By Michael Kassner in IT Security, December 30, 2013, 8:30 AM PST
New Neverquest malware steals bank account logins and lets attackers access accounts through victims’ computers.
For over five years, Zeus has been the undisputed king of banking malware. Once this trojan was loaded onto a victim’s machine, it could:
- Detect when the owner entered banking information into a web browser.
- Steal passwords and other pertinent login information.
- Encrypt the stolen information and send it to the attacker’s specified servers.
Zeus was also one of the first pieces of malicious software to be sold under a license. For the right price, anyone could use it.
Zeus remains active today, but its source code was published online in 2011 and this cyberscourge has about run its course. Unfortunately, Security experts are already sounding the alarm about a new piece of malware that makes Zeus look like a simpleton. Neverquest significantly raises the bar for online banking malware.
[adsenseyu2]
How Neverquest works
Like Zeus, Neverquest is a Trojan. Bad guys introduce Neverquest to the victim’s computer via social media, email, or file transfer. According to the security blog Threat Post, Neverquest replicates in a manner similar to the Bredolab botnet client:
“Bredolab malware used the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the third most widely distributed piece of malware on the Internet.”
Before it was shuttered, the Bredolab botnet consisted of 30 million computers. Why not use something that works?
If the victim’s computer is vulnerable to an exploit targeted by Neverquest’s trojan loader; the malware is installed. Then Neverquest starts paying attention to what the user is typing into their web browser. If a predetermined financial term is recognized, Neverquest checks the website domain name. Since, Neverquest has hundreds of banking and financial institutions in its database; there’s a better than average chance Neverquest will be familiar with the banking website.
Once Neverquest recognizes a banking site, it will relay the login information back to the attackers’ command and control server. Once the victim’s credentials are in the hands of the attackers, they will remotely control the victim’s computer using VNC, log into the victim’s banking website, and do one of the following:
- Transfer money to different accounts
- Change login credentials, locking out account owner
- Write checks to money mules
And to make matters worse, banking sites are unable to distinguish the victim’s login from that of the attacker using Neverquest.
One capability Neverquest has that Zeus doesn’t, is the ability to cultivate new banking sites for its database. If the malcode recognizes certain financial terms, but not the domain; Neverquest will send the information back to the command and control server which then creates a new identity, and updates every compromised computer under its control.
Neverquest in the wild
One sobering reality is that Neverquest is already for sale. Zeus, being “first of its kind” malware, required skilled controllers. Not so with Neverquest, script kiddies and malware non-experts are able to make use of the potent malware as soon as they buy it.
Next reality: standard antivirus software is not effective. Kaspersky mentions in this blog:
“Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that secures transactions. In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.”
Kaspersky also reported that:
“Neverquest is also designed to start harvesting data when an infected user visits any number of sites not related to finance, including Google, Yahoo, Amazon AWS, Facebook, Twitter, Skype and many more.”
It appears that Neverquest developers are looking to diversify.
Protecting yourself
Despite Neverquest’s formidable capabilities, there are several things we can do to protect ourselves. First, there is the security expert’s mantra, “Make sure the computer operating system and all applications are up-to-date.” Doing so will at least prevent malware from exploiting known weaknesses.
Second, even though I wrote the article, Online banking: How safe is it in 2009, using a LiveCD to access banking websites is still a valid method to prevent malware such as Neverquest from stealing your financial information and eventually your money.
About Michael Kassner
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.