Tiny Banker Trojan
Tiny Banker Trojan (also known as Tinba) is a malware program that targets the customers of financial institutions through their web browsers. It belongs to the family of banking Trojans, an older class of malware built to steal online-banking credentials, but it is far smaller than its predecessors while retaining comparable capability. It works by intercepting the victim's web traffic (network sniffing) and carrying out man-in-the-browser attacks. Since its discovery it has been found targeting the customers of more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC and Bank of America.[1] It is designed to steal users' sensitive data, such as account login information and banking codes.
History
Tiny Banker, or Tinba for short, was first discovered in 2012, when it was found to have infected thousands of computers in Turkey. Its source code was later leaked online, and independent authors began producing their own revisions, which made the resulting variants harder for anti-malware vendors and financial institutions to detect.[2] Tinba follows the Zeus Trojan closely in design, using a very similar attack method to obtain the same information, but it is much smaller. At roughly 20 KB it was the smallest banking Trojan known at the time, and the small footprint leaves less for security software to find. For reference, an average web page is on the order of 1,000 KB, so the content Tinba adds to a banking page is small enough that an infected page differs very little from a clean one.
Operation
Tinba monitors the victim's network traffic (packet sniffing) to detect when the user navigates to a banking website. Like other man-in-the-browser Trojans, it does this from inside the browser process, so it sees page contents in the clear even on HTTPS connections. The malware can then take one of two actions, depending on the variant. In its most common form Tinba carries out a man-in-the-browser attack: it uses HTML injection (a "web inject") to alter the bank's genuine page as the browser renders it, so the user sees a page that looks and functions like the real one while the address bar still shows the bank's real URL. When the user submits their login details, Tinba captures them, displays the bank's own "incorrect login information" message, and then passes the user through to the genuine login. The user concludes they mistyped their credentials and carries on as normal, unaware that Tinba has already sent the credentials to its command-and-control host.
The second method Tinba has used is to let the user log in normally. Once the user is authenticated, the malware reads the page to extract the bank's logo and styling, then displays a pop-up in matching style announcing updates to the system and requesting additional information, such as Social Security numbers.[3] Most banks tell their customers that they will never ask for such information, precisely to blunt attacks of this kind. Tinba has been adapted to get around this defence: newer variants instead ask for the kind of information used in security questions, such as the user's mother's maiden name, which the attacker can later use to reset the account password.[4]
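Both techniques above rely on the browser rendering a page that differs from the one the bank's server sent: extra fields asking for a Social Security number or a security-question answer, and often a third-party script that carries the answers off to the attacker. The following is an added example, not Tinba's code or any bank's, of the kind of comparison a server-side or analyst-side integrity check can make between the page as served and the page as reported from the browser. The two HTML samples, the host name bank.example, the foreign script host and the list of sensitive field-name hints are all constructed for the illustration.

```python
"""Detect web-inject style tampering by diffing a login page as served
against the same page as rendered in the browser.

Added illustration, not Tinba's code or a bank's product.  A man-in-the-browser
Trojan edits the bank page after it arrives in the browser, so the form the
user sees can carry fields and scripts the server never sent.  Comparing the
two inventories exposes the additions.  All sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the login form exactly as the bank's server sends it.
SERVED_PAGE = """
<html><body>
<form id="login" action="/auth" method="post">
  <input type="hidden" name="csrf" value="c0ffee">
  <label>User ID <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Log in</button>
</form>
<script src="https://bank.example/static/app.js"></script>
</body></html>
"""

# Constructed sample: the same page after a web inject has added two fields of
# the kind described in the text and a script on a host the bank does not own.
RENDERED_PAGE = """
<html><body>
<form id="login" action="/auth" method="post">
  <input type="hidden" name="csrf" value="c0ffee">
  <label>User ID <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <label>Social Security Number <input type="text" name="ssn"></label>
  <label>Mother's maiden name <input type="text" name="mothers_maiden_name"></label>
  <button type="submit">Log in</button>
</form>
<script src="https://bank.example/static/app.js"></script>
<script src="https://cdn-stats.example/collect.js"></script>
</body></html>
"""

FIRST_PARTY_HOSTS = {"bank.example"}  # assumed allowlist for this example
# Substrings that mark a field as asking for data a bank says it never requests.
SENSITIVE_HINTS = ("ssn", "social", "maiden", "pin", "cvv", "card", "question")


class PageInventory(HTMLParser):
    """Collects named form fields and external script sources from one page."""

    def __init__(self):
        super().__init__()
        self.fields = {}   # field name -> input type, in document order
        self.scripts = []  # every <script src=...> URL, in document order
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif tag in ("input", "select", "textarea") and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("type") or "text"
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def inventory(html):
    parser = PageInventory()
    parser.feed(html)
    parser.close()
    return parser


def find_injections(served_html, rendered_html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return form fields and scripts present in the rendered page but absent from the served one."""
    served, rendered = inventory(served_html), inventory(rendered_html)
    injected_fields = []
    for name, ftype in rendered.fields.items():
        if name not in served.fields:
            sensitive = any(hint in name.lower() for hint in SENSITIVE_HINTS)
            injected_fields.append({"name": name, "type": ftype, "sensitive": sensitive})
    foreign_scripts = []
    for src in rendered.scripts:
        host = urlparse(src).hostname  # None for relative (first-party) paths
        if src not in served.scripts and host is not None and host not in first_party_hosts:
            foreign_scripts.append(src)
    return {"fields": injected_fields, "scripts": foreign_scripts}


if __name__ == "__main__":
    report = find_injections(SERVED_PAGE, RENDERED_PAGE)
    for field in report["fields"]:
        flag = "SENSITIVE" if field["sensitive"] else "unexpected"
        print(f"{flag}: injected field {field['name']!r} ({field['type']})")
    for src in report["scripts"]:
        print(f"foreign script loaded: {src}")
```

Run against the two constructed samples, the check reports the ssn and mothers_maiden_name fields as injected and sensitive and flags the cdn-stats.example script. The caveat is that the "rendered" inventory has to come from the browser, and a Trojan that already controls the browser can tamper with whatever reports it; a check like this is a detection signal to correlate with other telemetry, not a guarantee.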
Tinba also injects itself into other system processes to hide and persist, and it enrols the infected machine in a botnet as a zombie, a host the attacker controls without the owner's knowledge. To keep its connection to the botnet, Tinba carries four hard-coded command-and-control domains, so if one is taken down or stops responding the Trojan immediately falls back to one of the others.[5]
See also
- Command and control (malware)
- Zombie (computer science)
- Trojan horse (computing)
- Botnet
- Alureon
- Conficker
- Gameover ZeuS
- ZeroAccess botnet
- Regin (malware)
- Zeus (malware)
- Timeline of computer viruses and worms
References
- ↑ Virgillito, Dan. "'Tiny Banker' Malware Attempted At Customers Of US Banks". Massive Alliance. Retrieved 2016-02-28.
- ↑ "Modified Tiny Banker Trojan Found Targeting Major U.S. Banks". Entrust, Inc. Retrieved 2016-02-28.
- ↑ "'Tiny banker' malware targets US financial institutions". PCWorld. Retrieved 2016-02-28.
- ↑ "'Tiny Banker' Malware Targets Dozens of Major US Financial Institutions". The State of Security. Retrieved 2016-02-28.
- ↑ "Tiny 'Tinba' Banking Trojan Is Big Trouble". msnbc.com. Retrieved 2016-02-28.