07-11-2014 06:05 AM
The program, known as "Tinba" or "Zusy," was discovered around mid-2012 and infected tens of thousands of computers in Turkey. It is notable for having a very small code base -- just 20K -- but capabilities similar to malware much larger in size.
07-11-2014 12:39 PM
An update with a bit more information.
By paganinip on July 11th, 2014
"Tinba is a small data stealing Trojan-banker, as many other banking trojans it implements Man in the Browser (MiTB) technique to inject code into victims’ browsers to change the content of certain Web pages. Tinba has data stealing capabilities and is also able to sniff network traffic.
“Its purpose is to circumvent Two Factor Authentication (2FA) or to trick the infected user into providing additional sensitive data such as credit card data.” reports a joint study of CSIS and Trend Micro conducted on Tinba.
The blog post explains that Tinba's second iteration, unlike version one, was improved to be sold as a crime-as-a-service inside closed criminal communities.
“The second version, which also includes a lot of changes to the panel/interface, appears to be sold as a crime as a service but only through closed channels. The second version indicates that the code was indeed sold in 2012 and then reworked by other it-criminals,” reports the blog post."
07-11-2014 12:47 PM - edited 09-16-2014 02:14 PM
Another scary underground Trojan... as this quote from the article states:
Tinba is a small data stealing Trojan-banker, as many other banking trojans it implements Man in the Browser (MiTB) technique to inject code into victims’ browsers to change the content of certain Web pages. Tinba has data stealing capabilities and is also able to sniff network traffic.
Thank you, Jasper, for the news. Great information!!
09-16-2014 02:13 PM
The following article is an update on Tinba Banking Malware (Tinba Banking Malware Expands Target List), by Brian Prince on September 16, 2014
A Trojan spotted earlier this year targeting banks in the Czech Republic has expanded its target list and become more global.
According to researchers at Avast, an analysis of the payload for the Rig Exploit kit identified a payload known as Tinba that is targeting financial institutions across the world, including Bank of America, HSBC and ING Direct.
Also known as the Tinybanker Trojan, the malware is being delivered via sites infected by the exploit kit, which targets vulnerabilities in Adobe Flash Player and Microsoft Silverlight, explained Avast virus analyst David Fiser. If the user's system is vulnerable, the exploit executes malicious code that downloads and executes the Tinba Trojan.
When the infected user tries to log in to one of the targeted banks, webinjects are used to trick the victim into filling out a form with his or her personal data - including social security numbers, address and credit card information. If the victim does this, the data is sent to the attackers.
"In the case of the Tinba “Tiny Banker” targeting Czech users, the payload was simply encrypted with a hardcoded RC4 password," Fiser blogged. "However, in this case, a few more steps had to be done."
At first, the researchers located the folder with the installed banking Trojan, Fiser continued. This folder contained an executable file and the configuration file.
SecurityWeek/ full article here/ http://www.securityweek.com/tinba-banking-malware-
10-06-2014 12:07 PM
by Raul Alvarez | October 06, 2014
A few months ago, Tinba’s source code was leaked in the wild. It is now inevitable that a different and enhanced version of it is out there. Tinba, also known as Tiny Banker, made its debut a couple of years ago. Though it is small, it is capable of doing what its big brothers can do. For more details on some of its features, you can read my article posted on Virus Bulletin.
As expected, we have seen some new changes added to the original malware. Tinba is now capable of injecting its code into a 64-bit running process.