Trojan Tinba – Another Financial Crimeware
Introduction:
Security researchers recently found a very small stealer Trojan that targets certain financial institutions: it performs process injection and then loads a web-inject module into the browser, specifically on net-banking pages, similar to Zeus/SpyEye.
The samples I have used to describe Tinba are from Contagio (thank you, Mila).
Technical Details:
The Tinba files are between 19 KB and 20 KB in size. The sample was not packed; however, looking at it in PEiD showed the compiler to be MASM32/TASM32. Does this mean the sample was written in assembly language?
The compile timestamp of the sample suggests that it was compiled somewhere in May 2012, but there are also samples that go back to 2010 (this may be wrong).
Looking further at the code in IDA Pro, the sample uses an XOR routine to decrypt the actual Tinba code. Each sample holds a different key for the XOR. The sample that I have taken for analysis used the key 0xBF.
First it calls VirtualAlloc to allocate a region, then changes the page protection to PAGE_EXECUTE_READWRITE by calling VirtualProtect with 0x40 as the flNewProtect parameter. It then decrypts the code by XORing it with the key 0xBF and copies the decrypted routine into the newly allocated region byte by byte using the STOS BYTE PTR ES:[EDI] instruction. From there, control is passed to the newly allocated region, where the actual Tinba code resides.
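A single-byte XOR layer like the one described above is trivial to strip once the key is known, and just as easy to recover when it is not. The following is an added analyst helper, not code from the original post or from the Tinba sample: it tries all 256 single-byte keys against a blob and scores each candidate for PE artifacts (an "MZ" header, the DOS-stub string, the "PE\0\0" signature). The encrypted blob it runs on is constructed inline from a fake DOS stub, not real malware data.

```python
from typing import Optional, Tuple

# Added example (not from the original post): recover a single-byte XOR key by
# brute force, scoring candidates for PE artifacts. The input below is a
# constructed stand-in, not a real Tinba sample.

DOS_STUB_STRING = b"This program cannot be run in DOS mode"
PE_SIGNATURE = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (the scheme described in the post)."""
    return bytes(b ^ key for b in data)


def score_candidate(decoded: bytes) -> int:
    """Count PE-related markers in a candidate plaintext; 0 means 'looks random'."""
    score = 0
    if decoded[:2] == b"MZ":          # DOS header magic at offset 0
        score += 2
    if DOS_STUB_STRING in decoded:    # classic DOS stub message
        score += 1
    if PE_SIGNATURE in decoded:       # NT header signature somewhere in the image
        score += 1
    return score


def recover_xor_key(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 keys; return (key, plaintext) of the best-scoring candidate, or None."""
    best = None  # (score, key, plaintext)
    for key in range(256):
        candidate = xor_bytes(blob, key)
        s = score_candidate(candidate)
        if s > 0 and (best is None or s > best[0]):
            best = (s, key, candidate)
    if best is None:
        return None
    return best[1], best[2]


# Constructed stand-in: a fake DOS stub encrypted with the key the post names (0xBF).
FAKE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB_STRING + b".\r\n$"
CONSTRUCTED_BLOB = xor_bytes(FAKE_STUB, 0xBF)

if __name__ == "__main__":
    result = recover_xor_key(CONSTRUCTED_BLOB)
    if result is None:
        print("no single-byte XOR key produced PE artifacts")
    else:
        key, plain = result
        print(f"key=0x{key:02X}, plaintext starts with {plain[:2]!r}")
```

On a real sample you would carve the encrypted region out of the dropper (the bytes that the STOS loop reads) and pass it as `blob`; a key that scores 0 for every candidate usually means the layer is not a plain single-byte XOR and a different decoder is needed.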
It creates a new winver.exe process and injects the Tinba code into the address space of winver.exe. Part of the code is below:
Finally the code is injected into the address space of explorer.exe. The malware copies itself to %ALLUSERSPROFILE%\Application Data\bin.exe.
Similar to Zeus/SpyEye, Tinba downloads the configuration file cfg.dat and the web-injection module web.dat from a remote server. Five domains were involved in the sample I analyzed. Those are:
- dakotavolandos.com
- dak1otavola1ndos.com
- dako22tavol2andos.com
- d3akotav33olandos.com
- d4ak4otavolandos.com
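The five domains above are the most actionable indicators in this write-up. The block below is an added detection example, not code from the original post: it matches proxy-log entries against that domain list, including any subdomain of a listed domain, and handles both plain URLs and CONNECT tunnel entries. The log lines are constructed in Squid's native access-log layout for demonstration; the client and destination addresses are placeholders.

```python
from typing import Iterable, List, Set
from urllib.parse import urlsplit

# Added example (not from the original post): scan proxy-log lines for the
# Tinba domains listed in the write-up. Sample log lines are constructed.

TINBA_DOMAINS: Set[str] = {
    "dakotavolandos.com",
    "dak1otavola1ndos.com",
    "dako22tavol2andos.com",
    "d3akotav33olandos.com",
    "d4ak4otavolandos.com",
}


def host_matches(host: str, blocklist: Set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def host_from_request(url_field: str) -> str:
    """Extract the host from a proxy-log URL field ('http://h/p' or 'h:443' for CONNECT)."""
    if "://" in url_field:
        return urlsplit(url_field).hostname or ""
    return url_field.rsplit(":", 1)[0]   # CONNECT entries are 'host:port'


def scan_proxy_log(lines: Iterable[str], blocklist: Set[str] = TINBA_DOMAINS) -> List[str]:
    """Return the log lines whose requested host is on the blocklist.

    Assumes Squid native format: time elapsed client code/status bytes method URL ...
    (the URL is the 7th whitespace-separated field)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        host = host_from_request(parts[6])
        if host and host_matches(host, blocklist):
            hits.append(line)
    return hits


# Constructed sample log: one config fetch, one benign request, one TLS tunnel.
SAMPLE_LOG = [
    "1337000001.123    245 10.0.0.5 TCP_MISS/200 1843 GET http://dak1otavola1ndos.com/cfg.dat - DIRECT/203.0.113.10 application/octet-stream",
    "1337000002.456     12 10.0.0.5 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html",
    "1337000003.789    301 10.0.0.7 TCP_TUNNEL/200 9981 CONNECT d4ak4otavolandos.com:443 - DIRECT/203.0.113.11 -",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("TINBA C2 contact:", hit)
```

Matching on the host rather than on a substring of the whole line avoids false positives from referrers or query strings, and the suffix check catches look-alike subdomains without also catching unrelated names that merely end in the same letters.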
It modifies the security settings of Mozilla Firefox to suppress the security warning displayed when insecure HTML content is contained in an SSL-encrypted page:
- user_pref("security.warn_submit_insecure", false);
- user_pref("security.warn_viewing_mixed", false);
The web-injection module seems to be similar to that of Zeus. Other variables used by the Tinba Trojan include:
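Because these two preferences are written into the profile's prefs.js as ordinary user_pref lines, a host-based check can flag them. The following is an added example, not code from the original post: it parses prefs.js-style text and reports any of the warning preferences named above that have been explicitly set to false. The prefs content is constructed for the demonstration; the reader is assumed to point `audit_prefs_file` at a real profile path.

```python
import re
from typing import Dict, List

# Added example (not from the original post): detect Firefox prefs.js entries
# that silence the mixed-content / insecure-submit warnings. Sample content
# below is constructed.

# Preferences the post names; an explicit "false" is treated as a finding.
WARNING_PREFS = [
    "security.warn_submit_insecure",
    "security.warn_viewing_mixed",
]

# user_pref("name", value);  where value is a bool, an integer or a quoted string
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$')


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref_name: raw_value} for every well-formed user_pref line."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def find_silenced_warnings(text: str) -> List[str]:
    """Names of warning prefs explicitly set to false, in WARNING_PREFS order."""
    prefs = parse_prefs(text)
    return [name for name in WARNING_PREFS if prefs.get(name) == "false"]


def audit_prefs_file(path: str) -> List[str]:
    """Convenience wrapper for a real profile's prefs.js or user.js."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_silenced_warnings(fh.read())


# Constructed prefs.js content resembling what the post describes.
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("network.cookie.cookieBehavior", 0);
"""

CLEAN_PREFS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
"""

if __name__ == "__main__":
    for name in find_silenced_warnings(SAMPLE_PREFS):
        print("warning disabled:", name)
```

An explicit false for either preference in a managed environment is unusual enough to be worth an alert; the same parser can be extended to other security.* preferences that a given malware family tampers with.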
- %SAVEDATA_*=*%
- %BOTUID%
- %BOTDATA_*%
An uncommon feature of Tinba is that it modifies the X-Frame-Options HTTP response header. According to Mozilla, “X-Frame-Options is a security enhancement implemented in Firefox. This optional header can be included within the HTTP response to instruct the client’s browser on whether the returned content is allowed to be framed by other pages. A website can choose to include the X-Frame-Options header to protect against malicious framing of web content by third parties.”
So the valid parameters are:
- DENY
- SAMEORIGIN
- ALLOW-FROM origin
However, based on the code, the parameter appears to be rewritten to “My-gj”.
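A browser that receives an unrecognised X-Frame-Options value ignores the header, so rewriting it to a nonsense token silently removes the framing protection. The block below is an added example, not code from the original post: it pulls X-Frame-Options out of a raw HTTP response and classifies the value against the three forms listed above, flagging anything else as invalid. The two responses are constructed; the "My-gj" value is the one the post reports.

```python
import re
from typing import Dict, Optional, Tuple

# Added example (not from the original post): validate the X-Frame-Options
# value seen in an HTTP response. Responses below are constructed.

VALID_SIMPLE = {"DENY", "SAMEORIGIN"}
# ALLOW-FROM takes a single origin (scheme://host[:port]); directive is case-insensitive
ALLOW_FROM_RE = re.compile(r"^ALLOW-FROM\s+(https?://[^\s/]+)/?$", re.IGNORECASE)


def classify_xfo(value: str) -> Tuple[str, str]:
    """Return ('valid', normalised_value) or ('invalid', raw_value)."""
    v = value.strip()
    if v.upper() in VALID_SIMPLE:
        return "valid", v.upper()
    m = ALLOW_FROM_RE.match(v)
    if m:
        return "valid", "ALLOW-FROM " + m.group(1)
    return "invalid", v


def get_header(raw_response: bytes, name: str) -> Optional[str]:
    """Return the first header called `name` from a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" not in line:
            continue
        key, val = line.split(":", 1)
        if key.strip().lower() == name.lower():
            return val.strip()
    return None


def check_response(raw_response: bytes) -> Dict[str, Optional[str]]:
    """Summarise the framing protection a response carries."""
    xfo = get_header(raw_response, "X-Frame-Options")
    if xfo is None:
        return {"verdict": "missing", "value": None}
    verdict, detail = classify_xfo(xfo)
    return {"verdict": verdict, "value": detail}


# Constructed responses: what the server sent, and what the post describes the
# browser seeing after Tinba's rewrite.
EXPECTED = (b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
            b"Content-Type: text/html\r\n\r\n<html></html>")
TAMPERED = (b"HTTP/1.1 200 OK\r\nX-Frame-Options: My-gj\r\n"
            b"Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, resp in (("expected", EXPECTED), ("tampered", TAMPERED)):
        print(label, check_response(resp))
```

For detection in practice, fetch the same page out of band (from a clean host or the bank's own monitoring) and compare `check_response` results: a server that sends SAMEORIGIN while an endpoint reports "invalid" for the same URL points at in-browser tampering rather than a server misconfiguration.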
Conclusion:
To stay protected, update your antivirus software and block the domains related to the Tinba Trojan.