Feeds

'Neverquest' bank-robber 'ware throws the whole Trick Book at victims

Carberp? ZeuS? Get into the fridge, grandad

Next gen security for virtualised datacentres

A new banking trojan that its creators brag can attack “any bank in any country” has already been blamed for several thousand attempts to infect computers.

The Neverquest banking trojan supports almost every trick used to bypass online banking security systems, including web injection, remote system access and social engineering, Kaspersky Lab warns. Neverquest surfaced on hacker forums during July in an advert looking for a partner to work with the trojan on servers run by a group of cybercriminals.

Months later, variants of the malware matching the design specs started surfacing in active attacks. By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world. Things can only get worse as the fraudsters behind the malware are only just spinning up their malware machine, which might take months to reach its full potential.

Neverquest uses the same self-replication mechanisms as Bredolab, a digital pathogen used as a platform for spam distrubution and scareware scams that caused all sorts of problems when it began spreading back in 2009. At its pre-decapitation peak, Bredolab infected an estimated 30m Windows PCs, so Neverquest's similarity to it is bad news for internet hygiene.

Routines built into Neverquest harvest contact information from a victim's email client. This information is used by cybercriminals to send out mass spam mailings with attachments containing trojan downloaders, designed to install Neverquest. Booby-trapped emails contain malicious zip attachments and are typically designed to look like official notifications from a variety of online services.

Another routine steals FTP passwords associated with websites. This compromised access is then used to plant malicious code (exploit packs) on websites. This creates drive-by download attacks so that surfers visiting the otherwise legitimate site are sprayed with malicious code ultimately designed to plant Neverquest malware on vulnerable PCs using browser exploits and similar attacks.

The crooks behind the malware are aiming to steal a march against their more established rivals who push other banking trojan toolkits such as ZeuS and Carberp, according to security researchers.

Sergey Golovanov, principal security researcher at Kaspersky Lab, commented:

“After wrapping up several criminal cases associated with the creation and proliferation of malware used to steal bank website data, a few ‘holes’ appeared on the black market. New malicious users are trying to fill these with new technologies and ideas. Neverquest is just one of the threats aiming to take over the leading positions previously held by programs like ZeuS and Carberp.”

Neverquest steals usernames and passwords to online bank accounts as well as all the data entered by the user into the modified pages of a banking website. Special scripts for Internet Explorer and Firefox are used to enable these thefts, giving the malware control of the browser connection and routing it to the cybercrooks’ command server.

Scripts to enable fraud against German, Italian, Turkish and Indian banks, as well as payment systems, come bundled with the hacker tool. Neverquest also comes with utilities to enable fraudsters to extend the target list.

Kaspersky Lab analysts reckon investment funds from fidelity.com are the top target for the fraudsters behind the malware. Malicious users have the chance not only to transfer funds to their own accounts but also to play the stock market using the accounts and the money of Neverquest victims.

One unusual feature of the malware means fraudsters can conduct transactions and wire money from one compromised account to the accounts of other victims. Normally funds are fraudulently siphoned off from compromised accounts to accounts maintained by money mules in the same country, junior partners in banking fraud scams. These money mules withdraw the money, keeping a small percentage, before using money transfer services such as Western Union to send it to the masterminds behind the scams, who are often based in eastern Europe.

Neverquest is also designed to harvest data to access the accounts of numerous social networking services, including Twitter and Facebook. The malware has yet to use social media to spread, however, according to security researchers at the Russian security firm.

A full write-up on the threat, including screenshot, can be found on a post at Kaspersky Lab's Threatpost blog here. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?