New Tinba Trojan-banker Encountered, Report CSIS Experts

The Security Group CSIS lately found one fresh family of banker-Trojans that it dubbed "Tinba" meaning 'tiny banker,' as also called "Zusy."

Designed for stealing data, the banker-Trojan is rather small as it attaches itself to Web-browsers for capturing log-in details as also spying on inbound and outbound network traffic. Moreover, similar to many advanced Trojan-bankers, Tinba too applies MITB (Man-in-The-Browser) tactics followed with making web-injects so certain web-pages will appear and work in an altered way. The objective is to get past the dual-authentication mechanism alternatively deceive the contaminated end-user into divulging his credit card as well as TAN particulars.

The banker-Trojan Tinba circulates as the smallest such malware hitherto, while representing one wholly fresh family of malicious software that CSIS anticipates will fight for existence during the forthcoming months.

Tinba's code, which's about the size 20KB, -web-injects and config included- comes uncomplicated devoid of any additional package alternatively sophisticated encryption. Consequently, the identification of the malware by anti-virus software is minimal.

Significantly Tinba, on running, utilizes one obfuscated injection mechanism, which lets it bypass security programs. Thereafter it sets up Version Reporter Applet a process indicated as winvert.exe that's situated inside System folder.

Nevertheless, Tinba leverages other processes too like 'explorer' and 'svchost.'

Meanwhile, the malware uses several four-hardcoded domains to exchange messages with its central C&C systems. As a result, Tinba's operation continues despite any of the domains ceasing from reacting.

Also when hijacking a browser, Tinba uses the method of injection inside the iexlporer.exe and firefox.exe processes letting it tamper with incoming and outgoing network traffic via Application Programming Interfaces (APIs) of the browser.

Telling further about the latest malware discovery, CSIS eCrime Unit's Chief Peter Kruse stated that the formats of web-insertions were exactly the same that ZeuS utilized. In addition, they had the capability for utilizing certain important values. Interestingly, Tinba would alter captions X-FRAME-Options, thereby becoming capable of inserting unprotected non-HTTPs backed components from outside websites or servers, the expert added. Help Net Security published this dated May 31, 2012.

Conclusively, Kruse stated that albeit Tinba attacked Internet sites related to financial activities, their number was very small.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 6/6/2012