World's smallest banking trojan discovered

Pint sized malware packs a punch.

The world's smallest banking trojan has been detected.

Named 'Tinba' (Tiny Banker) or 'Zusy', it is a 20KB data-stealing banking trojan that hooks into browsers, steals login data and sniffs network traffic. It also uses man-in-the-browser (MitB) techniques and web injections to change the look and feel of certain webpages, either to circumvent two-factor authentication or to trick the infected user into giving away additional sensitive data.

According to CSIS, which detected Tinba, this is the smallest banking trojan it has ever encountered, and it belongs to a completely new malware family that the company expects to be battling in the coming months.

Peter Kruse, partner and security specialist at CSIS, said anti-virus detection of the analysed samples is low, and that the code (including its configuration and web injects) is neither packed nor protected by any advanced encryption.

Asked whether it is hard to spot because it is so small, Kruse told SC Magazine that it hides well on the system and was found during a forensic search.

“Tinba is utilising an injection routine upon execution which is obfuscated to primarily avoid anti-virus detection,” he said.

“It allocates new memory space where this specific injection function is stored and injects itself into the newly created process 'winvert.exe' (Version Reporter Applet) which is dropped into the Windows system folder. Tinba also injects itself into both 'explorer.exe' and 'svchost.exe' processes.”

Research by CSIS found that Tinba uses four different libraries during its runtime: ntdll.dll; advapi32.dll; ws2_32.dll; and user32.dll.

As observed in several other banking trojans and advanced malware, Tinba uses the RC4 algorithm to encrypt communication with its command and control (C&C) servers, contacting four hard-coded domains.

“Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If the C&C server survives certain checks, then files are downloaded and executed on the infected host. When successfully injected, Tinba reads settings from the configuration files (cfg.dat and web.dat) and intercepts and manipulates traffic through several browser APIs.”
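The practical consequence of RC4 with a key baked into an unpacked, unencrypted sample is that the C&C traffic offers no confidentiality once an analyst has the key out of the binary. The block below is an added example written for this page, not Tinba's or CSIS's code: a plain RC4 implementation, a constructed "recovered" key and a constructed beacon standing in for a captured message. Neither the key nor the message comes from a real sample, and nothing about Tinba's actual message layout is assumed.

```python
"""RC4 as used for C&C traffic: added example, not Tinba's code.

A banking trojan that RC4-encrypts its beacons with a hard-coded key
leaks that key to anyone with the sample. With the key in hand, decrypting
captured traffic is a single call. RECOVERED_KEY and CONSTRUCTED_BEACON
below are constructed for illustration and are not from a real sample.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with RC4 (symmetric, so one function does both)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm (KSA): permute the 256-byte state with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR keystream bytes into data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed values (assumptions for the example): a key pulled out of the
# sample by the analyst, and the plaintext a bot would send to its C&C.
RECOVERED_KEY = b"example-hardcoded-key"
CONSTRUCTED_BEACON = b"bot_id=0001&os=win7&ver=1"


def capture_beacon() -> bytes:
    """Simulate the ciphertext an analyst would see on the wire for the constructed beacon."""
    return rc4(RECOVERED_KEY, CONSTRUCTED_BEACON)


def decrypt_beacon(ciphertext: bytes, key: bytes = RECOVERED_KEY) -> bytes:
    """Decrypt a captured beacon with the key recovered from the sample."""
    return rc4(key, ciphertext)


if __name__ == "__main__":
    wire = capture_beacon()
    print("on the wire:", wire.hex())
    print("decrypted  :", decrypt_beacon(wire).decode())
```

The same routine decrypts a captured blob in either direction because RC4 is a stream cipher keyed only by the shared key; an analyst working from a packet capture only needs the key, which is exactly what an unpacked sample hands over.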

He also said that the web inject templates are identical to the ones used by Zeus, with the added capability to use special values; Tinba will also modify headers and can inject insecure, non-HTTPS elements from external servers and websites.
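Because the inject templates follow the Zeus format, the first thing an analyst does with a recovered web.dat is list the URL patterns it targets and the HTML it plants. The block below is an added example, not code from the original article or from CSIS: a small parser for the publicly documented Zeus inject layout (a `set_url` line followed by `data_before`, `data_inject` and `data_after` sections, each closed by `data_end`) plus the injection step itself. The configuration text and the login page are constructed for the example; the "replace whatever sits between the two anchors" semantics is the commonly described Zeus behaviour and is an assumption here, not something the article states.

```python
"""Parser for Zeus-style web inject definitions: added example, not Tinba's code.

Format assumed (public Zeus layout):
    set_url <url wildcard> <flags>
    data_before / data_inject / data_after  ...lines...  data_end
SAMPLE_CONFIG and SAMPLE_PAGE are constructed, not from a real web.dat.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class WebInject:
    url_pattern: str        # wildcard pattern of the page to tamper with
    flags: str              # e.g. "GP": apply on GET and POST responses
    data_before: str = ""   # anchor: HTML that precedes the injection point
    data_inject: str = ""   # HTML planted between the two anchors
    data_after: str = ""    # anchor: HTML that follows the injection point

    def matches(self, url: str) -> bool:
        return fnmatch.fnmatch(url, self.url_pattern)


SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> list[WebInject]:
    """Parse one or more Zeus-style inject blocks into WebInject objects."""
    injects: list[WebInject] = []
    current = None
    section = None
    buf: list[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split()
            if len(parts) < 2:
                raise ValueError("set_url without a URL pattern")
            current = WebInject(url_pattern=parts[1],
                                flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in SECTIONS:
            if current is None:
                raise ValueError(f"{stripped} before any set_url")
            section, buf = stripped, []
        elif stripped == "data_end":
            if section is None:
                raise ValueError("data_end without an open section")
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)          # raw content line inside a section
        # blank or unknown lines outside a section are ignored
    if section is not None:
        raise ValueError(f"unterminated {section} section")
    return injects


def apply_inject(html: str, inject: WebInject) -> str:
    """Replace what lies between the before/after anchors with data_inject.

    If either anchor is missing the page is returned untouched, which is
    also why injects silently stop working when a bank changes its markup.
    """
    start = html.find(inject.data_before)
    if start < 0:
        return html
    start += len(inject.data_before)
    end = html.find(inject.data_after, start)
    if end < 0:
        return html
    return html[:start] + inject.data_inject + html[end:]


# Constructed sample config: adds a fake one-time-code field to a login form.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="pass">
data_end
data_inject
<label>One-time code</label><input type="text" name="otp">
data_end
data_after
<input type="submit"
data_end
"""

# Constructed sample page served by the (fictional) bank.
SAMPLE_PAGE = (
    '<form><input type="text" name="user">'
    '<input type="password" name="pass">'
    '<input type="submit" value="Log in"></form>'
)


def targeted_urls(text: str = SAMPLE_CONFIG) -> list[str]:
    """The URL patterns a config targets: the first thing an analyst pulls from web.dat."""
    return [w.url_pattern for w in parse_webinjects(text)]


def demo() -> str:
    """Parse the sample config and apply its inject to the sample page."""
    inject = parse_webinjects(SAMPLE_CONFIG)[0]
    assert inject.matches("https://bank.example/login?lang=en")
    return apply_inject(SAMPLE_PAGE, inject)


if __name__ == "__main__":
    print("targets:", targeted_urls())
    print(demo())
```

Running it prints the targeted pattern and the login form with an extra one-time-code field, which is the mechanism behind the two-factor bypass the article describes: the victim types the code into a field the bank never served.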

“Tinba, like its equals, targets financial websites, but only a very small list of specific URLs. Yes, Tinba proves that malware with data-stealing capabilities does not have to be 20MB in size,” he said.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition

