The malware is more than 1,000 times smaller than the 20MB Flame

May 31, 2012 13:40 GMT

CSIS Security Group has discovered Tinba, which it believes to be “the world’s smallest Trojan-banker.” The malicious element belongs to a new malware family and is designed to steal sensitive information by attaching itself to the web browser and intercepting network traffic.

Before we explain how the 20-kilobyte Trojan works, we would like to refer to a clever observation made by F-Secure’s Chief Research Officer Mikko Hypponen regarding the size of Tinba compared to that of Flame, the recently uncovered brother of Stuxnet and Duqu.

“To put Flame's size of 20MB into perspective, here's a full-blown banking trojan in 20kB. Flame is 1024 times larger,” he wrote on Twitter.

That being said, let’s take a look at what the Tiny Banker, also known as Zusy, can actually do and how it operates.

Similar to other banking Trojans, Tinba utilizes webinjects and Man-in-the-Browser attacks to trick the potential victim into handing over transaction authentication numbers (TANs), two-factor authentication codes, and other valuable details.

When executed, it uses an obfuscated injection routine that helps it avoid detection by security solutions. It then creates a new process called Version Reporter Applet (winvert.exe), located in the System folder.

However, that’s not the only process leveraged by Tinba. It also injects itself into processes such as svchost and explorer.

The malware uses four hardcoded domains to communicate with its command and control servers, which allows it to continue operating even if one of the domains fails to respond.

To compromise web browsers, the Trojan injects itself into processes such as firefox.exe and iexplorer.exe, allowing it to manipulate network traffic through the browser’s APIs.
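Two of the behaviours described above (the winvert.exe process dropped into the System folder, and the set of hardcoded fallback domains used to reach the command and control servers) are the kind of thing a defender can look for in endpoint telemetry. The following Python is an added example, not code from the article or from CSIS: it scans a few constructed process-creation and DNS events and flags a host that launches winvert.exe from the System folder, or that resolves two or more domains from a known C2 list. The domain names are placeholders; the article does not list the real ones, and the telemetry format is an assumed one-JSON-record-per-line shape.

```python
# Added example (not from the article or CSIS): scan constructed endpoint
# telemetry for two behaviours the article describes:
# (1) winvert.exe ("Version Reporter Applet") created in the Windows System folder;
# (2) one host querying several domains from a known C2 list, the pattern that
#     hardcoded fallback domains produce when the first one fails to answer.
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Placeholder C2 domain list; these are NOT the real Tinba domains.
KNOWN_C2_DOMAINS = {
    "c2-placeholder-1.example", "c2-placeholder-2.example",
    "c2-placeholder-3.example", "c2-placeholder-4.example",
}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SUSPECT_IMAGE = "winvert.exe"

# Constructed telemetry: one JSON record per line (process creation and DNS query events).
SAMPLE_EVENTS = r"""
{"type":"process","host":"ws01","image":"C:\\Windows\\System32\\winvert.exe","parent":"C:\\Users\\bob\\Downloads\\invoice.exe"}
{"type":"process","host":"ws02","image":"C:\\Program Files\\Vendor\\winvert.exe","parent":"C:\\Windows\\explorer.exe"}
{"type":"dns","host":"ws01","query":"c2-placeholder-1.example"}
{"type":"dns","host":"ws01","query":"c2-placeholder-3.example"}
{"type":"dns","host":"ws03","query":"c2-placeholder-2.example"}
{"type":"dns","host":"ws03","query":"www.example.org"}
"""


def in_system_dir(image: str) -> bool:
    """True when the image is winvert.exe living directly in a System folder."""
    p = PureWindowsPath(image)
    return p.name.lower() == SUSPECT_IMAGE and str(p.parent).lower() in SYSTEM_DIRS


def scan(lines: str, min_c2_hits: int = 2):
    """Return a list of (host, description, detail) findings.

    A single lookup of one listed domain is not reported by default: a host
    cycling through fallback domains is a stronger signal than one resolution,
    so the DNS rule fires only once a host has queried min_c2_hits of them.
    """
    findings = []
    c2_hits = defaultdict(set)  # host -> set of listed domains it queried
    for raw in lines.strip().splitlines():
        ev = json.loads(raw)
        if ev["type"] == "process" and in_system_dir(ev["image"]):
            findings.append((ev["host"], "winvert.exe created in System folder", ev["parent"]))
        elif ev["type"] == "dns":
            name = ev["query"].lower().rstrip(".")
            if name in KNOWN_C2_DOMAINS:
                c2_hits[ev["host"]].add(name)
    for host, domains in sorted(c2_hits.items()):
        if len(domains) >= min_c2_hits:
            findings.append((host, "multiple known C2 domains queried", sorted(domains)))
    return findings


if __name__ == "__main__":
    for host, what, detail in scan(SAMPLE_EVENTS):
        print(f"{host}: {what} ({detail})")
```

With the sample data, ws01 is reported twice (the process drop and two listed domains), ws02 is not reported because its winvert.exe sits under Program Files rather than the System folder, and ws03 is not reported because one C2 lookup is below the threshold; lowering `min_c2_hits` to 1 makes single lookups visible at the cost of more noise.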

“An interesting observation is the fact that Tinba will modify headers X-FRAME-Options thus being able to inject insecure non HTTPS supported elements from external servers/websites. Tinba, like its equals, targets financial websites, but only a very small list of specific URLs,” Peter Kruse, partner and security specialist at CSIS explained.
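The observation about X-Frame-Options ties two things together: once the header is stripped from a response, the page can be framed, and plain-http elements can then be mixed into what should be an all-HTTPS page. The Python below is an added example, not code from the article or from CSIS, showing how a defender-side check (a proxy log review, a synthetic monitoring probe, or a test suite) can parse a raw HTTPS response and report both conditions. The two responses are constructed, and the host names in them are placeholders.

```python
# Added example (not from the article or CSIS): parse a raw HTTP response and
# report (a) a missing or unexpected X-Frame-Options header and (b) plain-http://
# elements embedded in a page that was served over HTTPS.
import re

# Values we accept as intact framing protection. The obsolete ALLOW-FROM form is
# deliberately treated as unexpected so a reviewer looks at it.
VALID_XFO = {"deny", "sameorigin"}

# src/href attributes pointing at plain-http resources (scripts, frames, images, styles).
MIXED_CONTENT_RE = re.compile(r'''(?:src|href)\s*=\s*["']http://[^"']+["']''', re.IGNORECASE)

# Constructed sample: the header present and only HTTPS resources.
INTACT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    '<html><body><script src="https://bank-placeholder.example/app.js"></script></body></html>'
)

# Constructed sample: header removed, two plain-http elements injected.
TAMPERED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><script src="http://injected-placeholder.example/inject.js"></script>'
    "<iframe src='http://injected-placeholder.example/form'></iframe></body></html>"
)


def parse_response(raw: str):
    """Split a raw response into (status line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def check_response(raw: str, served_over_https: bool = True):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    _, headers, body = parse_response(raw)
    findings = []
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header missing: page can be framed by any origin")
    elif xfo.lower() not in VALID_XFO:
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")
    if served_over_https:
        insecure = MIXED_CONTENT_RE.findall(body)
        if insecure:
            findings.append(f"{len(insecure)} plain-http element(s) embedded in an HTTPS page")
    return findings


if __name__ == "__main__":
    for label, sample in (("intact", INTACT), ("tampered", TAMPERED)):
        print(label, check_response(sample) or ["ok"])
```

Header names are matched case-insensitively, so the `X-FRAME-Options` spelling in the quote and the canonical form are treated alike. Browsers enforce the header only when it is present in the response they receive, which is why a check like this has to run on the response as delivered to the client rather than on what the server sent.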

Finally, the expert also shares the same beliefs as Mikko Hypponen, stating that a piece of malware doesn’t necessarily have to be 20 megabytes in size to be effective.