Thursday 6 October 14:00 - 14:30, Green room
Peter Kruse (CSIS)
Neverquest (a.k.a. Vawtrak/Snifula) is a complex banking trojan targeting a long list of financial institutions around the globe.
Neverquest is the offspring of Gozi, and as such it has ties to the "Hang Up Team". Gozi was one of the first banker trojans that was prevalent enough to get its own "working group" that, in cooperation with law enforcement, worked on its take-down.
Neverquest is a prevalent threat that continues to cause losses to financial institutions and that is being used as an instrument to steal valuable data from corporate networks. It has the largest target configuration file ever observed. The size of the file is approximately 2MB and it targets roughly 200 different online banking websites and an additional 150 online services. Lately, it has even begun targeting investment retirement services.
This presentation will focus on how Neverquest infects Microsoft Windows clients. Furthermore, it will provide an insight into the malware's binary code and its components.
The second part of the presentation will show parts of the C&C panel utilized by the criminals to send massive amounts of instructions to chosen clients in order to carry out hostile commands. We will, for example, look into how the VNC (virtual network control) is deployed to conduct fraudulent transactions.
Last but not least, we will document how Neverquest already controls victims with more than 1 billion dollars at their disposal. This fact could cause significant losses to corporate banking customers.
Peter Kruse co-founded the Danish IT security company CSIS in 2003 and is currently leading the eCrime department, which provides services mainly aimed at the financial sector. His ability to combine a keen appreciation of business needs and a profound technical understanding of malware has made CSIS a valued partner of clients not only in Scandinavia but also in the rest of Europe.
Today, Peter is by far the most quoted IT security expert in Denmark and considered among the most recognized in Europe. He has a long history of active participation in several closed and vetted top IT security communities and has numerous international connections in the anti-virus and banking industry, law enforcement and higher education institutions.