As the security industry debates a 20MB worm, the world's smallest banking Trojan has been detected.
Named 'Tinba' (Tiny Banker) or 'Zusy', it is a 20KB data-stealing banking Trojan that hooks into browsers, steals login data and sniffs network traffic. It also uses man-in-the-browser (MiTB) techniques and web injections to change the look and feel of certain webpages, with the purpose of circumventing two-factor authentication or tricking the infected user into giving away additional sensitive data.
According to CSIS, which detected Tinba, this is the smallest banking Trojan it has ever encountered and it belongs to a completely new family of malware which it said it expects to be battling in upcoming months.
Peter Kruse, partner & security specialist at CSIS, said anti-virus detection of the analysed samples is low and the code (including config and web injects) does not have any packaging or advanced encryption.
Asked if it is hard to spot as it is so small, Kruse told SC Magazine that it hides well on the system and was found during a forensic search.
“Tinba is utilising an injection routine upon execution which is obfuscated to primarily avoid anti-virus detection,” he said.
“It allocates new memory space where this specific injection function is stored and injects itself into the newly created process 'winvert.exe' (Version Reporter Applet) which is dropped into the Windows system folder. Tinba also injects itself into both 'explorer.exe' and 'svchost.exe' processes.”
Research by CSIS found that Tinba uses four different libraries during its runtime: ntdll.dll; advapi32.dll; ws2_32.dll; and user32.dll. As observed in several other banking Trojans and advanced malware, Tinba utilises an RC4 encryption algorithm when communicating with its command and control (C&C) servers, using four hard-coded domains for its communications.
Kruse said: “Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If the C&C server survives certain checks, then files are downloaded and executed on the infected host.
“When successfully injected, Tinba reads settings from the configuration files (cfg.dat and web.dat) and intercepts and manipulates traffic through several browser APIs.”
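The RC4-protected C&C exchange described above is the point at which an analyst, having recovered the key from a sample, decodes captured beacons for triage. The following is an added example, not CSIS's analysis code or anything from Tinba itself; the key and the captured bytes are constructed placeholders, since the page does not give the real values.

```python
# Added example (not CSIS's or Tinba's code): a minimal RC4 routine of the kind an
# analyst uses to decode C&C traffic once the key has been recovered from a sample.
# The key and captured bytes below are constructed placeholders, not real Tinba values.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream (KSA + PRGA) XORed over data; symmetric, so one routine
    both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the 256-byte state with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: emit one keystream byte per data byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Placeholder key: in practice extracted from the analysed sample (not on this page).
PLACEHOLDER_KEY = b"placeholder-key"

def decode_capture(captured: bytes, key: bytes = PLACEHOLDER_KEY) -> str:
    """Decrypt a captured C&C blob and return it as text for triage."""
    return rc4(key, captured).decode("utf-8", errors="replace")

# Constructed sample: what a defender sees on the wire is the RC4 output, so the
# "capture" is built here from a made-up beacon string to keep the example self-contained.
SAMPLE_BEACON = b"EHLO bot-id=constructed-0001 cfg=web.dat"
CAPTURED_BLOB = rc4(PLACEHOLDER_KEY, SAMPLE_BEACON)

if __name__ == "__main__":
    print(CAPTURED_BLOB.hex())
    print(decode_capture(CAPTURED_BLOB))
```

Because RC4 has no integrity protection, a decode that yields readable text under a candidate key is itself the check that the right key was recovered.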
He also noted that the web inject templates are identical to those used by Zeus, but can additionally use special values; Tinba will also modify headers and is able to inject insecure, non-HTTPS elements from external servers and websites.
“Tinba, like its equals, targets financial websites, but only a very small list of specific URLs. Yes, Tinba proves that malware with data-stealing capabilities does not have to be 20MB in size,” he said.