The world's smallest banking trojan has been detected.
Named 'Tinba' (Tiny Banker) or 'Zusy', it is a 20KB data-stealing banking trojan that hooks into browsers, steals login data and sniffs network traffic. It also uses man-in-the-browser (MiTB) techniques and web injections to change the look and feel of certain webpages, with the purpose of circumventing two-factor authentication or tricking the infected user into giving away additional sensitive data.
According to CSIS, which detected Tinba, this is the smallest banking trojan it has ever encountered and it belongs to a completely new family of malware which it said it expects to be battling in upcoming months.
Peter Kruse, partner & security specialist at CSIS, said anti-virus detection of the analysed samples is low and the code (including config and web injects) does not have any packaging or advanced encryption.
Asked if it is hard to spot as it is so small, Kruse told SC Magazine that it hides well on the system and was found during a forensic search.
“Tinba is utilising an injection routine upon execution which is obfuscated to primarily avoid anti-virus detection,” he said.
“It allocates new memory space where this specific injection function is stored and injects itself into the newly created process 'winvert.exe' (Version Reporter Applet) which is dropped into the Windows system folder. Tinba also injects itself into both 'explorer.exe' and 'svchost.exe' processes.”
Research by CSIS found that Tinba uses four different libraries during its runtime: ntdll.dll; advapi32.dll; ws2_32.dll; and user32.dll.
As observed in several other banking trojans and advanced malware, Tinba uses an RC4 encryption algorithm when communicating with its command and control (C&C) servers, using four hard-coded domains for its communications.
“Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If the C&C server survives certain checks, then files are downloaded and executed on the infected host. When successfully injected, Tinba reads settings from the configuration files (cfg.dat and web.dat) and intercepts and manipulates traffic through several browser APIs.”
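The host-side behaviours Kruse describes (a dropped 'winvert.exe' in the Windows system folder, injection into 'explorer.exe' and 'svchost.exe', and the 'cfg.dat' and 'web.dat' configuration files) are the kind of thing a defender can turn into a hunt over endpoint telemetry. The following is an added example written for this article, not code from CSIS or SC Magazine; the record layout, the field names and the concrete system-folder paths (System32 and SysWOW64) are assumptions, and the events it runs over are constructed sample data.

```python
"""Hunt endpoint telemetry for the Tinba host indicators named in the article.

Added example, not CSIS's or SC Magazine's code. The telemetry record shape
below (dicts with a 'type' of process/file/inject) is an assumption loosely
modelled on endpoint sensors; adapt the field names to your own source.
"""
import ntpath
from typing import Dict, List, Optional

# Assumption: the article says only "the Windows system folder"; these are the
# usual candidates on 32- and 64-bit installs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
DROPPED_PROCESS = "winvert.exe"                       # named in the article
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}   # named in the article
CONFIG_FILES = {"cfg.dat", "web.dat"}                 # named in the article


def _split(path: str):
    """Lower-case a Windows path and split it into (directory, filename)."""
    directory, name = ntpath.split(path.lower())
    return directory.rstrip("\\"), name


def check_event(ev: Dict) -> Optional[Dict]:
    """Return a finding for one telemetry record, or None if nothing matches."""
    if ev["type"] == "process":
        directory, name = _split(ev["image"])
        # winvert.exe is not a standard Windows binary; the article says Tinba
        # drops it into the system folder, so that exact combination is flagged.
        if name == DROPPED_PROCESS and directory in SYSTEM_DIRS:
            return {"indicator": "winvert.exe in system folder", "pid": ev["pid"]}
    elif ev["type"] == "inject":
        # Cross-process memory write: flag winvert.exe writing into the two
        # processes the article says Tinba injects into.
        _, source = _split(ev["source_image"])
        _, target = _split(ev["target_image"])
        if source == DROPPED_PROCESS and target in INJECTION_TARGETS:
            return {"indicator": f"injection into {target}", "pid": ev["source_pid"]}
    elif ev["type"] == "file":
        # File names alone are a weak indicator; this is a lead to pivot on
        # (who wrote it, from which process) rather than a verdict by itself.
        _, name = _split(ev["path"])
        if name in CONFIG_FILES:
            return {"indicator": f"{name} written", "pid": ev["pid"]}
    return None


def hunt(events: List[Dict]) -> List[Dict]:
    """Run every record through check_event and collect the findings in order."""
    findings = []
    for ev in events:
        finding = check_event(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real data): three records should match.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\winvert.exe", "pid": 4120},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "pid": 1300},
    {"type": "inject", "source_image": r"C:\Windows\System32\winvert.exe",
     "target_image": r"C:\Windows\explorer.exe", "source_pid": 4120, "target_pid": 1300},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\web.dat", "pid": 4120},
    {"type": "file", "path": r"C:\Program Files\Editor\web.txt", "pid": 2200},
    {"type": "inject", "source_image": r"C:\Program Files\Debugger\dbg.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "source_pid": 900, "target_pid": 700},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[pid {f['pid']}] {f['indicator']}")
```

The three checks are deliberately narrow: a debugger injecting into svchost.exe is not flagged, and a winvert.exe outside the system folder is not flagged either, because the article ties the indicator to that location. Loosen the conditions only once you have measured the false-positive rate on your own telemetry.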
He also said the web inject templates are identical to the ones used by Zeus, but they can also use special values, and Tinba will modify headers and is able to inject insecure non-HTTPS elements from external servers and websites.
“Tinba, like its equals, targets financial websites, but only a very small list of specific URLs. Yes, Tinba proves that malware with data-stealing capabilities does not have to be 20MB in size,” he said.
This article originally appeared at scmagazineuk.com