Domain generation algorithm included as fallback mechanism

Sep 24, 2014 14:54 GMT  ·  By

The leaked source code of the Tinba Trojan, also known as Tinybanker and Zusy, has been modified by cybercriminals, who fitted it with user-mode rootkit capabilities and a verification step that ensures commands really come from the bot master.

The new strain of the malware also includes a domain generation algorithm (DGA) as a fallback when the hard-coded command and control (C&C) server has been taken down.

The Trojan rose to fame because, despite its small size, it includes features that rival those of much larger banking malware.

It was discovered in 2012, when it affected users in Turkey; its source code leaked in July 2014, and shortly afterwards it was spotted in an attack targeting customers of banks in the Czech Republic.

The list of affected countries now extends beyond these, as infections have been detected in other parts of the world, the United States and Canada included.

Tinba authenticates the C&C server and carries a built-in configuration file

Malware authors have picked up the Trojan's source code and added a domain generation algorithm (DGA) as a fallback for reaching active command servers when the hard-coded ones are taken down, according to researchers from Trusteer who analyzed the new sample.

The new strain relies on the Windows crypt32 library to authenticate the server. “The infected machine sends a request comprising several time stamp counters (counting the number of CPU cycles since reset) concatenated together. This technique ensures a unique challenge is sent every time, so intercepting one challenge does not suffice to impersonate the C&C server,” Assaf Regev from Trusteer said.

Next, a SHA1 hash of the message is encrypted with a private key on the server side and sent back to the compromised machine. Tinba checks the reply with a public key embedded in its code; if verification fails, communication stops.
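The exchange described above, written out as an added illustration (this is not code from the page, from Trusteer or from the malware): the bot concatenates several counter readings into a challenge, the server returns the SHA-1 hash of that challenge raised to its private exponent, and the bot checks the reply with the public key it carries. The RSA key pair built from two Mersenne primes, the 4-reading challenge and the `deterministic_counter` helper are assumptions made so the script runs offline. From a defender's point of view the point is the last two functions: a captured reply cannot be replayed against a fresh challenge, and nobody holding only the embedded public key can produce an acceptable reply, so sinkholing this family by impersonating its C&C is not an option and detection has to rely on the traffic or the host artifacts instead.

```python
import hashlib
import time

# Toy RSA key pair from two Mersenne primes (constructed for illustration only;
# real systems use properly generated keys of adequate size).
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q                          # > 2**160, so a SHA-1 digest fits as an integer
E = 65537                          # public exponent embedded in the sample
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the server

CHALLENGE_WORDS = 4                # assumed number of counter readings per challenge


def deterministic_counter(start=1000):
    """Counter source for demos/tests: increments by one on every read."""
    state = [start]

    def read():
        state[0] += 1
        return state[0]

    return read


def read_counters(source=time.perf_counter_ns, words=CHALLENGE_WORDS):
    """Stand-in for reading the CPU time stamp counter several times."""
    return [source() & 0xFFFFFFFFFFFFFFFF for _ in range(words)]


def build_challenge(counters):
    """Concatenate the readings into the challenge bytes sent to the C&C."""
    return b"".join(c.to_bytes(8, "big") for c in counters)


def sha1_as_int(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def server_sign(challenge, d=D, n=N):
    """Server side: encrypt the SHA-1 hash of the challenge with the private key."""
    return pow(sha1_as_int(challenge), d, n)


def bot_verify(challenge, signature, e=E, n=N):
    """Bot side: check the reply with the public key embedded in the code."""
    return pow(signature, e, n) == sha1_as_int(challenge)


def run_exchange(counter_source=time.perf_counter_ns):
    """One authenticated round trip: returns (challenge, signature, accepted)."""
    challenge = build_challenge(read_counters(counter_source))
    signature = server_sign(challenge)
    return challenge, signature, bot_verify(challenge, signature)


def replay_is_rejected(old_signature, fresh_challenge):
    """A captured reply replayed against a new challenge must be refused."""
    return not bot_verify(fresh_challenge, old_signature)


if __name__ == "__main__":
    src = deterministic_counter()
    c1, s1, ok1 = run_exchange(src)
    c2, s2, ok2 = run_exchange(src)
    print("genuine replies accepted:", ok1 and ok2)
    print("replayed reply rejected:", replay_is_rejected(s1, c2))
```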

The authors also shipped this variant with a built-in configuration file, which is used when the browser is launched and a fresh configuration cannot be downloaded.

Dynamic webinjects applied

Trusteer researchers found that the new Tinba's configuration features webinjects of external malicious JavaScript code that changes dynamically to match the look and feel of the original page.

For this, the cybercriminals use an Automatic Transfer System Engine (ATSEngine) panel, which the latest versions of Zeus also employ. This makes Tinba an even more sophisticated threat than before.

“These dynamic webinjects are part of the ATSEngine infrastructure that enables the attacker to collect multiple data elements, such as the victims’ credit card type (credit, debit), CVV, PIN and SSN,” Trusteer says.

Seculert published an analysis of its own late last week, noting that in the new form, every sample of Tinba comes with a hard-coded domain and a seed. “These parameters are fed into the DGA producing 1000 domains unique to that sample. This makes it easier to generate a variety of new domains, helping the malware avoid detection,” Aviv Raff, head researcher at Seculert said.
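Added example, not from the page, from Seculert or from the malware: the `toy_dga` function below is a constructed stand-in for a seeded DGA (it is not Tinba's algorithm, whose details the article does not give) that turns a hard-coded domain and a seed into a fixed list of 1,000 domains. The defender's workflow it demonstrates is the one analysts apply once a sample's DGA, seed and base domain have been recovered: precompute the whole set, then match DNS query logs against it for detection or feed it to a blocklist or sinkhole. The seed, base domain and BIND-style log lines are constructed values.

```python
import hashlib
import re
from string import ascii_lowercase


def toy_dga(seed: bytes, base_domain: str, count: int = 1000, tld: str = ".com"):
    """Constructed DGA: each domain is derived from the seed, a running index and
    the previous domain, so one (seed, base_domain) pair always yields the same list."""
    domains = []
    previous = base_domain.encode()
    for index in range(count):
        digest = hashlib.sha256(seed + previous + index.to_bytes(4, "big")).digest()
        label = "".join(ascii_lowercase[b % 26] for b in digest[:12])
        domain = label + tld
        domains.append(domain)
        previous = domain.encode()
    return domains


def build_blocklist(seed: bytes, base_domain: str, count: int = 1000):
    """Precompute the sample's full domain set as a lookup structure."""
    return frozenset(toy_dga(seed, base_domain, count))


# Constructed values standing in for what an analyst recovers from a sample.
SAMPLE_SEED = bytes.fromhex("0badc0de")
SAMPLE_BASE_DOMAIN = "hardcoded-example.test"
BLOCKLIST = build_blocklist(SAMPLE_SEED, SAMPLE_BASE_DOMAIN)

# Matches the queried name in a BIND-style query log line.
QUERY_RE = re.compile(r"query: (?P<qname>[A-Za-z0-9.-]+) IN ")


def flag_dga_queries(log_lines, blocklist=BLOCKLIST):
    """Return the queried names that fall inside the precomputed DGA set."""
    hits = []
    for line in log_lines:
        match = QUERY_RE.search(line)
        if match is None:
            continue
        qname = match.group("qname").lower().rstrip(".")
        if qname in blocklist:
            hits.append(qname)
    return hits


# Constructed DNS log lines; the second one queries a generated domain.
_generated = toy_dga(SAMPLE_SEED, SAMPLE_BASE_DOMAIN)
SAMPLE_DNS_LOG = [
    "24-Sep-2014 14:54:01.001 client 10.0.0.5#51234: query: www.example.com IN A +",
    f"24-Sep-2014 14:54:02.417 client 10.0.0.5#51240: query: {_generated[17]} IN A +",
    "24-Sep-2014 14:54:03.220 client 10.0.0.9#40012: query: updates.example.org IN A +",
]


if __name__ == "__main__":
    print("domains in this sample's set:", len(BLOCKLIST))
    print("flagged queries:", flag_dga_queries(SAMPLE_DNS_LOG))
```

Because the set is fixed per sample, the same precomputation lets a registrar or sinkhole operator claim the generated names ahead of the malware; the cost of doing so grows with the number of distinct seeds in circulation, which is exactly why Seculert notes that per-sample seeds make the family harder to track.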

He also observed that the latest variants of the banking Trojan can inject code into 64-bit processes, which widens the range of machines it can compromise.

Although security experts are keeping a close eye on new developments of this malware family, cybercriminals will not stop improving the old code or developing new threats.