Feeds

'Neverquest' bank-robber 'ware throws the whole Trick Book at victims

Carberp? ZeuS? Get into the fridge, grandad

High performance access to file storage

A new banking trojan that its creators brag can attack “any bank in any country” has already been blamed for several thousand attempts to infect computers.

The Neverquest banking trojan supports almost every trick used to bypass online banking security systems, including web injection, remote system access and social engineering, Kaspersky Lab warns. Neverquest surfaced on hacker forums during July in an advert looking for a partner to work with the trojan on servers run by a group of cybercriminals.

Months later, variants of the malware matching the design specs started surfacing in active attacks. By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world. Things can only get worse as the fraudsters behind the malware are only just spinning up their malware machine, which might take months to reach its full potential.

Neverquest uses the same self-replication mechanisms as Bredolab, a digital pathogen used as a platform for spam distrubution and scareware scams that caused all sorts of problems when it began spreading back in 2009. At its pre-decapitation peak, Bredolab infected an estimated 30m Windows PCs, so Neverquest's similarity to it is bad news for internet hygiene.

Routines built into Neverquest harvest contact information from a victim's email client. This information is used by cybercriminals to send out mass spam mailings with attachments containing trojan downloaders, designed to install Neverquest. Booby-trapped emails contain malicious zip attachments and are typically designed to look like official notifications from a variety of online services.

Another routine steals FTP passwords associated with websites. This compromised access is then used to plant malicious code (exploit packs) on websites. This creates drive-by download attacks so that surfers visiting the otherwise legitimate site are sprayed with malicious code ultimately designed to plant Neverquest malware on vulnerable PCs using browser exploits and similar attacks.

The crooks behind the malware are aiming to steal a march against their more established rivals who push other banking trojan toolkits such as ZeuS and Carberp, according to security researchers.

Sergey Golovanov, principal security researcher at Kaspersky Lab, commented:

“After wrapping up several criminal cases associated with the creation and proliferation of malware used to steal bank website data, a few ‘holes’ appeared on the black market. New malicious users are trying to fill these with new technologies and ideas. Neverquest is just one of the threats aiming to take over the leading positions previously held by programs like ZeuS and Carberp.”

Neverquest steals usernames and passwords to online bank accounts as well as all the data entered by the user into the modified pages of a banking website. Special scripts for Internet Explorer and Firefox are used to enable these thefts, giving the malware control of the browser connection and routing it to the cybercrooks’ command server.

Scripts to enable fraud against German, Italian, Turkish and Indian banks, as well as payment systems, come bundled with the hacker tool. Neverquest also comes with utilities to enable fraudsters to extend the target list.

Kaspersky Lab analysts reckon investment funds from fidelity.com are the top target for the fraudsters behind the malware. Malicious users have the chance not only to transfer funds to their own accounts but also to play the stock market using the accounts and the money of Neverquest victims.

One unusual feature of the malware means fraudsters can conduct transactions and wire money from one compromised account to the accounts of other victims. Normally funds are fraudulently siphoned off from compromised accounts to accounts maintained by money mules in the same country, junior partners in banking fraud scams. These money mules withdraw the money, keeping a small percentage, before using money transfer services such as Western Union to send it to the masterminds behind the scams, who are often based in eastern Europe.

Neverquest is also designed to harvest data to access the accounts of numerous social networking services, including Twitter and Facebook. The malware has yet to use social media to spread, however, according to security researchers at the Russian security firm.

A full write-up on the threat, including screenshot, can be found on a post at Kaspersky Lab's Threatpost blog here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.