CSIS Security Group researchers have discovered what they are calling the “World’s smallest trojan-banker,” a piece of malware that proves dangerous things can come in small packages. Given the hype surrounding Flame and its massive size of 20MB, the discovery of something one thousand times smaller, and still quite dangerous, puts things in perspective.
Researchers from CSIS Security Group have discovered a banking Trojan they are calling Tinba (tiny banker), also known as Zusy. It’s 20KB in size, but contains all the code needed to perform browser injections, circumvent two-factor authentication, and compromise financial data.
The browser injection templates used by Tinba are identical to those used by Zeus, and they can be modified to include special identifiers such as a bot-id. It has the ability to inject non-HTTPS elements into an HTTPS rendered webpage, and can intercept / manipulates traffic through several browser APIs.
“Yes, Tinba proves that malware with data stealing capabilities does not have to be 20MB of size,” commented Peter Kruse on the CSIS blog.
“Tinba is the smallest trojan-banker we have ever encountered and it belongs to a complete new family of malware which we expect to be battling in upcoming months. The code is approx 20KB in size (including config and webinjects) and comes simple and clear without any packing or advanced encryption. Antivirus detection of the analyzed samples is low.”
According to Kruse, Tinba targets just a short list of specific financial websites currently, but as he suggested, expect more to come from similar-style malware and variants that would expand that target list.