Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Dangerous New Banking Trojan Neverquest Is an Evolution of an Older Threat

Created: 04 Dec 2013 11:25:59 GMT • Updated: 23 Jan 2014 18:02:32 GMT • Translations available: 日本語
Symantec Security Response's picture
+2 2 Votes
Login to vote
There has been recent media coverage around a new online banking Trojan, publicly known as Neverquest. Once Neverquest infects a computer, the malware can modify content on banking websites opened in certain Internet browsers and can inject rogue forms into these sites. This allows attackers to steal login credentials from users. The threat can also let attackers take control of a compromised computer through a Virtual Network Computing (VNC) server. Neverquest can replicate itself by stealing login details and spamming out the Neverquest dropper, by accessing FTP servers to take credentials in order to distribute the malware with the Neutrino Exploit Kit and by obtaining social networking credentials to spread links to infected websites. 
 
Symantec’s analysis of the Neverquest Trojan has found that the malware is the ongoing evolution of a threat family that Symantec detects as Snifula, which was first seen back in 2006. Our analysis of the Neverquest Trojan’s code has shown similarities with older samples of the Snifula family (in particular Backdoor.Snifula.D). We have also observed that network infrastructure found to be used previously by Snifula has close ties to the Neverquest Trojan. Symantec can confirm that we already had protection in place for this new threat under various different generic detection names from when we first encountered the malware back in mid-April 2013. Detection has since been broken out for this threat as Trojan.Snifula
 
Similarities
As mentioned, the code of Trojan.Snifula (also known as Neverquest) shows similarities with older samples of the Snifula family. The executables of the two threats have a different structure and functionality, but they do share some unique pieces of code that link them together. For example, the following pictures illustrate the code used to send eight bytes of data on the network, where the first four bytes contain the specific marker “26A6E848.”
 
figure1_5.png
Figure 1. Trojan.Snifula (Neverquest) code related to outbound network traffic
 
figure2_2.png
Figure 2. Backdoor.Snifula.D version of the same code from Figure 1
 
The code is nearly identical and the marker is unique, meaning that this code was not taken from a publicly available source. This is not the only resemblance of course; you can find many other similarities.
 
figure3_2.png
Figure 3. Trojan.Snifula (Neverquest) code for logging the current process ID
 
figure4_1.png
Figure 4. Same code from Backdoor.Snifula.D.
 
This code logs the malicious process ID along with the current time. Both the code and the string are identical in the two threats, which also make use of the CRC and Aplib algorithms and several common strings. 
 
Command-and-control infrastructure
We also got hints of a connection between the two threats by looking at the command-and-control (C&C) network infrastructure used by Trojan.Snifula (Neverquest). The IP address 195.191.56.245 was used as a C&C server by Trojan.Snifula. One of only two domains known to be hosted on that IP address is FyXqgFxUmihXClZo.org. This domain is known to be owned by Aster Ltd. In total, we know that Aster Ltd owns the following 26 domains.
  • accman.com.tw
  • afg.com.tw
  • amosw.com.tw
  • aster.net
  • asterdon.ru
  • asterltd.com
  • astervent.ru
  • bestsid.com.tw
  • countdown.com.tw
  • durpal.com.tw
  • facestat.com.tw
  • fforward.com.tw
  • fyxqgfxumihxclzo.org
  • geobiz.net
  • makumazna.com.tw
  • maskima.com.tw
  • maxward.com.tw
  • miison.com.tw
  • mssa.com.tw
  • parti.com.tw
  • pluss.com.tw
  • sparkys3.com
  • sparkys3.net
  • tdaster.ru
  • thehomeofficecatalogue.net
  • thehomeofficecatalogue.org
 
The Aster Ltd domains Pluss.com.tw and Countdown.com.tw are hosted on the IP address 195.210.47.173. Symantec has linked this IP address to an active C&C server used by Backdoor.Snifula.D in February and March of 2013. Other domains owned by Aster Ltd, such as Sparkys3.net and Facestat.com.tw, are being hosted on the IP address 195.137.188.59, another known C&C IP address for Trojan.Snifula.  
 
The Snifula family
Symantec has encountered numerous new variants of the Snifula family over the years. The arrival of Trojan.Snifula, which uses more sophisticated techniques to grow and to steal from victims, was an expected evolution of the Snifula family. Given that the Snifula threat family has been evolving and growing for years now, we don’t expect the malware to leave the threat landscape anytime soon.  
 
To protect against this threat, Symantec also has the following Intrusion Prevention System (IPS) signature.
  • System Infected: Trojan.Snifula Activity
 
Symantec will continue to monitor the Snifula threat family to ensure that the best possible protection is in place for this threat. We recommend using Norton Internet Security or Symantec Endpoint Protection to best protect against attacks of this kind.