World's smallest banking trojan discovered


Pint sized malware packs a punch.

The world's smallest banking trojan has been detected.

Named 'Tinba' (Tiny Banker) or 'Zusy', it is a 20KB data-stealing banking trojan that hooks into browsers, steals login data and sniffs network traffic. It also uses man-in-the-browser (MiTB) techniques and web injections to change the look and feel of certain webpages, with the aim of circumventing two-factor authentication or tricking the infected user into giving away additional sensitive data.

According to CSIS, which detected Tinba, this is the smallest banking trojan it has ever encountered, and it belongs to a completely new family of malware which CSIS expects to be battling in the coming months.

Peter Kruse, partner & security specialist at CSIS, said anti-virus detection of the analysed samples is low and the code (including config and web injects) does not have any packaging or advanced encryption.

Asked if it is hard to spot as it is so small, Kruse told SC Magazine that it hides well on the system and was found during a forensic search.

“Tinba is utilising an injection routine upon execution which is obfuscated to primarily avoid anti-virus detection,” he said.

“It allocates new memory space where this specific injection function is stored and injects itself into the newly created process 'winvert.exe' (Version Reporter Applet) which is dropped into the Windows system folder. Tinba also injects itself into both 'explorer.exe' and 'svchost.exe' processes.”

Research by CSIS found that Tinba uses four different libraries during its runtime: ntdll.dll; advapi32.dll; ws2_32.dll; and user32.dll.
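As an added defender-side example (not code from the article or from CSIS), the following Python triages constructed endpoint events for the host behaviour Kruse describes: the drop and launch of winvert.exe in the system folder, and remote threads from it into explorer.exe and svchost.exe. The System32 path, the event schema and the sample events are assumptions; the article only says "Windows system folder".

```python
from dataclasses import dataclass
from typing import Iterable, List

# Process names come from the article. SYSTEM_DIR is an assumption standing in
# for the unspecified "Windows system folder" the dropper writes into.
DROPPED_BINARY = "winvert.exe"
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}
SYSTEM_DIR = r"c:\windows\system32"

@dataclass
class Event:
    kind: str    # "file_create" | "process_create" | "remote_thread"
    source: str  # image path of the acting (writing, parent, or injecting) process
    target: str  # file written, image launched, or process injected into

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _dir(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()

def triage(events: Iterable[Event]) -> List[str]:
    """Return one finding per event matching a Tinba behaviour; benign events yield none."""
    findings: List[str] = []
    for ev in events:
        src, tgt = _name(ev.source), _name(ev.target)
        in_system_dir = _dir(ev.target) == SYSTEM_DIR
        if ev.kind == "file_create" and tgt == DROPPED_BINARY and in_system_dir:
            findings.append(f"{src} dropped {DROPPED_BINARY} into the system folder")
        elif ev.kind == "process_create" and tgt == DROPPED_BINARY and in_system_dir:
            findings.append(f"{src} launched {DROPPED_BINARY} from the system folder")
        elif ev.kind == "remote_thread" and src == DROPPED_BINARY and tgt in INJECTION_TARGETS:
            findings.append(f"{DROPPED_BINARY} injected a thread into {tgt}")
    return findings

# Constructed telemetry for the demonstration, not captured from a real infection.
SAMPLE_EVENTS = [
    Event("file_create", r"C:\Users\bob\AppData\Local\Temp\invoice.exe", r"C:\Windows\System32\winvert.exe"),
    Event("process_create", r"C:\Users\bob\AppData\Local\Temp\invoice.exe", r"C:\Windows\System32\winvert.exe"),
    Event("remote_thread", r"C:\Windows\System32\winvert.exe", r"C:\Windows\explorer.exe"),
    Event("remote_thread", r"C:\Windows\System32\winvert.exe", r"C:\Windows\System32\svchost.exe"),
    Event("remote_thread", r"C:\Program Files\Debugger\dbg.exe", r"C:\Windows\explorer.exe"),  # benign
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign debugger thread into explorer.exe is deliberately left unflagged, since the rule keys on the dropped binary as the injecting process rather than on any remote thread into a system process.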

As observed in several other banking trojans and advanced malware, Tinba utilises an RC4 encryption algorithm when communicating with its command and control (C&C) servers, using four hard-coded domains for its communications.

“Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If the C&C server survives certain checks, then files are downloaded and executed on the infected host. When successfully injected, Tinba reads settings from the configuration files (cfg.dat and web.dat) and intercepts and manipulates traffic through several browser APIs.”

Kruse also said that the web inject templates are identical to the ones used by Zeus, but also have the capability to use special values; the trojan will modify headers and is able to inject insecure non-HTTPS elements from external servers and websites.

“Tinba, like its equals, targets financial websites, but only a very small list of specific URLs. Yes, Tinba proves that malware with data-stealing capabilities does not have to be 20MB in size,” he said.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition