Source Code Leaked For Tinba Banking Trojan

← Back to Stories (view on slashdot.org)

Source Code Leaked For Tinba Banking Trojan

Posted by timothy on Saturday July 12, 2014 @03:43PM from the small-can-be-potent dept.

msm1267 (2804139) writes "The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit. Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of "tiny banker," and researchers say that it's only about 20 KB in size."

31 of 75 comments (clear)

Min score:

Reason:

Sort:

20k by Anonymous Coward · 2014-07-12 15:51 · Score: 5, Funny

this makes the trojan the least bloaty program on the average windows PC.
1. Re:20k by CaptnZilog · 2014-07-12 16:25 · Score: 5, Insightful
  
  If we could get the hired at MS maybe windows could run on a 256M machine. :P
2. Re:20k by buckfeta2014 · 2014-07-12 17:00 · Score: 2
  
  With a size that small, I have to assume the security hole in windows is either really huge, or the virus is written in assembly.
  
  --
  Buck Feta. You know what to do.
3. Re:20k by Anonymous Coward · 2014-07-12 22:21 · Score: 1
  
  It's both.
  TFA confirms that it's written in assembly and saying that the security holes in Windows are really huge, well, that's just common knowledge.
The Gay Mafia? by Anonymous Coward · 2014-07-12 16:12 · Score: 2, Funny

Hold me closer Tiny Banker...
Tinba! by Anonymous Coward · 2014-07-12 16:22 · Score: 4, Funny

His arms wide...
Re:Kudos to Dennis Fisher by Anonymous Coward · 2014-07-12 16:27 · Score: 3, Insightful

You're already on it.
Windows DLL injection attack vector. by Animats · 2014-07-12 19:38 · Score: 5, Interesting

Remind me again why Windows has the capability to "inject" a new DLL into a running process from outside the process.
1. Re:Windows DLL injection attack vector. by Anonymous Coward · 2014-07-12 19:48 · Score: 5, Insightful
  
  I'm sure the NSA will let us know is due course.
2. Re:Windows DLL injection attack vector. by Anonymous Coward · 2014-07-12 20:35 · Score: 2, Interesting
  
  One reason could be to have the ability to extend the functionality of other programs. For example, back in the MSN Messenger/Windows Live Messenger days, there was a program called Messenger Plus!, which added lots of functionality to MSN/WLM. I don't think it would had been possible without DLL injection.
3. Re:Windows DLL injection attack vector. by SeaFox · 2014-07-12 20:38 · Score: 4, Informative
  
  Remind me again why a free, "superior" operating system couldn't gain any appreciable market share in the consumer space
  Because consumers will generally buy what they're convinced they should by marketing before they get off their butts and actually do research and then make choices. Windows has a major corporation pushing out advertising backing it. Whereas for much of Linux's existence it's coding was a volunteer effort, let alone having paid marketing. Why did Betamax, the superior video cassette tape format, lose to beta? The consumer space was flooded by JVC pushing licensing to anyone, unlike the more restrictive Sony -- gee, kinda like IBM/PC vs Macintosh.
4. Re: Windows DLL injection attack vector. by Anonymous Coward · 2014-07-12 21:45 · Score: 1
  
  Doesn't even need to be a DLL. You can allocate memory in a remote process via virtualalloc and the put you malicious code in the other processesemory. From there you just use createremotethread and bobs your uncle, your running your code from inside another application with full access to its memory space.
5. Re:Windows DLL injection attack vector. by stderr_dk · 2014-07-12 22:32 · Score: 1
  
  Why did Betamax, the superior video cassette tape format, lose to beta?
  Uh! I know this one! Because "Fuck Beta"?
  
  --
  alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr
6. Re:Windows DLL injection attack vector. by Anonymous Coward · 2014-07-12 22:34 · Score: 1
  
  Since it is useful for extending programs you do not have the source of. We use it a lot in our company to make measurement software write to an OML database without having to screenscrape its windows.
  You can do this with linux too, via /dev/(k)mem, but it is much less clean.
7. Re:Windows DLL injection attack vector. by Anonymous Coward · 2014-07-12 23:03 · Score: 1
  
  no need for that. you just use LD_PRELOAD.
8. Re:Windows DLL injection attack vector. by JonathanR · 2014-07-12 23:23 · Score: 1
  
  As it happens, the fucks were on VHS.
9. Re:Windows DLL injection attack vector. by penix1 · 2014-07-12 23:56 · Score: 1
  
  I am agreeing with what you said putting aside the beta/VHS blunder....
  But there is a more direct way it happened that Windows got more market share... Namely, it is what comes with most, if not all, new consumer x86 based computers. It is just about impossible to get a supported Linux computer and by supported I mean one that will solve problems with the programming not just the hardware.
  So to recap, it isn't solely marketing that gives MS their dominance but their partnering with OEMs and to a lesser extent their abuse of their monopoly to keep competing operating systems off new machines.
  
  --
  This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
10. Re:Windows DLL injection attack vector. by Anonymous Coward · 2014-07-13 00:11 · Score: 1
  
  You missed the point. Notice the word "superior" was in quotes. Linux is only considered superior by Linux zealots and FOSS advocates. While the kernel itself is reliable and effect enough to be considered acceptable, the desktop environment and software ecosystem is a fucking disaster that literally screams, "this is amateur shit!", largely because it is crafted by volunteers. Note that 75% of Linux kernel development is done by paid developers.
11. Re:Windows DLL injection attack vector. by ComputerGeek01 · 2014-07-13 02:04 · Score: 4, Informative
  
  Damn it, you're going to make me burn the mod points I have already spent in this thread to educate the other *nix fan boys like you. First of all Windows offers a boat load more process memory protection then most other major Linux distros out there which is why DLL injection is necessary in the first place where as in Linux I can just dump the data I want from any memory page I damn well please once I'm running on the remote system. UAC may have been a bit late to the game but it's here now. However despite this solid protections scheme Windows must still remain functional for developers, so the WinAPI is forced to offer some method of run-time debugging for most processes (it does NOT allow this for all of them; things like csrss and lsass are off limits). DLL injection is accomplished by first locating the load point of the Kernel32 DLL in the target process and then going to the offset where the exported GetProcAddress() and LoadLibrary() functions are and invoking them through CreateRemoteThread(). Before even that occurs though the strings that all three of those functions rely on have to already be present in the remote process, this is done with first allocating the memory with VirtualAllocEx() and then writing to it with WriteProcessMemory(). In order for any part of this operation to be possible the end user would have had to of allowed the infection to enable the SeDebug privilege for the malicious process in the first place. Meaning that at some point the end user f***ed the pooch all on their own without Evil Old Microsoft having done anything stupid. Further more absolutely NONE of this would be in the slightest bit relevant if the information was encrypted in process to begin with and that is the fault of the banking systems software vendor. So get off of your wooden high horse, a well documented API being utilized by incompetent third parties is not an insecure one.
12. Re:Windows DLL injection attack vector. by EvilJoker · 2014-07-13 06:28 · Score: 1
  
  What defines "superior" and "good" vary by user. While there are many who point out that Beta had better picture quality, the feature that most users wanted was length of recording. Therefore, the "better" option was VHS.
  The purpose of marketing is to sell a product, specifically the product you are marketing. There is plenty of counter-marketing, and people will generally decide based on that. While JVC (etc) were promoting a cheaper machine, with a longer recording time, Beta was promoted for picture quality. Consumers chose the former.
  Most end-users are given the options of buying a Mac (ready to go), buying a Windows PC (ready to go), or building a PC, installing Linux themselves, and hoping it all goes well, and then having very little support if it doesn't. For people that just want to do e-mail and web-browsing, this is going to be a very tough sell.
13. Re:Windows DLL injection attack vector. by Anonymous Coward · 2014-07-13 08:06 · Score: 1
  
  Sounds like swe have a faggot M$ $hill here. Someone downmod this faggot. I disagree.
14. Re:Windows DLL injection attack vector. by Nkwe · 2014-07-13 09:38 · Score: 1
  
  Remind me again why Windows has the capability to "inject" a new DLL into a running process from outside the process.
  Because if you have root you can do anything (technically possible).
15. Re:Windows DLL injection attack vector. by Calavar · 2014-07-13 17:39 · Score: 1
  
  Proponents of the Linux desktop can't use the marketing excuse anymore: Ubuntu is commercially backed with plenty of advertising money, but it has not taken the desktop by storm. Why? Usability. The Linux ecosystem was designed by programmers for programmers, so Linux apps are built with a command line interface that works perfectly and a GUI that's tacked on as an afterthought.
  Sure, you and I don't have a problem with messing ifconfig if the Wicd GUI crashes, but what about your grandma? Forget that, what about your non-programmer cousin? And let's not ignore the fact that the Wicd GUI, despite being a GUI, is still pretty complicated compared to the Windows network manager. If you want to connect to a network in Windows, you go to Networks and Sharing, click on the network you want, enter the password, and boom, you're done. With Wicd, the first option you see when you select a WPA network is "WPA Supplicant Driver" and below that you see "Use dBm to measure signal strength." When you enter the password, there is a box to "Use these settings for all networks sharing this essid." That's an awful lot of jargon, and it scares laypeople away.
  Linux excels where usability for the layperson is not an issue. That's why it dominates the server market: sysadmins feel most at home on the terminal.
That IS a great question... apk by Anonymous Coward · 2014-07-12 22:58 · Score: 1

