Doctor Web Analyzed Smallest Banking Trojan
OREANDA-NEWS. June 27, 2012. Early June 2012 saw many media reports concerning the discovery of "the smallest known banking Trojan", dubbed by security experts as Tinba (short for “tiny banker”). In this news brief, the Russian anti-virus company, Doctor Web, offers a technical overview of this threat.
Written in Assembly, Tinba is a very compact piece of malware occupying as little as 20KB. To date, at least five modifications of this Trojan horse are known. Despite the fact that news agencies and some anti-virus developers reported the discovery of Tinba only on June 5, 2012, Dr.Web anti-virus software detects this malware as Trojan.Hottrend, and the first records concerning this Trojan family were added to the Dr.Web virus databases as early as late April 2012.
Once launched in the infected system, Tinba decrypts its code, copies the winver.exe program (the standard program displaying Windows version information), injects its code into the file, and launches it. Then the Trojan searches for the explorer.exe process and also injects its code into it. One of the malware versions detected by Dr.Web as Trojan.DownLoader6.12974 injects its code into all running processes on the infected computer.
Control server addresses are hardcoded into the Trojan file. Tinba connects to a server, uses the POST routine to send it encrypted data, and waits for a reply. The main purpose of this malware is to monitor Internet traffic to intercept sensitive (including banking) information and send it to criminals.
Curiously, another small malicious program dubbed Trojan.PWS.Banker.64540 was discovered by Doctor Web shortly after the first Tinba warnings appeared in the media. It is much "bigger" than Trojan.Hottrend — about 80 KB—and it is not written in Assembly but in C++. This Trojan is a two-component program incorporating a DLL file and an executable. It stores its data in the registry and in a file placed into the system temporary folder — we already described this malicious program in one of our most recent publications.
The information presented here once again proves that analysts were right to assume that criminals would be very interested in small banking Trojans. Indeed, the types and modifications of such programs are constantly increasing in number.