The source code for the first version of Tinba, the smallest banking Trojan ever, has been discovered by researchers on an underground forum.

Also known as Tinybanker or Zusy, the malware is just 20KB in size and was first discovered in mid-2012, when it targeted individuals in Turkey. More than 60,000 unique infections were identified.

Apart from this, what immediately captured the attention of the security researchers was its small size and its functionality rivaling much larger Trojans.

Researchers at CSIS Security Group of Denmark found it in a post on a closed underground forum. After close analysis, they determined that the code was for the first version of the malware from 2011/2012.

Tinba was created to hook into the web browser and capture login data. Despite being only 20KB in size, the malicious software uses man-in-the-browser (MitB) and web-injection techniques to carry out the theft it was built for. These techniques are characteristic of complex malware.

As often happens when malware source code is made publicly available, a surge in cyber-attacks is expected. “We don't expect the source code of Tinba to become a major inspiration for IT-criminals as it was the case for ZeuS. However, making the code public increases the risk of new banker Trojans to arise based partially on Tinba source code,” says CSIS CTO Peter Kruse.

The code appears to be accompanied by full documentation, and the publishers left no parts of it out. CSIS notes that everything is nicely structured and that, during their analysis, the code could be compiled with no trouble.

In 2012, CSIS released a joint report with security researchers from Trend Micro, in which they analyzed how Tinba worked and the damage it could do.

Once launched, the malicious software would deploy an obfuscated injection routine that allowed it to avoid detection by antivirus solutions.

The paper says that its capabilities included disabling the warning page in Mozilla Firefox, so that the user could land on compromised pages without being restricted or alerted in any way to the dangers ahead.

Communication with the command and control server was encrypted with RC4, and the malware relied on four domains, switching through them until a reply was received.
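From a detection standpoint, that fallback behaviour leaves a recognisable trace in resolver logs: one client failing on several distinct names in quick succession and then succeeding on another. The sketch below is an added example, not taken from the CSIS/Trend Micro report; the log format, the domain names and the thresholds are constructed, and it assumes that unresponsive domains show up as failed DNS lookups.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, client IP, queried name, response code.
SAMPLE_LOG = """\
2014-07-10T09:00:01 10.0.0.5 www.example.com NOERROR
2014-07-10T09:00:02 10.0.0.7 c2-a.example.net NXDOMAIN
2014-07-10T09:00:04 10.0.0.7 c2-b.example.net NXDOMAIN
2014-07-10T09:00:06 10.0.0.7 c2-c.example.net SERVFAIL
2014-07-10T09:00:08 10.0.0.7 c2-d.example.net NOERROR
2014-07-10T09:00:09 10.0.0.5 mail.example.com NOERROR
2014-07-10T09:05:00 10.0.0.9 typo.example.org NXDOMAIN
2014-07-10T09:05:30 10.0.0.9 www.example.org NOERROR
"""

def parse(log_text):
    """Yield (time, client, name, rcode) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the scan
        ts, client, name, rcode = parts
        yield datetime.fromisoformat(ts), client, name.lower(), rcode

def find_fallback_chains(log_text, min_failures=2, window=timedelta(seconds=60)):
    """Return (client, [names tried]) for each run of failed lookups on
    distinct names that ends in a success on yet another name."""
    runs = defaultdict(list)  # client -> recent failed (time, name) lookups
    hits = []
    for ts, client, name, rcode in parse(log_text):
        run = runs[client]
        # Forget failures that fall outside the time window.
        run[:] = [(t, n) for t, n in run if ts - t <= window]
        if rcode != "NOERROR":
            if name not in [n for _, n in run]:
                run.append((ts, name))
            continue
        tried = [n for _, n in run]
        if len(tried) >= min_failures and name not in tried:
            hits.append((client, tried + [name]))
        run.clear()  # any successful lookup ends the current run
    return hits

if __name__ == "__main__":
    for client, chain in find_fallback_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

Because any successful lookup resets a client's run, unrelated traffic interleaved between the failures would hide a chain; a production rule would group by domain set instead.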

CSIS says that the version whose source code has been made available is not the same as the one that is currently used in attacks. Nevertheless, malware developers often rely on borrowed code to come up with new information-stealing pieces.