Community Leader
Jasper_The_Rasper
Posts: 1,047
Registered: ‎06-12-2013

Trojan program 'Neverquest' a new threat to online banking users, researchers say

Attackers could start to aggressively distribute this malware in the near future, Kaspersky Lab researchers warn.

A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.

The malware was first advertised on a private cybercrime forum in July, according to malware researchers from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.

"By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world," said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a blog post. "This threat is relatively new, and cybercriminals still aren't using it to its full capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could increase considerably over a short period of time."

Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal the username and passwords entered by victims on those websites and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).

However, this Trojan program also has some features that make it stand out.

Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.

 

DavidP1970
Posts: 3,149
Kudos: 1,594
Registered: ‎10-28-2012

Re: Trojan program 'Neverquest' a new threat to online banking users, researchers say

Oh nice one! Nice and nasty, that is... certainly one to keep an eye out for.



      

New to the Community? Register now and start posting!






"If you don't learn something new every day, you need to pay more attention. I often get my daily learning here so grab a chair and stay a while!"
WSA-Complete (Beta Tester), Toshiba Satellite L305, Intel Pentium Dual CPU at 1.87 GHz, 3 GB RAM With Windows 7 (x86) (Yes its old.. but it still usually works! : )
explanoit
Posts: 833
Topics: 58
Kudos: 487
Ideas: 50
Registered: ‎01-11-2013

Re: Trojan program 'Neverquest' a new threat to online banking users, researchers say


I wish Webroot still did deep-dives as detailed as this. I miss the PrevX blog =(

Good stuff still years later.

 

http://www.prevx.com/blog.asp

http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf

 

In the TDL3/4 days it was my lighthouse.

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise and WSAWSS administrator of 1400+ computers
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Find me on Twitter!

Community Manager
Cat
Posts: 367
Registered: ‎01-10-2012

Re: Trojan program 'Neverquest' a new threat to online banking users, researchers say

Thanks for posting, Jasper! This is definitely one we have our eye on. Maybe @Grayson can even chime in.

 

And @explanoit - we do still have a Threat Research blog where we showcase our findings: The Webroot Threat Blog

Marco Guiliani has even contributed to it. It just has a new location. If you have any feedback on it though, please share with @Richard.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
New to the Community? Sign up for FREE today.
TripleHelix
Posts: 5,331
Topics: 399
Kudos: 3,233
Ideas: 5
Registered: ‎02-03-2012

Re: Trojan program 'Neverquest' a new threat to online banking users, researchers say


Cat wrote:

Thanks for posting, Jasper! This is definitely one we have our eye on. Maybe @Grayson can even chime in.

 

And @explanoit - we do still have a Threat Research blog where we showcase our findings: The Webroot Threat Blog

Marco Guiliani has even contributed to it. It just has a new location. If you have any feedback on it though, please share with @Richard.


Where is Marco's blog located now? If you read his past blogs, that's the kind we like reading: when he breaks down malware and shows his detailed analysis!

 

Daniel





Webroot® SecureAnywhere™ Internet Security Complete 2014 Beta Tester v8.0.4.70 on my main system Windows 7 Ultimate 64bit & on Win XP 32bit, Win Vista 32bit, Win 7 32bit, Win 8.1 Pro 32bit & 64bit all on VM's. 




Community Manager
Cat
Posts: 367
Registered: ‎01-10-2012

Re: Trojan program 'Neverquest' a new threat to online banking users, researchers say

Marco has actually moved on, but his posts can be found here. I'm sure the current members of the Threat Blog team will be able to take this feedback and apply it to some of their posts moving forward.

 

Nowadays, the team tends to focus on "Here's what we found and here's how to remove it" like this recent blog from @TylerM. :)

Threat Researcher
TylerM
Posts: 6
Registered: ‎06-05-2013

Re: Trojan program 'Neverquest' a new threat to online banking users, researchers say

Hi all,

 

This malware has been around for a little bit already in the malware community and is known as Win32/Vawtrak. We have numerous samples and are always gathering more. This specific malware uses the Pony universal stealer system. We have rules in place and should block these in real time. As always, please let us know if you have any questions, or if you believe you have an infection we don't catch, please submit it through the client or submit a ticket from http://www.webroot.com/us/en/support/

 

 

For more detailed info on this threat...

 

Bot URL structure:

/forumdisplay.php?fid=%u
/post.aspx?forumID=%u
/post.aspx?messageID=%u

 Vawtrak strings:

"aPLib v1.01  -  the smaller the better :)"
"Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved."
"More information: http://www.ibsensoftware.com/"
b-o
HzS
OLEACC.dll
COMDLG32.dll
@J7<
8CRYPT32.dll
NETAPI32.dll
MODU
@@@@
@@@@
@@@@
@@@@
@@@@
@@@@
@@@@
@@@@
!!!!!!!!!!!!!!!!ADAA@@@@@@@@@@@@
@@AD
@@@@
@@@@@@@@!!!!
@@@@@@
A@@@@@@@@@
@@@@P
@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@AAAA@@@
@@@@$$$$$$$$$$$$$$$$@@@@@@@@@@@@@@@@
@A@
@A@@@@@@@@@@@@@A@@@@@@@A@AAA@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
"x ATAUAVAWE3"
HcQ<H
:smileytongue:E
RPH
"P E"
X$E;
ruH;
spL;
rkL;
sfL;
raL;
s\3
tUE
tPM
@:;u
t<I
8@:<
\$(H
l$0H
t$8H
|$@A_A^A]A\
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
#+3;CScs
!1Aa
K6\
K6\
K6\
K6\
user_id%
version_id%
framework_key%
framework%
"function EQFramework(g){this._Key=g;this._LastAsync=null;this.Version=1;this.GetXHR=function(){""undefined""===typeof XMLHttpRequ"
random%
text/html
text/plain
text/javascript
text/css
text/xml
application/json
application/x-javascript
application/x-json
application/javascript
application/atom+xml
application/rss+xml
TrustedPeople
TrustedPublisher
Root
Disallowed
CertificateAuthority
AuthRoot
AddressBook
1234
%s.pfx
"\Macromedia\Flash Player\"
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
ff/
sol/
ie/
.txt
client_32.dll
c.dll
"Content-Type: application/octet-stream"
Status
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
"[%s - X32 EQ PID: %u TID: %u] "
DebugMEssage
Transfer-Encoding
chunked
Content-Length
Content-Encoding
ntCoent-Length
X-Content-Security-Policy
X-Frame-Options
X-WebKit-CSP
gzip
Content-Type
"HTTP/1.1 200 OK"
"Content-Length: %u"
"Connection: close"
"GET /robots.txt HTTP/1.1"
"Connection: close"
Authorization
ocsp
NSPR4.DLL
nss3.dll
PR_GetError
PR_GetOSError
PR_SetError
OpenInputDesktop
USER32.DLL
SwitchDesktop
GetKeyState
GetKeyboardState
GetAsyncKeyState
GetMessagePos
GetCursorPos
SetCursorPos
SetCapture
ReleaseCapture
GetCapture
GetMessageA
GetMessageW
PeekMessageA
PeekMessageW
iexplore.exe
firefox.exe
outlook.exe
127.0.0.1
POST
POST
"[VNC] New Client"
"[VNC] Fail init BC"
"[VNC] Fail addr proto BC"
"[VNC] Fail connect BC"
"[VNC] Fail init work: %u"
"[VNC] Start Sever"
"VNC Already started"
"[VNC] Parse param error: %s"
_hrc
\regsvr32.exe
"[VNC] Fail create  process: %u"
"[VNC] Fail inject to process: %u"
*.*
All
*.*
open
"user_pref(""layers.acceleration.disabled"", true);"
"user_pref(""gfx.direct2d.disabled"", true);"
prefs.js
IEXPLORE.EXE
about:blank
"-extoff about:blank"
"-private about:blank"
FIREFOX.EXE
OUTLOOK.EXE
EXPLORER.EXE
CMD.EXE
TASKMGR.EXE
#32768
SysShadow
ToolbarWindow32
DirectUIHWND
%0.8x:%0.8x
application/octet-stream
"HTTP/1.1 200 OK"
"Content-Length: %u"
"Content-Type: application/octet-stream"
"Content-Type: application/x-www-form-urlencoded"
id=%0.8X%0.8X%0.8X%0.4X%0.4X
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X
"Query Config"
%0.8x
ADVAPI32.DLL
PR_Read
PR_Write
PR_Close
SOFTWARE\AppDataLow\
InternetConnectA
WININET.DLL
InternetConnectW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
InternetCloseHandle
InternetReadFile
InternetReadFileExA
InternetQueryDataAvailable
HttpQueryInfoA
HttpOpenRequestA
HttpOpenRequestW
InternetWriteFile
HttpEndRequestA
HttpEndRequestW
InternetQueryOptionA
InternetQueryOptionW
InternetSetOptionA
InternetSetOptionW
CreateProcessW
kernel32.dll
CreateProcessA
CreateProcessAsUserW
CreateProcessAsUserA
SeCreateGlobalPrivilege
SeShutdownPrivilege
SeDebugPrivilege
"Init in Browser = %u"
"Init in Shell = %u"
"[Socks] New Client"
"[Socks] Failt Init BC"
"[Socks] Fail add proto BC"
"[Socks] Failt connect BC [%s:%u]"
_proxy
"[Socks] Fail parse param: %s"
"Install Update"
%ws
Software\Microsoft\Windows\CurrentVersion\Run
.dat
"Update Installed"
"[Pony] Fail Get Pass"
.exe
"DL_EXEC Status [Pipe]: %u-%u-%u"
"DL_EXEC Status[Local]: %u"
"%u   "
PROCESS_LIST
LOG
"Start Socks addr: %s"
"Start Socks Status[Pipe]: %u-%u-%u"
"Start Socks Status[Local]: %u"
"Start VNC addr: %s"
"Start VNC Status[Pipe]: %u-%u-%u"
"Start VNC Status[Local]: %u"
msvcrt.dll
vsprintf
%0.8X%0.8X0
"COMMAND: %s"
%0.8X%0.8X%c
"URL: %s"
"INFO: %s"
%0.8X%0.8X2
"URL: %s"
%0.8X%0.8X1
"URL: %s"
"LOGIN: %s"
"PASS: %s"
%0.8X%0.8X5
"URL: %s"
"KEYWORD: %s"
%0.8X%0.8X6
"URL: %s"
%0.8X%0.8X7
%0.8X%0.8X8
%0.8X%0.8X9
%0.8X%0.8XA
/forumdisplay.php?fid=%u
/post.aspx?forumID=%u
/post.aspx?messageID=%u
"Software\Microsoft\Internet Explorer\Main"
NoProtectedModeBanner
TabProcGrowth
"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
2500
http://
https://
"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
"User Agent"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
GET
%0.4X%0.4X-%0.4X-%0.4X-%0.4X-%0.4X%0.4X%0.4X
{%0.4X%0.4X-%0.4X-%0.4X-%0.4X-%0.4X%0.4X%0.4X}
\\.\pipe\
"000000 "
"000755 "
"        "
%0.11u
"ustar  "
%0.7u
././@LongLink
dbghelp.dll
MiniDumpWriteDump
.tmp
Host
User-Agent
iexplore.exe
firefox.exe
explorer.exe
chrome.exe
"PID: %u [%0.2u:%0.2u:%0.2u] "
"[BC] Cmd Ver Error"
"[BC] Wait Ping error %u[%u]"
"[BC] Fail Connect"
"[BC] Fail send auth"
"[BC] Fail read cmd"
"[BC] cmd error: %u"
"[BC] Cmd need disconnect"
S:(ML;;NW;;;LW)
D:(A;OICI;GA;;;WD)
ntdll.dll
LdrLoadDll
NtGetContextThread
NtProtectVirtualMemory
\System32\kernel32.dll
\System32\kernelbase.dll
CreateRemoteThread
"regsvr32.exe /s ""%s"""
"regsvr32.exe /s ""%s"""
"Microsoft Base Cryptographic Provider v1.0"
NtWow64ReadVirtualMemory64
NtWow64WriteVirtualMemory64
IsWow64Process
gdiplus.dll
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipSaveImageToFile
GdipDisposeImage
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
UninstallString
DisplayName
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
"Working Directory"
"Software\RIT\The Bat!"
ProgramDir
Default
"Software\RIT\The Bat!\Users depot"
Count
"Dir #%u"
\BatMail
"\The Bat!"
.oeaccount
Salt
"Software\Microsoft\Windows Live Mail"
"\Microsoft\Windows Live Mail"
"Software\Microsoft\Windows Mail"
"\Microsoft\Windows Mail"
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
Software\IncrediMail
abe2869f-9b47-4cd9-a358-c22904dba7f7
"Software\Microsoft\Internet Explorer\IntelliForms\Storage2"
Microsoft_WinInet_*
"Internet Explorer"
WininetCacheCredentials
"MS IE FTP Passwords"
"DPAPI: "
PWDFILE0
1.0
PKDFILE0
"Last Server Type"
"Last Server Path"
"Last Server Port"
"Last Server User"
"Last Server Host"
"Last Server Pass"
Server.Port
Server.User
Server.Host
Server.Pass
"Server Type"
Line
Password
HostName
User
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
"Software\Far Manager\Plugins\FTP\Hosts"
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
"Software\Far Manager\SavedDialogHistory\FTPHost"
Sites\
.ini
\win.ini
DIR
WS_FTP
DEFDIR
\Ipswitch\WS_FTP
\Ipswitch
QCHistory
\GlobalSCAPE\CuteFTP
sm.dat
"\GlobalSCAPE\CuteFTP Pro"
"\GlobalSCAPE\CuteFTP Lite"
\CuteFTP
CUTEFTP
"Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar"
\Sites.dat
\Quick.dat
\History.dat
\FlashFXP\3
\FlashFXP\4
InstallerDathPath
Software\FlashFXP\3
path
Software\FlashFXP
"Install Path"
DataFolder
Software\FlashFXP\4
"\BulletProof Software"
.dat
.bps
LastSessionFile
"Software\BPFTP\Bullet Proof FTP\Main"
"Software\BulletProof Software\BulletProof FTP Client\Main"
SitesDir
"Software\BPFTP\Bullet Proof FTP\Options"
"Software\BulletProof Software\BulletProof FTP Client\Options"
InstallDir1
Software\BPFTP
\SmartFTP
.xml
Favorites.dat
History.dat
installpath
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Username
HostDirName
"Software\CoffeeCup Software\Internet\Profiles"
Login
InitialPath
PasswordType
profiles.xml
"\FTP Explorer"
Buttons
"Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224"
"Software\FTP Explorer\Profiles"
FtpSite.xml
\Frigate3
\VanDyke\Config\Sessions
"Config Path"
Software\VanDyke\SecureFX
\Sessions
RushSite.xml
\FTPRush
bitkinex.ds
\BitKinex
NDSites.ini
\NetDrive
AppDir
Software\LeechFTP
bookmark.dat
LocalDir
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
"\Global Downloader"
FTP++.Link\shell\open\command
.fpl
.xfp
\NetSarang
NppFTP.xml
\Notepad++
DataDir
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
UltraFXP
\sites.xml
"\GPSoftware\Directory Opus"
.oxc
.oll
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
"\CoffeeCup Software"
\32BitFtp.ini
FTPCON
"FTP CONTROL"
\Profiles
.prf
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
\RhinoSoft
SiteInfo.QFP
Odin
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
.SMF
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastAddress
LastUser
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
"FTP Now"
FTPShell
ftpshell.fsi
NexusFile
ftpsite.ini
"FastStone Browser"
FTPList.db
"My FTP"
project.ini
Software\RimArts\B2\Settings
Mailbox.ini
DataDirBak
"FTP Navigator"
"FTP Commander"
ftplist.txt
HostAddr
UserName
RemoteDir
CredentialSalt
Software\Sota\FFFTP
CredentialCheck
Software\Sota\FFFTP\Options
PthR
SSH
Software\FTPWare\COREFTP\Sites
Server
FtpPort
Software\Cryer\WebSitePublisher
_Password
Directory
"Software\NCH Software\ClassicFTP\FTPAccounts"
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
"SOFTWARE\NCH Software\Fling\Accounts"
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
RemoteDirectory
PortNumber
FSProtocol
"Software\Martin Prikryl"
PassWord
Url
RootDirectory
ServerType
"Software\South River Technologies\WebDrive\Connections"
Pass
"Remote Dir"
"Software\LinasFTP\Site Manager"
TerminalType
Software\SimonTatham\PuTTY\Sessions
"FTP destination password"
"FTP destination server"
"FTP destination port"
"FTP destination user"
"FTP destination catalog"
"FTP profiles"
"Software\CoffeeCup Software"
Msi.dll
MsiGetComponentPathA
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
Path
\PocoSystem.ini
DataPath
Program
accounts.ini
"Software\Poco Systems Inc"
\Pocomail
InstallPath
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
SOFTWARE\LeapWare
FtpIniName
"Software\Ghisler\Windows Commander"
"Software\Ghisler\Total Commander"
wcx_ftp.ini
\GHISLER
InstallDir
\sitemanager.xml
\recentservers.xml
\filezilla.xml
\FileZilla
Software\FileZilla
Install_Dir
"Software\FileZilla Client"
Hostname
"""password"" : """
"""password"":"""
Software\ExpanDrive\Sessions
ExpanDrive_Home
Software\ExpanDrive
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
MRU
wiseftpsrvs.ini
wiseftp.ini
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
Settings
\Sites
.ftp
"\Visicom Media"
ServerName
UserID
InitialDirectory
"FTP Count"
"FTP File%u"
SOFTWARE
Robo-FTP
SOFTWARE\%s\FTPServers
\Scripts
"<setting name="""
"value="""
\Cyberduck
user.config
.duck
"SiteServer %u\Host"
"SiteServer %u\WebUrl"
"SiteServer %u\Remote Directory"
"SiteServer %u-User"
"SiteServer %u-User PW"
"SiteServer %u\SFTP"
Keychain
SiteServers
Software\Adobe\Common
"winex="""
"""/>"
Site
xflags
Folder
.wjf
"Software\Nico Mak Computing\WinZip\FTP"
"Software\Nico Mak Computing\WinZip\mru\jobs"
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
"SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins"
ftp.
ftp://
signons.sqlite
\profiles.ini
Profile
IsRelative
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Flock\Browser\
Flock
\Mozilla\Profiles\
Mozilla
\K-Meleon
K-Meleon
\Epic\Epic
Epic
\Thunderbird
Thunderbird
TERMSRV/
TERMSRV/*
username:s:
"password 51:b:"
"full address:s:"
.rdp
"SMTP Password"
"HTTPMail Password"
"NNTP Password"
"IMAP Password"
"POP3 Password"
"SMTP Password2"
"HTTPMail Password2"
"NNTP Password2"
"IMAP Password2"
"POP3 Password2"
"IMAP Port"
"SMTP Port"
"POP3 Port"
"SMTP User"
"HTTPMail Server"
"HTTPMail User Name"
"IMAP User"
"POP3 User"
"HTTP Server URL"
"HTTP User"
Email
"IMAP User Name"
"IMAP Server"
"NNTP Server"
"NNTP User Name"
"NNTP Email Address"
"SMTP User Name"
"POP3 User Name"
"POP3 Server"
"SMTP Server"
"SMTP Email Address"
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
identification
identitymgr
"inetcomm server passwords"
"outlook account manager passwords"
identities
"Software\Microsoft\Internet Account Manager\Accounts"
"\Software\Microsoft\Internet Account Manager\Accounts"
Identities
Outlook
"Software\Microsoft\Internet Account Manager"
\Accounts
"Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"
"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings"
"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
%2.2X
Pstorec.dll
PStoreCreateInstance
RSDS
T:\Develop\EQ2\bin\tmp\client_32.pdb
wsprintfA
wvsprintfA
MessageBoxA
OpenDesktopA
GetWindowThreadProcessId
PostMessageA
IsWindow
SendMessageA
CreateDesktopA
GetThreadDesktop
GetUserObjectInformationA
IsRectEmpty
PrintWindow
SetWindowPos
ReleaseDC
IntersectRect
GetDC
GetWindowInfo
GetClassNameA
MapWindowPoints
GetSystemMetrics
SendMessageTimeoutW
GetWindowLongA
GetAncestor
GetWindowLongW
GetClassLongW
GetParent
PostMessageW
GetWindowRect
CloseDesktop
wsprintfW
GetForegroundWindow
CreateCompatibleDC
SelectObject
GdiFlush
DeleteDC
SetViewportOrgEx
DeleteObject
RegNotifyChangeKeyValue
RegCloseKey
SHGetFolderPathA
ShellExecuteA
CoInitializeEx
StrStrIA
StrCmpNIA
StrToIntA
StrChrA
PathFindFileNameA
StrCmpIW
StrStrA
InternetSetStatusCallbackA
InternetQueryOptionA
InternetSetOptionA
InternetAttemptConnect
DeleteUrlCacheEntry
AccessibleObjectFromPoint
SetClipboardData
OpenClipboard
EmptyClipboard
GetClipboardData
CloseClipboard
GetWindow
SendMessageTimeoutA
SetWindowLongA
WindowFromPoint
GetTopWindow
GetCursorPos
GetWindowDC
CreateCompatibleBitmap
GetDIBits
CreateDIBSection
GetStockObject
CreatePen
Ellipse
BitBlt
GetSaveFileNameA
GetOpenFileNameA
IsTextUnicode
RegSetValueExA
RegQueryValueExA
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
RegDeleteValueA
RegSetValueExW
OpenProcessToken
GetUserNameW
GetTokenInformation
LookupPrivilegeValueA
ConvertStringSecurityDescriptorToSecurityDescriptorA
AdjustTokenPrivileges
InitiateSystemShutdownExA
CryptReleaseContext
CryptAcquireContextA
CryptImportKey
CryptCreateHash
CryptDestroyKey
CryptVerifySignatureA
CryptDestroyHash
CryptHashData
CredFree
CredEnumerateA
RegEnumValueA
RegOpenKeyA
CryptGetHashParam
SHGetFolderPathW
CoCreateInstance
OleInitialize
CoTaskMemFree
StgOpenStorage
CertOpenSystemStoreA
CertCloseStore
CertEnumCertificatesInStore
PFXExportCertStoreEx
CryptUnprotectData
NetUserGetInfo
StrStrIW
StrRChrIA
PathFindFileNameW
HttpSendRequestExA
HttpQueryInfoA
InternetConnectA
InternetQueryDataAvailable
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
InterlockedExchange
lstrcmpiA
DeleteFileA
lstrlenA
lstrcatA
lstrcpyA
ExitProcess
GetModuleHandleA
lstrcpyW
GetLastError
SetLastError
GetModuleFileNameA
GetCurrentThreadId
GetCurrentProcessId
IsBadReadPtr
GetProcAddress
LoadLibraryA
TlsGetValue
TlsSetValue
GetModuleFileNameW
TlsAlloc
TlsFree
TerminateThread
Sleep
loseHandle
CreateThread
IsBadWritePtr
OpenProcess
TerminateProcess
OpenEventA
IsBadCodePtr
SetEvent
GetSystemDirectoryA
CreateFileA
GetWindowsDirectoryA
lstrcmpA
WaitForSingleObject
SignalObjectAndWait
GetTickCount
CreateEventA
ResetEvent
SetInformationJobObject
CreateJobObjectA
MoveFileExA
GetTempPathA
ResumeThread
WinExec
KERNEL32.dll
_except_handler3
MSVCRT.dll
LocalAlloc
LocalFree
FreeLibrary
RaiseException
InitializeCriticalSection
WideCharToMultiByte
LeaveCriticalSection
MultiByteToWideChar
lstrlenW
EnterCriticalSection
DeleteCriticalSection
HeapReAlloc
HeapAlloc
HeapFree
VirtualFree
HeapCreate
VirtualAlloc
SetFilePointer
ExpandEnvironmentStringsA
lstrcatW
GetFileSize
WriteFile
ReadFile
CreateFileW
FindFirstFileA
RemoveDirectoryA
FindClose
FindNextFileA
SetUnhandledExceptionFilter
GetCurrentProcess
Process32First
GetModuleHandleW
ReadProcessMemory
VirtualProtectEx
Process32Next
lstrcmpiW
CreateToolhelp32Snapshot
WriteProcessMemory
SetErrorMode
GetVolumeInformationA
GetSystemInfo
GetVersionExA
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
InterlockedIncrement
InterlockedDecrement
VirtualProtect
GetLocalTime
GlobalSize
GlobalLock
GlobalAlloc
GlobalUnlock
GlobalFree
GetCurrentDirectoryA
VirtualFreeEx
VirtualAllocEx
SuspendThread
GetThreadContext
CreateRemoteThread
GetWindowsDirectoryW
allNamedPipeA
onnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
GetPrivateProfileStringA
GetPrivateProfileIntA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA

 

Above info was retrieved from Kernelmode.info
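The strings dump above is the kind of artefact a defender can turn into detection logic straight away. The following is an added example, not code from the thread, from Webroot or from Kaspersky: it does the two things a responder would typically do with such a dump. First, it extracts printable ASCII runs from a byte buffer (what the `strings` tool does) and matches them against a handful of the high-signal indicators posted above (the PDB path, the per-bot registry key, a few of the log format strings). Second, it converts the bot's C2 path templates (`/forumdisplay.php?fid=%u` and the two `/post.aspx` variants, with `%u` as a printf-style unsigned integer) into regular expressions and runs them over proxy log lines. The binary bytes, the proxy log format and the `c2-placeholder.example` host are all constructed for the example.

```python
"""Added example (not from the thread, Webroot or Kaspersky): using the Vawtrak
strings dump posted above for two simple offline checks.

1. extract printable strings from a byte buffer and match a small indicator list;
2. turn the bot's C2 path templates into regexes and scan proxy log lines.
All sample data is constructed for this example.
"""
from __future__ import annotations

import re

# Indicator strings copied from the strings dump in the post above.
INDICATOR_STRINGS = [
    r"T:\Develop\EQ2\bin\tmp\client_32.pdb",
    r"Software\df5a3418-685e-4e1f-a26a-aabf17af39b8",
    "[VNC] Fail inject to process: %u",
    "[Pony] Fail Get Pass",
    "Start Socks Status[Pipe]: %u-%u-%u",
]

# C2 request path templates as printed in the post (printf-style %u placeholders).
C2_PATH_TEMPLATES = [
    "/forumdisplay.php?fid=%u",
    "/post.aspx?forumID=%u",
    "/post.aspx?messageID=%u",
]


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_indicators(data: bytes) -> list[str]:
    """Indicators that appear inside some printable string of data, in list order."""
    found = extract_strings(data)
    return [s for s in INDICATOR_STRINGS if any(s in f for f in found)]


def template_to_regex(template: str) -> re.Pattern[str]:
    """Escape the template literally, then let %u match a digit run.

    The path must be followed by end-of-string, whitespace, '&' or '#', so a
    non-numeric id (fid=abc) or a longer path does not match.
    """
    escaped = re.escape(template).replace(re.escape("%u"), r"\d+")
    return re.compile(escaped + r"(?:$|[\s&#])")


C2_PATTERNS = [(t, template_to_regex(t)) for t in C2_PATH_TEMPLATES]


def scan_proxy_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, template) for every line matching a C2 path template."""
    hits = []
    for number, line in enumerate(lines, 1):
        for template, pat in C2_PATTERNS:
            if pat.search(line):
                hits.append((number, template))
                break
    return hits


# Constructed byte buffer: a few junk bytes around three of the indicator strings.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90\x00" + b"\xff" * 8
    + b"[VNC] Fail inject to process: %u\x00"
    + b"\x13\x00" + b"T:\\Develop\\EQ2\\bin\\tmp\\client_32.pdb\x00"
    + b"unrelated\x00Software\\df5a3418-685e-4e1f-a26a-aabf17af39b8\x00"
)

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2013-11-26T10:02:11Z 10.0.0.5 GET http://www.example.org/index.html 200",
    "2013-11-26T10:02:19Z 10.0.0.5 POST http://c2-placeholder.example/post.aspx?forumID=1834 200",
    "2013-11-26T10:03:41Z 10.0.0.7 GET http://c2-placeholder.example/forumdisplay.php?fid=abc 404",
    "2013-11-26T10:05:02Z 10.0.0.5 POST http://c2-placeholder.example/post.aspx?messageID=77 200",
]

if __name__ == "__main__":
    for indicator in match_indicators(SAMPLE_BINARY):
        print("indicator string present:", indicator)
    for number, template in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy log line {number} matches C2 template {template}")
```

The path templates are deliberately chosen by the malware to look like ordinary forum traffic, so a log hit on its own is weak evidence; pair it with the destination host's reputation, the POST pattern and the other endpoints seen from the same client. The string match is stronger, since a PDB path and a per-bot registry GUID rarely occur by accident, but a packed or encrypted copy of the DLL will not expose them until it is unpacked in memory.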

 

 

explanoit
Posts: 833
Topics: 58
Kudos: 487
Ideas: 50
Registered: ‎01-11-2013

Re: Trojan program 'Neverquest' a new threat to online banking users, researchers say


The in-depth investigations and white-papers certainly gave PrevX street-cred and the brand recognition in the field it was targeting: professionals passionate about (and desperate for) finding ways to augment AV technology which was seriously falling behind. Discussions about the end of antivirus were mainstream. I think that's actually how I/we initially discovered PrevX. The early TDL3 days were a very scary time to be a defender.

 

I have no doubt that the team could dig deep, but I understand it takes a whole lot of work with minimal audience unless you're busting open a big new thing. And if you're running a blog consumers are supposed to read, then throwing out long screencaps of assembly is a great way to get them to stop reading. But I sure miss it a lot.

 

@TripleHelix 

Marco left and started up his own company. Unfortunately he doesn't seem to blog much anymore.

http://www.saferbytes.it/2012/10/08/common-preventive-and-reactive-approaches-to-mitigate-exploit-at...

 

 

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise and WSAWSS administrator of 1400+ computers
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Find me on Twitter!

TripleHelix
Posts: 5,331
Topics: 399
Kudos: 3,233
Ideas: 5
Registered: ‎02-03-2012

Re: Trojan program 'Neverquest' a new threat to online banking users, researchers say

Yes, I knew Marco got his own company, but I thought it was still behind the Webroot label. But I see that has changed: http://www.saferbytes.it/about-the-team/ Great guy!

 

Daniel





Webroot® SecureAnywhere™ Internet Security Complete 2014 Beta Tester v8.0.4.70 on my main system Windows 7 Ultimate 64bit & on Win XP 32bit, Win Vista 32bit, Win 7 32bit, Win 8.1 Pro 32bit & 64bit all on VM's. 



