Tinba
Tinba, short for Tiny Banker, is a banking Trojan designed to steal banking details such as personal information and login credentials, or to trick the victim into performing a funds transfer.

When Tinba infects a computer and the user tries to log in to one of the targeted banks, Tinba's webinjects are launched into action. Depending on the targeted bank, victims are presented with fake Web forms asking for personal information or login credentials, or with requests to perform a funds transfer. The notice may even try to convince the victim that a certain amount was deposited accidentally and must be refunded immediately.

This Trojan targets a large number of banks, including Bank of America, ING Direct and HSBC. The fake web form may look something like this.
Mechanism
- The victim visits a website infected with the Tinba Exploit Kit, aka Rig Exploit Kit (Flash or Silverlight exploit). If the victim's system is vulnerable, the exploit executes malicious code that downloads and executes the malware payload, the Tinba Trojan.
- When the Trojan is executed, it copies itself to the following location:
- Then the Trojan modifies the following file to disable Mozilla Firefox warnings when visiting insecure sites:
- Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
- It then modifies the following registry entry to alter Internet Explorer settings:
- Next, the Trojan injects itself into the following processes:
a. svchost.exe
b. explorer.exe
- It then injects code into the following browsers:
a. chrome.exe
b. iexplore.exe
c. firefox.exe
- The Trojan then ends the following processes:
a. svchost.exe
b. explorer.exe
- Next, the Trojan monitors network traffic and records the captured information in the following file: %SystemDrive%\Documents and Settings\All Users\Application Data\default\web.dat
- The stolen information is then sent to one of the following command-and-control (C&C) servers:
[http://]d3akotav33olandos.com
[http://]dakotavolandos.com
[http://]dak1otavola1ndos.com
[http://]dako22tavol2andos.com
[http://]d4ak4otavolandos.com
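As an added defensive example (not part of the original post), the following Python sweeps proxy-log lines for connections to the C&C domains listed above. The log line format, the sample lines and the digit-stripping "family" heuristic are assumptions; the heuristic rests on the observation that every listed domain reduces to the same base name once digits are removed, so "family" hits should be reviewed for false positives.

```python
import re
# C&C domains exactly as listed on the page (duplicate entry dropped).
TINBA_C2_DOMAINS = {
    "d3akotav33olandos.com",
    "dakotavolandos.com",
    "dak1otavola1ndos.com",
    "dako22tavol2andos.com",
    "d4ak4otavolandos.com",
}
# Assumption: the listed names are digit-padded spellings of one base name, so
# stripping digits yields a family key that also flags unlisted siblings.
C2_FAMILY_KEYS = {re.sub(r"\d", "", d) for d in TINBA_C2_DOMAINS}
# Constructed proxy-log line format: "<time> <client ip> <method> <host> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def normalise_host(host):
    """Lower-case, drop any port suffix, trailing dot and leading 'www.'."""
    host = host.lower().split(":")[0].rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify_host(host):
    """Return 'exact', 'family' or None for a proxy-log destination host."""
    h = normalise_host(host)
    if h in TINBA_C2_DOMAINS:
        return "exact"
    if re.sub(r"\d", "", h) in C2_FAMILY_KEYS:
        return "family"
    return None

def find_c2_hits(lines):
    """Parse log lines; return (client_ip, host, verdict) for every C&C match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        _ts, client, _method, host, _status = m.groups()
        verdict = classify_host(host)
        if verdict:
            hits.append((client, normalise_host(host), verdict))
    return hits

# Constructed sample proxy log (not taken from the page).
SAMPLE_LOG = [
    "2014-09-02T10:15:01Z 10.0.0.12 GET www.example.com 200",
    "2014-09-02T10:15:07Z 10.0.0.12 POST dakotavolandos.com:80 200",
    "2014-09-02T10:16:30Z 10.0.0.19 POST DAK1OTAVOLA1NDOS.com 200",
    "2014-09-02T10:17:02Z 10.0.0.23 POST dak9otavol9andos.com. 200",
    "garbage line that does not parse",
]
```

Running `find_c2_hits(SAMPLE_LOG)` reports the two exact matches and one family match while silently skipping the malformed line.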
Recommendations
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Use a firewall to block all incoming connections from the Internet. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Always use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders.
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
- Turn off and remove unnecessary services.
- If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.