World's smallest banking trojan discovered

Powered by SC Magazine

Pint-sized malware packs a punch.

The world's smallest banking trojan has been detected.

Named 'Tinba' (Tiny Banker) or 'Zusy', it is a 20KB data-stealing banking trojan that hooks into browsers, steals login data and sniffs network traffic. It also uses man-in-the-browser (MiTB) techniques and web injections to change the look and feel of certain webpages, with the purpose of circumventing two-factor authentication or tricking the infected user into giving away additional sensitive data.

According to CSIS, which detected Tinba, this is the smallest banking trojan it has ever encountered and it belongs to a completely new family of malware which it said it expects to be battling in upcoming months.

Peter Kruse, partner & security specialist at CSIS, said anti-virus detection of the analysed samples is low and the code (including config and web injects) does not have any packaging or advanced encryption.

Asked if it is hard to spot as it is so small, Kruse told SC Magazine that it hides well on the system and was found during a forensic search.

“Tinba is utilising an injection routine upon execution which is obfuscated to primarily avoid anti-virus detection,” he said.

“It allocates new memory space where this specific injection function is stored and injects itself into the newly created process 'winvert.exe' (Version Reporter Applet) which is dropped into the Windows system folder. Tinba also injects itself into both 'explorer.exe' and 'svchost.exe' processes.”

Research by CSIS found that Tinba uses four different libraries during its runtime: ntdll.dll; advapi32.dll; ws2_32.dll; and user32.dll.

As observed in several other banking trojans and advanced malware, Tinba utilises an RC4 encryption algorithm when communicating with its command and control (C&C) servers, using four hard-coded domains for its communications.

“Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If the C&C server survives certain checks, then files are downloaded and executed on the infected host. When successfully injected, Tinba reads settings from the configuration files (cfg.dat and web.dat) and intercepts and manipulates traffic through several browser APIs.”

Kruse also commented that the web inject templates are identical to the ones used by Zeus, but also have the capability to use special values, while it will modify headers and be able to inject insecure non-HTTPS-supported elements from external servers and websites.

“Tinba, like its equals, targets financial websites, but only a very small list of specific URLs. Yes, Tinba proves that malware with data-stealing capabilities does not have to be 20MB in size,” he said.
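The host artifacts named above (the dropped 'winvert.exe' image and the cfg.dat and web.dat configuration files) can be turned into a simple triage check over endpoint telemetry. The following Python is an added example, not code from CSIS or SC Magazine; the event schema, host names and file paths are constructed for illustration, and the only outside fact used is that the genuine Windows Version Reporter Applet is named winver.exe.

```python
import ntpath
from collections import defaultdict

# Names taken from the article; everything else here is an assumption.
DROPPED_IMAGE = "winvert.exe"          # dropped into the Windows system folder
LEGIT_IMAGE = "winver.exe"             # the genuine Version Reporter Applet
CONFIG_FILES = {"cfg.dat", "web.dat"}  # configuration and web-inject files

# Constructed sample events (hypothetical schema: type, host, path).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "path": r"C:\Windows\System32\winver.exe"},
    {"type": "process", "host": "ws-02", "path": r"C:\Windows\System32\winvert.exe"},
    {"type": "file", "host": "ws-02", "path": r"C:\Users\a\AppData\Roaming\x\cfg.dat"},
    {"type": "file", "host": "ws-02", "path": r"C:\Users\a\AppData\Roaming\x\web.dat"},
    {"type": "file", "host": "ws-03", "path": r"C:\Games\demo\cfg.dat"},
]


def triage(events):
    """Return {host: sorted findings} for the artifacts named in the article."""
    findings = defaultdict(set)
    config_seen = defaultdict(set)  # (host, directory) -> config names seen
    for ev in events:
        # ntpath parses Windows paths on any OS; lower-case for comparison.
        directory, name = ntpath.split(ev["path"].lower())
        if ev["type"] == "process" and name == DROPPED_IMAGE:
            findings[ev["host"]].add(
                f"process image {DROPPED_IMAGE} (genuine applet is {LEGIT_IMAGE})"
            )
        elif ev["type"] == "file" and name in CONFIG_FILES:
            config_seen[(ev["host"], directory)].add(name)
    # cfg.dat alone is a common file name, so require both files side by side.
    for (host, directory), names in config_seen.items():
        if names == CONFIG_FILES:
            findings[host].add("cfg.dat and web.dat together in " + directory)
    return {host: sorted(items) for host, items in findings.items()}


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host, items)
```

On the constructed sample only ws-02 is reported: ws-01 runs the genuine winver.exe and ws-03 has a lone cfg.dat, which on its own is too common a file name to act on.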

This article originally appeared at

Copyright © SC Magazine, UK edition
