problem as an antivirus product: It goes into effect only after Trojans are distributed or machines compromised. And as more malware includes rootkit-like capabilities to thwart detection, identifying infections will become more difficult. Also, it's laughably easy for criminal sites to reappear elsewhere on the Internet hours after being taken down.Moreover, the service relies heavily on the goodwill of ISPs. RSA has no legal authority to compel a takedown, and while it can appeal to police, cybercrime laws vary widely from country to country, as does the level of cooperation of international law enforcement.

Finally, if a bank knows about the existence of a Trojan that's targeting its customers, is it obligated to inform those customers? The murky legal issues mean plenty of room for lawyers. In 2005, a man sued Bank of America over the loss of $90,000 that was transferred from his account by criminals who had remotely installed a keystroke logger on his computer. Bank of America contends it had no way to know the transfer was illegitimate. While the suit is yet to be resolved, such a defense would be less credible for subscribers to an anti-Trojan service.

Technology Editor Andrew Conry-Murray can be reached at [email protected]/a>.