2012
05.31

Tinba is a small data stealing trojan-banker. It hooks into browsers and steals login data and sniffs on network traffic. Like several sophisticated banker-trojans it also uses Man in The Browser (MiTB) tricks and webinjects in order to change the look and feel of certain webpages with the purpose of circumventing Two factor Authentication (2FA) or tricking the infected user to give away additional sensitive data such as credit card data or TANs.
[…]
The code is approx 20KB in size (including config and webinjects) and comes simple and clear without any packing or advanced encryption. Antivirus detection of the analyzed samples is low.
[…]
As observed in several other Trojan-bankers and advanced malwares, Tinba utilizes the RC4 encryption algorithm when communicating with its Command & Control (C&C) servers. Tinba uses four hardcoded domains for its C&C communication. This is done to avoid one domain being nonresponsive and thus losing communication with its drones. If the first domain does not respond properly, Tinba simply moves on to the next domain down the chain. Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If the C&C server survives certain checks, then the aforementioned files are downloaded and executed on the infected host. C&C communication is illustrated below.
[…]
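The excerpt above notes that the C&C traffic is RC4-encrypted. The following is an added example (not code from the CSIS write-up or from the malware): a plain RC4 re-implementation of the kind an analyst writes to recover plaintext from captured C&C traffic once a key has been pulled from a sample. The page gives no key, wire format or domains, so the key and check-in string below are constructed placeholders.

```python
"""RC4 decryption helper for analysing captured C&C traffic.

Added example, not from the CSIS write-up: the real key and wire format are
not given on the page, so SAMPLE_KEY and SAMPLE_PLAIN are constructed here.
"""
from typing import Iterable, Optional


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def try_keys(ciphertext: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose decryption is printable ASCII."""
    for key in candidates:
        plain = rc4_crypt(key, ciphertext)
        if plain and all(32 <= b < 127 for b in plain):
            return key
    return None


# Constructed sample: a fake check-in string encrypted under a constructed key.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_PLAIN = b"EHLO bot=drone-0001 ver=1"
SAMPLE_CIPHERTEXT = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    hit = try_keys(SAMPLE_CIPHERTEXT, [b"wrong-key", SAMPLE_KEY])
    print(hit, rc4_crypt(hit, SAMPLE_CIPHERTEXT))
```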


CSIS: Say hello to Tinba: World’s smallest trojan-banker.

3 comments so far

  1. AFAICT you’ve covered all the bases with this answer!

  2. Cialis…the next time I read a blog, I hope that it doesn’t disappoint me as much as this one. I mean, I know it was my choice to read, but I actually thought you’d have something interesting to say. All I hear is a bunch of whining about something that you coul…

  3. I had wished for that string of lights as a 30th birthday present last month but unfortunately didn’t get it. I also want the Rainbow, it’s so pretty with all those colours
