Tiny New Tinba Banker Trojan Found Stealing Financial Data

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:32:08


Security researchers have discovered a tiny new banking Trojan that comprises just 20 KB of code and uses a number of well-word man-in-the-browser tricks in an attempt to defeat two-factor authentication. Known as Tinba, the new malware doesn’t bother with any encryption or packing and yet is slipping past a lot of desktop defenses.

Once executed on a new machine, Tinba will inject itself into a number of running processes on the PC, including the major browser processes such as firefox.exe. It also will inject itself into other processes running on the machine, including explorer.exe and svchost.exe. The primary focus of the malware seems to be stealing online banking and credit card information during sessions on compromised computers, but Tinba also makes each infected machine part of a botnet that reports in to one of four known command-and-control servers, according to an analysis of Tinba by CSIS in Denmark.

“As observed in several other Trojan-bankers and advanced malwares, Tinba utilizes a RC4 encryption algorithm when communication with its Command & Control (C&C) servers. Tinba uses four hardcoded domains for its C&C communication. This is done to avoid one domain from being nonresponsive and thus losing communication with its drones. If the first domain does not respond properly, Tinba simply moves on to the next domain down the chain. Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If C&C server survives certain checks, then the before mentioned files are downloaded and executed on the infected host. C&C communication is illustrated below,” Peter Kruse, a security specialist at CSIS, wrote in his analysis.

The list of financial Web sites that Tinba targets once it’s on a machines is fairly small, Kruse said, but it has the ability to modify supposedly secure Web sessions by injecting insecure elements into those pages. There’s another interesting twist to the Tinba malware that may provide some indications of its genealogy.

“The web inject templates are identical to the ones used by ZeuS but also have capability to use special values e.g. %BOTUID% equals to volume serial number,” Kruse said.

Tinba is the latest in a long and distinguished line of banker Trojans that are designed specifically to relieve victims of their money through background monitoring of online banking sessions or modification of Web pages. Its small size suggests that the attackers behind the malware didn’t want to waste any time or bits on extraneous features. They were interested solely in accomplishing the goal at hand: robbing and stealing.

“Tinba is the smallest trojan-banker we have ever encountered and it belongs to a complete new family of malware which we expect to be battling in upcoming months,” Kruse said.