Source Code Leaked For Tinba Banking Trojan 75
msm1267 (2804139) writes "The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit. Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of "tiny banker," and researchers say that it's only about 20 KB in size."
20k (Score:5, Funny)
this makes the trojan the least bloaty program on the average windows PC.
Re:20k (Score:5, Insightful)
If we could get the hired at MS maybe windows could run on a 256M machine. :P
Re: (Score:2)
Re: (Score:1)
It's both.
TFA [www.csis.dk] confirms that it's written in assembly and saying that the security holes in Windows are really huge, well, that's just common knowledge.
Kudos to Dennis Fisher (Score:1)
Even if it does appear on a page with a prominent link to another article which misuses the term 'hackers' in its very title. I am sure that was beyond his personal control.
Also it sounds like some really good programming! 20kb compiled, and full functional. From <a href="https://www.csis.dk/en/csis/news/4303/">this report</a> it appears that it's written in assembler. Does anyone have a link to the actual code?
Re: (Score:3, Insightful)
You're already on it.
The Gay Mafia? (Score:2, Funny)
Hold me closer Tiny Banker...
Who leaked it? (Score:1)
Tinba! (Score:4, Funny)
His arms wide...
Windows DLL injection attack vector. (Score:5, Interesting)
Remind me again why Windows has the capability to "inject" a new DLL into a running process from outside the process.
Re:Windows DLL injection attack vector. (Score:5, Insightful)
I'm sure the NSA will let us know is due course.
Re:Windows DLL injection attack vector. (Score:5, Informative)
Remind me again why a free, "superior" operating system couldn't gain any appreciable market share in the consumer space
Because consumers will generally buy what they're convinced they should by marketing before they get off their butts and actually do research and then make choices. Windows has a major corporation pushing out advertising backing it. Whereas for much of Linux's existence it's coding was a volunteer effort, let alone having paid marketing. Why did Betamax, the superior video cassette tape format, lose to beta? The consumer space was flooded by JVC pushing licensing to anyone, unlike the more restrictive Sony -- gee, kinda like IBM/PC vs Macintosh.
Re: (Score:1)
Why did Betamax, the superior video cassette tape format, lose to beta?
Uh! I know this one! Because "Fuck Beta"?
Re: (Score:2)
As it happens, the fucks were on VHS.
Re: (Score:2)
I am agreeing with what you said putting aside the beta/VHS blunder....
But there is a more direct way it happened that Windows got more market share... Namely, it is what comes with most, if not all, new consumer x86 based computers. It is just about impossible to get a supported Linux computer and by supported I mean one that will solve problems with the programming not just the hardware.
So to recap, it isn't solely marketing that gives MS their dominance but their partnering with OEMs and to a lesser exte
Re: (Score:1)
You missed the point. Notice the word "superior" was in quotes. Linux is only considered superior by Linux zealots and FOSS advocates. While the kernel itself is reliable and effect enough to be considered acceptable, the desktop environment and software ecosystem is a fucking disaster that literally screams, "this is amateur shit!", largely because it is crafted by volunteers. Note that 75% of Linux kernel development is done by paid developers.
Re: (Score:2)
Proponents of the Linux desktop can't use the marketing excuse anymore: Ubuntu is commercially backed with plenty of advertising money, but it has not taken the desktop by storm. Why? Usability. The Linux ecosystem was designed by programmers for programmers, so Linux apps are built with a command line interface that works perfectly and a GUI that's tacked on as an afterthought.
Sure, you and I don't have a problem with messing ifconfig if the Wicd GUI crashes, but what about your grandma? Forget that, what
Re: (Score:2)
What defines "superior" and "good" vary by user. While there are many who point out that Beta had better picture quality, the feature that most users wanted was length of recording. Therefore, the "better" option was VHS.
The purpose of marketing is to sell a product, specifically the product you are marketing. There is plenty of counter-marketing, and people will generally decide based on that. While JVC (etc) were promoting a cheaper machine, with a longer recording time, Beta was promoted for picture q
Re: (Score:2, Interesting)
One reason could be to have the ability to extend the functionality of other programs. For example, back in the MSN Messenger/Windows Live Messenger days, there was a program called Messenger Plus!, which added lots of functionality to MSN/WLM. I don't think it would had been possible without DLL injection.
