Feeds

'Neverquest' bank-robber 'ware throws the whole Trick Book at victims

Carberp? ZeuS? Get into the fridge, grandad

Choosing a cloud hosting partner with confidence

A new banking trojan that its creators brag can attack “any bank in any country” has already been blamed for several thousand attempts to infect computers.

The Neverquest banking trojan supports almost every trick used to bypass online banking security systems, including web injection, remote system access and social engineering, Kaspersky Lab warns. Neverquest surfaced on hacker forums during July in an advert looking for a partner to work with the trojan on servers run by a group of cybercriminals.

Months later, variants of the malware matching the design specs started surfacing in active attacks. By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world. Things can only get worse as the fraudsters behind the malware are only just spinning up their malware machine, which might take months to reach its full potential.

Neverquest uses the same self-replication mechanisms as Bredolab, a digital pathogen used as a platform for spam distrubution and scareware scams that caused all sorts of problems when it began spreading back in 2009. At its pre-decapitation peak, Bredolab infected an estimated 30m Windows PCs, so Neverquest's similarity to it is bad news for internet hygiene.

Routines built into Neverquest harvest contact information from a victim's email client. This information is used by cybercriminals to send out mass spam mailings with attachments containing trojan downloaders, designed to install Neverquest. Booby-trapped emails contain malicious zip attachments and are typically designed to look like official notifications from a variety of online services.

Another routine steals FTP passwords associated with websites. This compromised access is then used to plant malicious code (exploit packs) on websites. This creates drive-by download attacks so that surfers visiting the otherwise legitimate site are sprayed with malicious code ultimately designed to plant Neverquest malware on vulnerable PCs using browser exploits and similar attacks.

The crooks behind the malware are aiming to steal a march against their more established rivals who push other banking trojan toolkits such as ZeuS and Carberp, according to security researchers.

Sergey Golovanov, principal security researcher at Kaspersky Lab, commented:

“After wrapping up several criminal cases associated with the creation and proliferation of malware used to steal bank website data, a few ‘holes’ appeared on the black market. New malicious users are trying to fill these with new technologies and ideas. Neverquest is just one of the threats aiming to take over the leading positions previously held by programs like ZeuS and Carberp.”

Neverquest steals usernames and passwords to online bank accounts as well as all the data entered by the user into the modified pages of a banking website. Special scripts for Internet Explorer and Firefox are used to enable these thefts, giving the malware control of the browser connection and routing it to the cybercrooks’ command server.

Scripts to enable fraud against German, Italian, Turkish and Indian banks, as well as payment systems, come bundled with the hacker tool. Neverquest also comes with utilities to enable fraudsters to extend the target list.

Kaspersky Lab analysts reckon investment funds from fidelity.com are the top target for the fraudsters behind the malware. Malicious users have the chance not only to transfer funds to their own accounts but also to play the stock market using the accounts and the money of Neverquest victims.

One unusual feature of the malware means fraudsters can conduct transactions and wire money from one compromised account to the accounts of other victims. Normally funds are fraudulently siphoned off from compromised accounts to accounts maintained by money mules in the same country, junior partners in banking fraud scams. These money mules withdraw the money, keeping a small percentage, before using money transfer services such as Western Union to send it to the masterminds behind the scams, who are often based in eastern Europe.

Neverquest is also designed to harvest data to access the accounts of numerous social networking services, including Twitter and Facebook. The malware has yet to use social media to spread, however, according to security researchers at the Russian security firm.

A full write-up on the threat, including screenshot, can be found on a post at Kaspersky Lab's Threatpost blog here. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, watchdog claims
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.