One I've often wondered about myself. Makes NO sense coming from an EXTERNAL process (ala viruses), since yes, the DLL is sensible to have around in & of itself (to extend a program AND entire OS with an "object-oriented" if not "object request broker" style statndardized function set that's proven paradigm, via say, the LoadLibrary API function (not sure if THAT is the Win16/32/64 PE call specifically, especially out of kernelmode native API that is (even NTDLL has LoadLibrary though iirc... however, I just use it through compiler's individual commandsets mostly as is & don't GENERALLY pay attention to the "origination area" particulars, unless I require speed and minimimalizing context switching overheads between usermode & kernelmode, vs. message passing overheads etc. - I just use what works best, for what's needed @ the time (screw technical esoterica, in other words, lol!)).
HOWEVER, WHY WHAT YOU SAID?
This poster made a great point on that (missed buffer overflow usage imo but did a good job of it) -> http://yro.slashdot.org/commen... and his "Bob's Your Uncle" gave him away CLEARLY as a "limey" (but his insight shows he's a credit to the brits imo).
It *may* have to do with COM/DCOM/OLE etc. though (specifically REMOTE types though, not straight local OLE or COM, but more DCOM)... see, that is where I get "dim" on it myself (admittedly), though however?
THERE it *might* make sense to have it available!
I.E.-> to be ABLE to remotely (in distributed computing using DCOM) inject and enhance the remote OTHER running EXTERNAL process on ANOTHER remote system!
(apartment multithread types)
Since apartment type doesn't use windows messaging I noted above, AND, dealing in "out of process" execution models, vs. IN PROCESS types.
May have less overheads, better extensibility, etc.
APK
P.S.=> That's a great question of yours, & it might take a better coder than ME to answer it right is all - I can only speculate a bit here pointing out what i did... Hope I didn't sound TOO "fuzzy" there, since I am only speculating on what I DO know & use, regularly... I don't do a LOT of DCOM work is why! apk
So 640k... by JonathanR · 2014-07-12 23:20 · Score: 1

is plenty after all.
And? by ledow · 2014-07-13 00:37 · Score: 1

It's not difficult to write a malicious program that can steal data as the user it runs. In fact, it's trivially easy, and your homebrew program will almost certainly avoid every antivirus signature with the minimum of tweaking and testing.
Exploiting holes is harder, but there's always a PoC code somewhere if you dig enough, especially if you are subscribed to security lists. And there you might have to do a little tweaking/testing but with VM's and debugging toolkits, it's not hard for any proficient programmer.
Quite what the news is here, I don't know. Almost every virus in existence has "variants" that aren't made by the same author - people take and either hexedit or have access to enough source-code to outright clone a virus. It's all out there if you look hard enough.
But, honestly, if you want to write one, a teenager could do it. Whether it "goes viral" is more to do with how easily it spreads and how many people you can get to run it before it gets noticed. I work in schools, and "viruses" written by the bright kids can spread through the school in a matter of days.
Given that, the number of viruses used with actual malicious intent is extremely low.
Go ahead - write a program with viral attributes and compile it with a random compiler. Guarantee you you could infect your workplace, not show up on an anti-virus signature, and do much nastier things than steal some data that passes through memory in plaintext.
Which is why we should be running a permissions-based security, or at worst a signature whitelist and NOT a signature blacklist like AV operates on. The very existence of AV still makes me laugh at humanity.
Re:Addendum/small correction... apk by Anonymous Coward · 2014-07-13 00:44 · Score: 1

Another Paranoid Kook
For those who are interested by Fnord666 · 2014-07-13 04:36 · Score: 1

For those who are interested, here is a link to the post on opensc that contains the source code download. You will need to register for an account before downloading.

--
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
1. Re:For those who are interested by xeroized · 2014-07-14 02:38 · Score: 1
  
  For those who are interested, here is a link to the post on opensc that contains the source code download. You will need to register for an account before downloading.
  That URL is incorrect to the source. Correct URL is: https://www.opensc.ws/leaked-s...
"Only" 20 KB? by aaaaaaargh! · 2014-07-13 05:59 · Score: 1

What's wrong with those Trojan authors nowadays? There are whole programming language implementations that run in less than 20KB!
Don't they code in assembler any more?
Re:So where is the source then? by EvilJoker · 2014-07-13 06:33 · Score: 1

Legally, you're probably correct. However, for that to be an issue, someone would have to come forward and claim ownership of the code. This would open the author to all sorts of criminal charges.
I suspect the source is not linked, for the same reason that MythBusters won't show all of their stuff. It doesn't really improve the report, and it would only help copycats looking to exploit it for personal gain. Anyone with a professional interest would find it quickly enough anyway.