TinyBanker banking Trojan source code leaked online

A few years ago, our colleagues from CSIS Security Group were the first to write about the smallest banking Trojan “Tiny Banker” (aka Tinba, Zusy), which was known at that time. The size of the executable file is only about 20KB, as the authors used assembler for writing. Like many banking trojans, it uses the technique of injecting (injecting) its code into the browser and intercepts the necessary API calls there to steal confidential banking data through the form grabbing and web injection mechanism (the so-called Man-in-the-Browser attack ) Found ESET: Win32 / Tinba , Microsoft: Trojan: Win32 / Tinba.A , Symantec: Trojan.Tinba .

Recently, in one of the underground forums, information appeared that the texts of the first version of Tinba are available for download. The archive includes the source code of the bot, as well as the control panel, which attackers can use to obtain information about the operation of the bots. Tinba is focused on the popular web browsers MS Internet Explorer, Mozilla Firefox and Google Chrome, which is confirmed by the source code.


Fig. Tinba bot source code. You can see the files responsible for the form grabbing browsers.


Fig. Information about the sources in a closed forum.

It is hard to overestimate the consequences of revealing such source codes of malicious programs, as this will enable attackers to create modified versions of this trojan using an open source code base. Last summer wethey wrote about the leak of the giant Carberp source archive, on the basis of which a number of new malicious programs have already been created.

One of the first versions of the malicious program based on these sources:

SHA256: 8cc5050f513ed22780d4e85857a77a1fb2a3083d792cd550089b64e1d2ef58e9
File size: 19968 bytes