The source code for a version of the Tinba malware was published last week on a private underground forum, Denmark-based CSIS Security Group reported on Thursday.
According to the security firm, the source code is roughly 2 Mb in size and it’s distributed along with complete documentation for the Trojan. It’s properly structured and it compiles without errors, they said. However, the source code is for version 1 of Tinba, which was circulated around 2011 and 2012, and has not been used in recent attacks.
“We don’t expect the source code of Tinba to become a major inspiration for IT-criminals as it was the case for ZeuS. However, making the code public increases the risk of new banker Trojans to arise based partially on Tinba source code,” Peter Kruse, the CTO of CSIS and the head of the company’s eCrime Unit, wrote in a blog post.
Tinba, which is also known as Tinybanker and Zusy, caught the attention of security companies in mid-2012 mainly due to its small size (approximately 20Kb, including Web injects and configuration). Similar to other banking Trojans, Tinba uses Man-in-the-Browser (MitB) tactics and injects code into webpages in an effort to trick users into handing over sensitive information.
In 2012, CSIS and Trend Micro published a research paper detailing a campaign aimed at users in Turkey. The attack, which targeted Turkish financial institutions, resulted in over 60,000 unique infections.
CSIS believes that at one point in 2012, the source code for version 1 of Tinba was sold or made public. New malware developers took over the project and made several improvements to the Trojan.
Tinba is not the only piece of malware whose source code has been made available. Threats such as Zeus, Carberp, BlackPOS, and Pony have all been improved after their source code was published. In some cases, the criminals combine code from two Trojans to create a new one; a perfect example is the recently identified Zberp, which is a combination of Carberp and Zeus.