As Shylock Shuts Down, Tinba Rises to the Occasion

Much like the mythical Hydra of Ancient Greece, the malware rings of the Internet never stop spawning new ways to crack into people’s computers and banking systems to get themselves an easy payday.

As the head of Shylock falls to the ground, bloodied and beaten by a joint task force of security professionals and government officials from around the globe, a small hacker ring out of Russia has just released their source code for the latest threat to all our pocketbooks: Tinba.

Tinba is not exactly new on the scene. It first took the stage over two years ago, when it was discovered by researchers from the netsec outfit CSIS.

Back then, the code was only offered up on a closed underground forum for a premium, and was preferred by many hacker rings for its flexibility, usability, and perhaps most importantly, its size.

With some versions weighing in at a mere 20kb, the file responsible for launching the program could be easily and quickly distributed over all but the slowest of Internet connections, making it especially popular in areas that were struggling to get themselves into the age of broadband and still had to rely on 56k modems and satellite connections to run their operations from abroad.

“Sometime around 2012, the Tinba version 1 source code was taken over by new criminals and it is precisely the version 1 source code which has now been made available to the public and not the code being used in current and ongoing attacks,” Peter Kruse, a partner and eCrime specialist at CSIS, explained in a blog post.

Researchers tasked with tracking Tinba can’t say for sure what triggered its developers’ recent change of heart, moving from a pay-per-license model to offering up the whole shebang for the low upfront cost of free-99. However, a few believe it could have something to do with the publication of its original creator’s name in a recent analysis posted by Trend Micro on their website earlier this year.

Tinba isn’t all too exciting when it comes to the actual nuts and bolts of its implementation, and works much like you’d expect a standard trojan of its caliber to. It starts its attack by sneaking onto a user’s computer, either through an email attachment or a dodgy software download, then watches their daily activity for any credit card information or banking logins that might pop up while it’s still running.

For now, both Trend Micro and CSIS believe that the spread of the infection is confined to Turkey and several other countries in the Middle East, affecting around 60,000 machines in total.

“We don’t expect the source code of Tinba to become a major inspiration for IT criminals as was the case for ZeuS. However, making the code public increases the risk of new banker Trojans to arise based partially on Tinba source code,” Kruse added in his post.