Tiny new banking trojan
Posted on: 05/31/2012 03:28 PM
[
Comments
]
Called Tinba, security researchers have discovered this new malware that is only 20 kb in size, yet uses a number of well-word man-in-the-browser tricks in an attempt to defeat two-factor authentication. It doesn't bother with encryption or packing, yet is slipping past a lot of desktop defenses.
Tinba injects itself into a number of running processes on the PC, including the major browser processes such as FireFox.exe. It also injects itself into explorer.exe and svchost.exe. The main focus of the malware seems to be stealing online banking and credit card info, but it also makes each infected machine a part of a botnet that reports to one of four known command-and-control servers, according to an analysis of Tinba by CSIS in Denmark.
"As observed in several other Trojan-bankers and advanced malwares, Tinba utilizes a RC4 encryption algorithm when communication with its Command & Control (C&C) servers. Tinba uses four hardcoded domains for its C&C communication. This is done to avoid one domain from being nonresponsive and thus losing communication with its drones. If the first domain does not respond properly, Tinba simply moves on to the next domain down the chain. Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If C&C server survives certain checks, then the before mentioned files are downloaded and executed on the infected host. C&C communication is illustrated below," Peter Kruse, a security specialist at CSIS, wrote in his analysis.
Although the list of financial web sites it targets is fairly small, it has the ability to modify secure web sessions by injecting insecure elements into those pages. "The web inject templates are identical to the ones used by ZeuS but also have capability to use special values e.g. %BOTUID% equals to volume serial number," Kruse said.
Tinba is the latest in a long line of banking trojans that are meant to specifically relieve you of your money by either monitoring online banking or modifying web pages. Its small size seems to indicate that the attackers didn't want to waste any time or add any bits of extraneous features, only being interested in robbing and stealing.
"Tinba is the smallest trojan-banker we have ever encountered and it belongs to a complete new family of malware which we expect to be battling in upcoming months," Kruse said.
As always, if you are infected, visit the Malware team at MajorGeeks.com
Tinba injects itself into a number of running processes on the PC, including the major browser processes such as FireFox.exe. It also injects itself into explorer.exe and svchost.exe. The main focus of the malware seems to be stealing online banking and credit card info, but it also makes each infected machine a part of a botnet that reports to one of four known command-and-control servers, according to an analysis of Tinba by CSIS in Denmark.
"As observed in several other Trojan-bankers and advanced malwares, Tinba utilizes a RC4 encryption algorithm when communication with its Command & Control (C&C) servers. Tinba uses four hardcoded domains for its C&C communication. This is done to avoid one domain from being nonresponsive and thus losing communication with its drones. If the first domain does not respond properly, Tinba simply moves on to the next domain down the chain. Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If C&C server survives certain checks, then the before mentioned files are downloaded and executed on the infected host. C&C communication is illustrated below," Peter Kruse, a security specialist at CSIS, wrote in his analysis.
Although the list of financial web sites it targets is fairly small, it has the ability to modify secure web sessions by injecting insecure elements into those pages. "The web inject templates are identical to the ones used by ZeuS but also have capability to use special values e.g. %BOTUID% equals to volume serial number," Kruse said.
Tinba is the latest in a long line of banking trojans that are meant to specifically relieve you of your money by either monitoring online banking or modifying web pages. Its small size seems to indicate that the attackers didn't want to waste any time or add any bits of extraneous features, only being interested in robbing and stealing.
"Tinba is the smallest trojan-banker we have ever encountered and it belongs to a complete new family of malware which we expect to be battling in upcoming months," Kruse said.
As always, if you are infected, visit the Malware team at MajorGeeks.com
Comments
