'Tinba' Bank Trojan Burrows into Browsers to Steal Logins
Posted on 06/04/2012 8:25:11 AM PDT by Perseverando
Researchers have spotted a new banking Trojan dubbed 'Tinba' that appears to have hit on a simple tactic for evading security - be as small as possible.
An astonishing 20KB in size, Tinba ('Tiny Banker') retains enough sophistication to match almost anything that can be done by much larger malware types.
Its main purpose is to burrow into browsers in order to steal logins, but it can also use 'obfuscated' (i.e. disguised) web injection and man-in-the-browser to attempt to finesse two-factor web authentication systems.
A particularly interesting feature is the way it tries to evade resident security, injecting itself into the Windows svchost.exe and explorer.exe processes, as well as Internet Explorer and Firefox to give itself access to traffic passing through those.
The malware connects to one or more of four command & control domains on an RC4-encrypted channel.
None of this is particularly unusual as malware goes, but getting this sort of feature set out of 20KB (including all injection routines) is the work of a developer who believes size matters and the smaller the better.
Its design is reminiscent of the old-school viruses written in x86 assembler two decades ago, and low detection rates among antivirus programs suggest that the technique could herald a new wave of diminutive malware attacks.
Infection levels are unknown but banking malware is often almost invisible until it suddenly isn't as victims come to light.
"Yes, Tinba proves that malware with data stealing capabilities does not have to be 20MB of size," said Peter Kruse of the Danish security firm CSIS that first noticed Tinba.
Kruse is referring, of course, to another piece of malware being celebrated for its enormous size, Flame. Publicised in the same few days, the contrast between little and large is apt - and sobering.
What do we need to do?
Couldn’t recall m’s screenname...
Yes, what do we need to do and how does it infect a computer? Is it detected by anti-virus programs like AVG?
I guess we need to hope our security software providers come up with a fix in the near future.
Cyber warfare is a never ending battle against the tech criminals (including criminal governments, etc.) to try and stay ahead of them and create better cyber security software.
That is a scary one.
Great. Just great. Now what?
Hold me closer, Tiny Banker.
I had the same thought.
Ping for reference
It also means that just because an AV scanner says your pc/laptop is clean doesn’t mean that it is.
The article doesn’t say whether or not Opera is affected, but just in case, I added the list of websites given on the article page to my blocked sites list.
I don’t use other browsers so I don’t know if they have a function available to block sites, but if they do, it’s a good idea to add the list. IE used to have a restricted sites list you could add to.
Also might consider adding them to a hosts file, or to a program like spywareblaster.
“What do we need to do?”
Avoid Windows. Unless Tinba can infect Firefox running on Linux, I don’t have to do anything.
I prefer my panic to be measured and leisurely ;-)
If in trouble or in doubt,
Run in circles, scream and shout.
Publicly execute whoever wrote this and released it into the wild.
The Problems Tinba Causes.
Tinba will usually enter into the system at first through a stealthy Trojan infection, as is typical for rogue anti-virus programs. Alternately, Tinba may also be embedded in malicious ads online, which can install the rogue anti-virus program after a simple click. Once this trial version is installed and running, Tinba will engage in a number of actions that are both unprofessional and will directly threaten the safety of your computer. Other problems Tinba creates on the PC:
* Tinba will prompt for and initiate fake scans that in actuality do nothing for your computer, presenting a mere appearance of security. The only purpose these scans have is to nudge you into buying the full version of Tinba.
* Fake warnings will appear in your web browser that redirect you towards dangerous websites. These warnings imitate official Internet Explorer warnings for unsafe websites, and so one should remain alert to avoid mistaking the fakes for the real thing.
* Tinba will disable the proper running of many different programs, including such harmless ones as Notepad. This may include actual anti-malware software that you need to maintain system security. If you notice your older security software not working, suspicion should be immediately cast on any new, lesser-known security programs you might have installed.
* Many different general system infection warnings will occur even if the only infection on your computer is Tinba itself! This is done strictly to create a state of terror in the user, as well as a dependency on Tinba's supposed functions. Such warnings won't correspond to the results given by legitimate anti-malware scanning software.
* Tinba may also cripple your Internet connection to prevent you from gaining easy access to tools that could remove it.