Re: Windows DLL injection attack vector. (Score:1)
Doesn't even need to be a DLL. You can allocate memory in a remote process via virtualalloc and the put you malicious code in the other processesemory. From there you just use createremotethread and bobs your uncle, your running your code from inside another application with full access to its memory space.
Re: (Score:1)
Since it is useful for extending programs you do not have the source of. We use it a lot in our company to make measurement software write to an OML database without having to screenscrape its windows.
You can do this with linux too, via /dev/(k)mem, but it is much less clean.
Re: (Score:1)
no need for that. you just use LD_PRELOAD.
That IS a great question... apk (Score:1)
One I've often wondered about myself. Makes NO sense coming from an EXTERNAL process (ala viruses), since yes, the DLL is sensible to have around in & of itself (to extend a program AND entire OS with an "object-oriented" if not "object request broker" style statndardized function set that's proven paradigm, via say, the LoadLibrary API function (not sure if THAT is the Win16/32/64 PE call specifically, especially out of kernelmode native API that is (even NTDLL has LoadLibrary though iirc... however, I
Re: (Score:1)
Another Paranoid Kook
Re:Windows DLL injection attack vector. (Score:5, Informative)
Damn it, you're going to make me burn the mod points I have already spent in this thread to educate the other *nix fan boys like you. First of all Windows offers a boat load more process memory protection then most other major Linux distros out there which is why DLL injection is necessary in the first place where as in Linux I can just dump the data I want from any memory page I damn well please once I'm running on the remote system. UAC may have been a bit late to the game but it's here now. However despite this solid protections scheme Windows must still remain functional for developers, so the WinAPI is forced to offer some method of run-time debugging for most processes (it does NOT allow this for all of them; things like csrss and lsass are off limits). DLL injection is accomplished by first locating the load point of the Kernel32 DLL in the target process and then going to the offset where the exported GetProcAddress() and LoadLibrary() functions are and invoking them through CreateRemoteThread(). Before even that occurs though the strings that all three of those functions rely on have to already be present in the remote process, this is done with first allocating the memory with VirtualAllocEx() and then writing to it with WriteProcessMemory(). In order for any part of this operation to be possible the end user would have had to of allowed the infection to enable the SeDebug privilege for the malicious process in the first place. Meaning that at some point the end user f***ed the pooch all on their own without Evil Old Microsoft having done anything stupid. Further more absolutely NONE of this would be in the slightest bit relevant if the information was encrypted in process to begin with and that is the fault of the banking systems software vendor. So get off of your wooden high horse, a well documented API being utilized by incompetent third parties is not an insecure one.
Re: (Score:1)
Sounds like swe have a faggot M$ $hill here. Someone downmod this faggot. I disagree.
Re: (Score:2)
Remind me again why Windows has the capability to "inject" a new DLL into a running process from outside the process.
Because if you have root you can do anything (technically possible).
Re: (Score:2)
Legally, you're probably correct. However, for that to be an issue, someone would have to come forward and claim ownership of the code. This would open the author to all sorts of criminal charges.
I suspect the source is not linked, for the same reason that MythBusters won't show all of their stuff. It doesn't really improve the report, and it would only help copycats looking to exploit it for personal gain. Anyone with a professional interest would find it quickly enough anyway.
So 640k... (Score:2)
is plenty after all.
And? (Score:2)
It's not difficult to write a malicious program that can steal data as the user it runs. In fact, it's trivially easy, and your homebrew program will almost certainly avoid every antivirus signature with the minimum of tweaking and testing.
Exploiting holes is harder, but there's always a PoC code somewhere if you dig enough, especially if you are subscribed to security lists. And there you might have to do a little tweaking/testing but with VM's and debugging toolkits, it's not hard for any proficient pro
For those who are interested (Score:2)
Re: (Score:1)
For those who are interested, here is a link [opensc.ws] to the post on opensc that contains the source code download. You will need to register for an account before downloading.
That URL is incorrect to the source. Correct URL is: https://www.opensc.ws/leaked-s... [opensc.ws]
"Only" 20 KB? (Score:2)
What's wrong with those Trojan authors nowadays? There are whole programming language implementations that run in less than 20KB!
Don't they code in assembler any more?