The Threat of Banking Trojans–Zeus and Neverquest

I have been catching up on my reading, and came across an article on the new Neverquest banking malware on TechRepublic.  This article first discussed the Zeus Trojan exploit.  Zeus was released online in 2011, and was one of the first malware programs that required licensing.  Once installed on a victim’s machine it could detect when you went to your online banking website, record your user ID, password, and other banking procedures, and encrypt and transmit this information to control servers run by the attackers.  The good news is that Zeus has had it’s day; operating system and browser patches, and anti-malware updates have made fully updated computers pretty resistant to this attack.

Enter Neverquest.  This updated banking Trojan is introduced to the victim via social media, email, or file transfer.  Neverquest replicates some of the propagation methodology of the Bredolab botnet client, which ended up infecting 30 million systems worldwide.  The exploit software looks for a number of potential system vulnerabilities, and when it finds one on your computer, the malware is installed.  Then a keylogger component of Neverquest watches what you are typing, looking for certain financial terms.  The it compares the web site you are on to an extensive database of banking web addresses.  Once that is confirmed, your banking web address, user ID and password information are sent back to the control server.

Using a remote access component called VNC, the cyber-criminals then remotely access your own computer at a later date, open a browser, go to your banking website, and log on to your account.  From there, they can transfer money to another account, change your user credentials, effectively locking you out of your own account, or write check to money mules.

Even if your bank uses your IP address as part of the security protocols to verify your identity, because the attackers are using your own computer, the bank could never tell that the transactions weren’t legitimately coming from your computer.

Additionally, Neverquest can notice banking web addresses that are not in its database, report the new address to the control server, and once the address is verified by the attackers, an update is sent out to all infected computers that adds this address to the database.

Neverquest also starts to harvest user data when you are active on Google, Yahoo, Amazon, Facebook, Twitter, Skype, and other popular web locals.

Standard anti-malware products are not fully effective against Neverquest.  The best defense is using a dedicated banking computer system that you never use for anything else, or to use a bootable LiveCD operating environment that would not permit changes to your browser or operating environment.  This way the attackers can never gain a foothold on your computer.  Setting up secure systems for banking is not the easiest DIY project, you are better off working with a specialist in this field.  For the record, this is work that we do for our clients.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.