Tiny Trojan Targets Turkish Users

Cybercrime gang tied to various nefarious and malicious activities now employing a powerful mini-Trojan

Dark Reading Staff, Dark Reading

September 14, 2012

2 Min Read
Dark Reading logo in a gray background | Dark Reading

It's small -- as in 20 kilobytes small -- but the tiny banking Trojan based on the infamous BlackHole crimeware kit so far has infected more than 60,000 users in Turkey.

Trend Micro and CSIS Security Group have studied the so-called Tinba, Tinybanker, or Zusy malware,and say the information-stealing Trojan is similar to other malware variants with the same purpose. But its size is what sets it most apart: The tiny footprint helps it evade detection by antivirus engines.

Tinba (as in TINy BAnker) targets Windows machines running Internet Explorer and Firefox, and can disable the Mozilla browser's warning page.

"The capabilities of this malware are broadly similar to other similarly sophisticated info-stealing malware families. Using web injects, it steals the login information from websites, particularly those located in Turkey. Some targets such as Facebook, GMX, Google, and Microsoft are hardcoded into the code of Tinba itself and are universally targeted by Tinba," Trend Micro said in a blog post today. "Other institutions are targeted based on downloaded configuration files; frequent targets include key government portals and Turkish banks/financial institutions."

Tinba appears to be the handiwork of a well-organized gang with ties to SpyEye, Zeus, Torpig and money mule operations, malicious website hosting, and pornographic sites. Trend Micro says the tiny Trojan's infrastructure is based in Russia and Lithuania. It piggybacks onto the browser and steals logins, sniffs network traffic, executes man-in-the-browser Web injection attacks, and bypasses two-factor authentication. Tinba also has been used with and other information-stealing malcode.

"It appears that the Tinba malware can be related to possibly stolen mail.ru contacts, a mule operation, a shady Web hosting provider, porn sites, and numerous other domains related to banker Trojans. CSIS and Trend Micro believe that the Tinba sample is part of a larger cyber crime gang. This is not likely to be the work of one or two people, but part of a bigger scheme. It is remarkable that this gang does not hesitate to attack Russian-speaking Internet users as well, which significantly increases the risk of apprehension (when the suspects are in Russia). As well as being traced to Russia, significant parts of the gangs' infrastructure have also been based in Lithuania," Trend and CSIS wrote in a white paper about the malware.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights