The source code for Tinba, the smallest but sophisticated banking Trojan, has been leaked through an online post in an underground forum, which makes it available to anyone who knows where to look for free malware generation tools.
The files posted on the closed Russian underground forum turned out to be the source code of Tinba version 1, which was discovered around mid-2012. It is said to be the original, privately sold version of the crimeware kit that infected thousands of computers in Turkey.
Tinba, also known as Zusy, is a tiny but deadly banking Trojan that comprises just 20 kilobytes of code, which gives it the ability to slip past detection by some antivirus engines. It uses a number of well-worn man-in-the-browser tricks in an attempt to defeat two-factor authentication. It infects systems without any advanced encryption or packing and has the capability to hook into browsers, steal login data and sniff network traffic.
Last week, researchers at CSIS in Denmark found a post in an underground cybercrime forum with an attachment that turned out to be the source code for Tinba. After analyzing and investigating the files, CSIS determined that the source code was for version one of the Tinba banking Trojan.
The leaked source code would be a golden opportunity for those who look for this kind of material, as these types of malware programs are normally only offered for sale in underground forums. Researchers believe that the source code of the malware was likely sold, modified and improved by other attackers.
Although this is an older version of the banking Trojan, it works without any difficulties. Members of the closed underground forum can download the source code of Tinba version 1 free of charge.
“So, our research on this malware and the group behind it proves to have been correct. Sometime around 2012, the Tinba version 1 source code was taken over by new criminals and it is precisely the version 1 source code which has now been made available to the public and not the code being used in current and ongoing attacks,” Peter Kruse, security specialist at CSIS, said in a blog post.
“The Tinba leaked source code comes with a complete documentation and full source code. It is nicely structured and our initial analysis proves that the code works smoothly and compiles just fine.”
The source code for another online banking Trojan, the very well known Zeus, was leaked in 2011, which also opened up an opportunity for a wider range of cybercriminals to develop more sophisticated and powerful commercial crimeware kits.
“We don’t expect the source code of Tinba to become a major inspiration for IT-criminals as it was the case for ZeuS. However, making the code public increases the risk of new banker Trojans to arise based partially on Tinba source code,” Kruse said.