Attackers could start to aggressively distribute this malware in the near future, Kaspersky Lab researchers warn.
A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.
The malware was first advertised on a private cybercrime forum in July, according to malware researchers from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.
"By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world," said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a blog post. "This threat is relatively new, and cybercriminals still aren't using it to its full capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could increase considerably over a short period of time."
Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, steal the usernames and passwords entered by victims on those websites, and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).
However, this Trojan program also has some features that make it stand out.
Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.
I wish Webroot still did deep-dives as detailed as this. I miss the PrevX blog =(
Good stuff still years later.
http://www.prevx.com/blog.asp
http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf
In the TDL3/4 days it was my lighthouse.
Thanks for posting, Jasper! This is definitely one we have our eye on. Maybe @ can even chime in.
And@ - we do still have a Threat Research blog where we showcase our findings: The Webroot Threat Blog
Marco Guiliani has even contributed to it. It just has a new location. If you have any feedback on it though, please share with@ .
Where is Marco's blog located now? If you read his past blogs, that's the kind we like reading, when he breaks down malware and shows his detailed analysis!
Daniel
Marco has actually moved on, but his posts can be found here. I'm sure the current members of the Threat Blog team will be able to take this feedback and apply it to some of their posts moving forward.
Nowadays, the team tends to focus on "Here's what we found and here's how to remove it" like this recent blog from@ . 🙂
The in-depth investigations and white-papers certainly gave PrevX street-cred and the brand recognition in the field it was targeting: professionals passionate about (and desperate for) finding ways to augment AV technology which was seriously falling behind. Discussions about the end of antivirus were mainstream. I think that's actually how I/we initially discovered PrevX. The early TDL3 days were a very scary time to be a defender.
I have no doubt that the team could dig deep but I understand it takes a whole lot of work with minimal audience unless you're busting open a big new thing. And if you're running a blog consumers are supposed to read then throwing out long screencaps of assembly are a great way to get them to stop reading. But I sure miss it a lot.
Marco left and started up his own company. Unfortunately doesn't seem to blog much anymore.
http://www.saferbytes.it/2012/10/08/common-preventive-and-reactive-approaches-to-mitigate-exploit-attacks/
Yes, I knew Marco got his own company, but I thought it was still behind the Webroot label. I see that has changed: http://www.saferbytes.it/about-the-team/ Great guy!