June 20, 2012

Early June 2012 saw many media reports concerning the discovery of "the smallest known banking Trojan", dubbed by security experts as Tinba (short for “tiny banker”). In this news brief, the Russian anti-virus company, Doctor Web, offers a technical overview of this threat.

Written in Assembly, Tinba is a very compact piece of malware occupying as little as 20KB. To date, at least five modifications of this Trojan horse are known. Despite the fact that news agencies and some anti-virus developers reported the discovery of Tinba only on June 5, 2012, Dr.Web anti-virus software detects this malware as Trojan.Hottrend, and the first records concerning this Trojan family were added to the Dr.Web virus databases as early as late April 2012.

Once launched in the infected system, Tinba decrypts its code, copies the winver.exe program (the standard program displaying Windows version information), injects its code into the file, and launches it. Then the Trojan searches for the explorer.exe process and also injects its code into it. One of the malware versions detected by Dr.Web as Trojan.DownLoader6.12974 injects its code into all running processes on the infected computer.

The Trojan registers itself in the registry branch responsible for the automatic launching of applications and copies itself to the bin.exe file. Tinba then changes the Internet connection settings so that the browser can display mixed content, which enables the Trojan to tamper with HTTPS traffic. If Firefox is installed on the infected computer, the Trojan also saves the user.js file to a separate folder. The file contains JavaScript code that disables the browser's security alerts. Files used by the Trojan horse to connect to a control server are also stored on the disk.

Control server addresses are hardcoded into the Trojan file. Tinba connects to a server, uses the POST routine to send it encrypted data, and waits for a reply. The main purpose of this malware is to monitor Internet traffic to intercept sensitive (including banking) information and send it to criminals.

Curiously, another small malicious program dubbed Trojan.PWS.Banker.64540 was discovered by Doctor Web shortly after the first Tinba warnings appeared in the media. It is much "bigger" than Trojan.Hottrend — about 80 KB—and it is not written in Assembly but in C++. This Trojan is a two-component program incorporating a DLL file and an executable. It stores its data in the registry and in a file placed into the system temporary folder — we already described this malicious program in one of our most recent publications.

The information presented here once again proves that analysts were right to assume that criminals would be very interested in small banking Trojans. Indeed, the types and modifications of such programs are constantly increasing in number.