Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older form of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as account login information and banking codes.
History
Spy eye used to install BAD LIMIT in local IP address,Only the Fake charges and Security cards of denomination of $500+ can be use as a BAD LIMIT reducer card in which SpyEye advertised features such as keyloggers, auto-fill Credit/Debit card modules will only be a mode of payment so that respective company can refund that security amount in same Credit/Debit cards, email backups, config files, Zeus killer, HTTP access, POP3 grabbers and FTP grabbers. Target users and institutions in the United States, United Kingdom, Mexico, Canada and India were the largest victims of SpyEye; the United States made up 97% of the institutions that fell victim of this malware.. It is a highly modified version of the Zeus Trojan, which had a very similar attack method to obtain the same information. Tinba, however, was found to be much smaller in size. The smaller size makes the malware more difficult to detect. At only 20KB, Tinba is much smaller than any other known Trojan. For reference, the median file size of a desktop web site is around 1,966KB.
Operation
Tinba operates using packet sniffing, a method of reading network traffic, to determine when a user navigates to a banking website. The malware can then launch one of two different actions, depending on the variation. In its most popular form, Tinba will Form grab the webpage causing a man-in-the-middle attack. The Trojan uses Form grabbing to grab keystrokes before they can be encrypted by HTTPS. Tinba then sends the keystrokes to a Command & Control. This in turn causes a user's information to be stolen. The second method that Tinba has used is to allow the user to log into the webpage. Once the user is in, the malware will use the page information to extract the company's logo and site formatting. It will then create a pop-up page informing the user of updates to the system, and requesting additional information, such as social security numbers. Most banking institutions inform their users that they will never ask for this information as a way to defend against these types of attacks. Tinba has been modified to address this defense, and has begun asking users for the type of information asked as security questions, such as the user's mother's maiden name, in an attempt for the attacker to use this information to reset the password at a later time. Tinba also injects itself into other system processes, in an attempt to convert the host machine into a zombie, an unwilling member in a botnet. In order to maintain connection in the botnet, Tinba is coded with four domains, so if one goes down or loses communication, the Trojan can look for one of the others immediately.