The discovery of a new banking Trojan by the researchers working for CSIS Security Group has proved that a piece of malware doesn’t have to be big and complex to get the job done.
Dubbed “Tinba” (Tiny Banker) and “Zusy”, the Trojan operates by hooking into browsers in order to steal login data.
It is also able to sniff network traffic, as well as perform some Man-in-The-Browser tricks in order to inject legitimate banking sites with additional forms, which ask victims to share more confidential data (credit card numbers, TANs, authentication tokens, etc).
“Tinba is the smallest trojan-banker we have ever encountered and it belongs to a complete new family of malware which we expect to be battling in upcoming months,” researcher Peter Kruse points out.
“The code is approximately 20KB in size (including config and webinjects) and comes simple and clear without any packing or advanced encryption. Antivirus detection of the analyzed samples is low.”
Tinba receives its instructions and updates from four C&C servers, whose domains are hardcoded into the malware. If the first one is non-responsive, it moves to the second one, and so on. The communication between the Trojan and the servers is encrypted with the RC4 algorithm
“The web inject templates are identical to the ones used by ZeuS but also have capability to use special values,” the researcher shared. “An interesting observation is the fact that Tinba will modify headers X-FRAME-Options thus being able to inject insecure non HTTPS supported elements from external servers/websites.”
The only good news in all of this is that although Tinba targets financial websites, its list is very small.