Home | Press | Contact da en
Heimdal
Heimdal Security protects against
banker trojan malware.
Press Contact

Peter Kruse
Partner & Security Specialist
pkr@csis.dk
PGP Key ID: 0x49006F37

News
2014-07-10 16:49:23 |

In 2011, the source code for the ZeuS crimekit was leaked on the Internet. CSIS was the first to report this and the blog can be found here: https://www.csis.dk/en/csis/blog/3229/. As a direct result of the ZeuS source code leak, several IT-criminals have been inspired and have even improved the code for newer and more powerful commercial crimekits such as Citadel. Later in mid 2012, we broke the news about the smallest Trojan banker ever discovered, which we dubbed "Tinba" (aka Tinybanker) because of its small size (only approximately 20KB in size).

Last week we found an interesting post on a closed underground forum. It came with a source code, which after further analyses and investigations turned out to be the source code of the version 1 of Tinba from 2011/2012.


This is the code that our first information about Tinba was based upon: https://www.csis.dk/en/csis/news/3566/

Just a few weeks ago, CSIS gave a presentation on FIRST in Boston, USA with the title “Outside of Tinba, looking in”. The presentation has not been released to the public, but it clearly documents how the Tinba code was likely sold or made public and since then reworked and improved by more individuals than were originally involved in version 1. In 2012, we released a joint technical paper with our friends from Trendmicro named "W32.Tinba (Tinybanker) The Turkish Incident" which is available here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf

So, our research on this malware and the group behind it proves to have been correct. Sometimes around 2012, the Tinba version 1 source code was taken over by new criminals and it is precisely the version 1 source code which has now been made available to the public and not the code being used in current and ongoing attacks.

The Tinba leaked source code comes with a complete documentation and full source code. It is nicely structured and our initial analysis proves that the code works smoothly and compiles just fine.


We don't expect the source code of Tinba to become a major inspiration for IT-criminals as it was the case for ZeuS. However, making the code public increases the risk of new banker Trojans to arise based partially on Tinba source code.

The complete Tinba source code is approx. 2MB.