Neverquest banking malware more dangerous than Zeus trojan

New Neverquest malware steals bank account logins and lets attackers access accounts through victims' computers.

For over five years, Zeus has been the undisputed king of banking malware. Once this trojan was loaded onto a victim's machine, it could:

  • Detect when the owner entered banking information into a web browser.
  • Steal passwords and other pertinent login information.
  • Encrypt the stolen information and send it to the attacker's specified servers.

Zeus was also one of the first pieces of malicious software to be sold under a license. For the right price, anyone could use it.

Zeus remains active today, but its source code was published online in 2011 and this cyberscourge has about run its course. Unfortunately, Security experts are already sounding the alarm about a new piece of malware that makes Zeus look like a simpleton. Neverquest significantly raises the bar for online banking malware.

How Neverquest works

Like Zeus, Neverquest is a Trojan. Bad guys introduce Neverquest to the victim’s computer via social media, email, or file transfer. According to the security blog Threat Post, Neverquest replicates in a manner similar to the Bredolab botnet client:

"Bredolab malware used the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the third most widely distributed piece of malware on the Internet."

Before it was shuttered, the Bredolab botnet consisted of 30 million computers. Why not use something that works?

If the victim’s computer is vulnerable to an exploit targeted by Neverquest’s trojan loader; the malware is installed. Then Neverquest starts paying attention to what the user is typing into their web browser. If a predetermined financial term is recognized, Neverquest checks the website domain name. Since, Neverquest has hundreds of banking and financial institutions in its database; there’s a better than average chance Neverquest will be familiar with the banking website.

Once Neverquest recognizes a banking site, it will relay the login information back to the attackers’ command and control server. Once the victim's credentials are in the hands of the attackers, they will remotely control the victim's computer using VNC, log into the victim's banking website, and do one of the following:

  • Transfer money to different accounts
  • Change login credentials, locking out account owner
  • Write checks to money mules

And to make matters worse, banking sites are unable to distinguish the victim's login from that of the attacker using Neverquest.

One capability Neverquest has that Zeus doesn’t, is the ability to cultivate new banking sites for its database. If the malcode recognizes certain financial terms, but not the domain; Neverquest will send the information back to the command and control server which then creates a new identity, and updates every compromised computer under its control.

Neverquest in the wild

One sobering reality is that Neverquest is already for sale. Zeus, being “first of its kind” malware, required skilled controllers. Not so with Neverquest, script kiddies and malware non-experts are able to make use of the potent malware as soon as they buy it.

Next reality: standard antivirus software is not effective. Kaspersky mentions in this blog:

“Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that secures transactions. In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.”

Kaspersky also reported that:

"Neverquest is also designed to start harvesting data when an infected user visits any number of sites not related to finance, including Google, Yahoo, Amazon AWS, Facebook, Twitter, Skype and many more."

It appears that Neverquest developers are looking to diversify.

Protecting yourself

Despite Neverquest's formidable capabilities, there are several things we can do to protect ourselves. First, there is the security expert’s mantra, “Make sure the computer operating system and all applications are up-to-date.” Doing so will at least prevent malware from exploiting known weaknesses.

Second, even though I wrote the article, Online banking: How safe is it in 2009, using a LiveCD to access banking websites is still a valid method to prevent malware such as Neverquest from stealing your financial information and eventually your money.


Information is my field...Writing is my passion...Coupling the two is my mission.


This Trojan is dangerous if >>

1. Portal is only using userid and password for authentication.

2. Portal does not have any Out of band OTP token for security.

3. Portal does not alert the customers of the transactions verification and confirmation via Out of Band. 

4. Portal is offering Web based OR PC based OTP token as they can be compromised by this Trojan also. 

5. Portal is using PKI through smart card reader or USB key then these devices can be compromised in similar fashion and abused. 

Effective Protection against such Trojan is >>

1. Portal should have Out of Band OR External Independent Security above and beyond Token.

2. Portal alternatively have have risk based authentication along with transaction confirmation alerts to counter Trojan attack.

3. Portal can have Push notification based transaction approval to pre-registered mobile number and mobile app. 



Would  an anitkeylogger or password managers offset some of the security risks. Can phones be infected too??? 


Im guessing two factor authentication helps prevent unauthorized access in scenarios like this. Unless they found a way around that.


