ID: IRCNE2013112030
Date: 2013-11-30
According to "computerworld", a new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.
Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal the username and passwords entered by victims on those websites and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).
Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.
This helps attackers identify new financial websites to target and build scripts for the malware to interact with them.
Once attackers have the information they need to access a user's account on a website, they use a proxy server to connect to the user's computer via VNC and access the account directly. This can bypass certain account protection mechanisms enforced by websites because unauthorized actions like transferring money are done through the victim's browser.
The methods used to distribute Neverquest are similar to those used to distribute the Bredolab botnet client, which became one of the most widespread malware on the Internet in 2010.
Neverquest steals log-in credentials from FTP (File Transfer Protocol) client applications installed on infected computers. Attackers then use these FTP credentials to infect websites with the Neutrino exploit pack, which then exploits vulnerabilities in browser plug-ins to install the Neverquest malware on the computers of users visiting those sites.
The Trojan program also steals SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients and sends them back to attackers so they can be used to send spam emails with malicious attachments. "These emails are typically designed to look like official notifications from a variety of services," Golovanov said.
"We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft," Golovanov said.
- 2