Researchers have spotted a new banking Trojan subbed ‘Tinba’ that appears to have hit on a simple tactic for evading security – be as small as possible.
An astonishing 20KB in size, Tinba (‘Tiny Banker’) retains enough sophistication to match almost anything that can be done by much larger malware types.
Its main purpose is to burrow into browsers in order to steal logins, but it can also use ‘obfuscated’ (i.e disguised) web injection and man-in-the-browser to attempt to finesse two-factor web authentication systems.
A particularly interesting feature is the way it tries to evade resident security, injecting itself into the Windows svchost.exe and explorer.exe processes, as well as Internet Explorer and Firefox to give itself access to traffic passing through those.
The malware connects to one or more of four command & control domains on an RC4-encrypted channel.
None of this is particularly unusual as malware goes but the getting this sort of feature set out of 20kb (including all injection routines) is the work of a developer that believes size matters and the smaller the better.
Reminiscent of the old-school viruses written in x86 assembler two decades ago, low detection rates among antivirus programs suggest that the technique could herald a new wave of diminutive malware attacks.
Infection levels are unknown but banking malware is often almost invisible until it suddenly isn’t as victims come to light.
“Yes, Tinba proves that malware with data stealing capabilities does not have to be 20MB of size,” said Peter Kruse of the Danish security firm CSIS that first noticed Tinba.
Kruse is referring, of course, to another piece of malware being celebrated for its enormous size, Flame. Publicised in the same few days, the contrast between little and large is apt - and sobering.