I agree with the sentiment here but you have to remember these guys operate internationally, are better funded than most governments, the criminal organisation actually groom and sponsor future malware writers through university and lastly a lot of the time the malware writers wouldn't have the resources to move the money about once it has been stolen.  In essence it is the large criminal organisations that need shut down.  You shoot the malware writer and they will just find some other socially inept genius who fancies the challenge.  It is bloody difficult to get the real criminals here.  Cops don't have the skills or the funding to catch them and are hampered by boundaries.  

Protecting yourself is difficult even for people that understand the problem so the average Joe has no hope.  They have to rely on things like AV which most people believe is the magic bullet not realising that AV is only one control in a package of controls that should be applied.  Even then with the rate that things are being developed and released you can never catch everything.  That said I will still use the services if I believe the financial service is doing enough and they will cover the losses.  The benefit outweighs the risk.

I am more worried about the personal information that is being harvested.  This is infinitely more useful to them and will have the most impact on me and you personally.  Most people when you ask them what the impact of ID theft is will say "stolen money" but the reality is much worse.  Consider having your ID stolen and then it gets used in a crime.  That data is then captured on a police computer and distributed throughout the world.  The trace remains even after you have been cleared.  Say now you fancy a trip to Spain so you pack your family up and board on this once in a lifetime trip and find yourself detained and thrown in a cell for a few days once you get to Spain because the passport control picks you up on a watch list.  What will that do to your sanity not to mention your holiday.  

Its also highly likely that you will find yourself being pulled over more often because your licence details flag you as interesting.  Only an inconvenience but still it shouldn't happen.  These things can and do happen.  ID theft can ruin your life.  These trojans gather this info as well.  Maybe not this one right now but give it time.


Thanks. Great alert and as usual, well written and researched by Tech Republic's authors


In the UK to login to the online banking you now need a card reader, this generates a different code every time you want to log on to your bank account, introducing that worldwide would eliminate this threat


I do wish there were more ways to protect ourselves than what you listed. I do keep my stuff up to date (the Secunia program helps). I don't know too many people who are going to want to use a Live CD just to do banking or shopping, it's too cumbersome.

I'm with Rodo1, we need to start hanging these scum. I'm also OK with shooting them on sight. They need to be eliminated. You don't win a war by staying on the defensive.


So when are we going to start hanging these criminals instead of putting the onus on the user to have all kinds of resource sapping security software on their computers? It's time to start getting tough and rid the world of these hackers/crackers/script kiddies!

Michael Kassner
Michael Kassner


I emailed Qian Wang, the developer of KeyScrambler about your question. Here is his reply: 

"For malware that takes direct control of the user's browser, such as NeverQuest and Zeus, the effectiveness of KeyScrambler depends on the browser in question and the variant of the malware. KeyScrambler's architecture is quite straightforward. We encrypt at the kernel level, as soon as the keyboard driver receives the keystrokes from hardware. And we decrypt within the protected application, where we try to delay the decryption as much as possible. 

We can say for certain that if any malware intercepts keystrokes between these endpoints, they cannot steal any useful information. It gets more complicated if the malware is able to infiltrate the application itself. 

Some browsers, such as IE, are much "leakier" than others, and it can be very hard to secure them. So while KeyScrambler can provide a layer of defense in many cases, I can't in good conscience make any broad claims of KeyScrambler's effectiveness against NeverQuest. However, I hope to be able to make such claims later this year, as we're working on some new features that we're very excited about."


I use 2 factor authentication at Bank of America and even after I login to my account, if I setup a new payee I would be required to enter a new SafePass code a second time. In fact, I have my SafePass settings to not require a code on authenticated computers, so the bad guys wouldn't even have access to a code for a short period if time.

Michael Kassner
Michael Kassner


There is a rumor that Zeus and Neverquest types of malware have the ability to wait until the victim is logged in. And then go to work. I have not been able to verify that. 

Michael Kassner
Michael Kassner


Well said, harvesting personal information is becoming an issue due to the advances in data mining and business intelligence. The bad guys realize putting two disparate pieces of data together may then reveal an actionable identity.  

Michael Kassner
Michael Kassner


I've read that bad guys have a sneaky answer for that. Zeus (and maybe Neverquest) have a version that waits until the victim is logged in, then they go to work. I have not been able to confirm this though. 

Michael Kassner
Michael Kassner


The problem seems to be in trying to get the international community to work as one group.

Editor's Picks