Thursday, June 14, 2012

Digging Inside Tinba Malware - A Walkthrough

Two weeks back, Tinba malware hit the internet. Our team spent some time looking at the various artifacts of Tinba. Zeus and SpyEye have given birth to a new breed of botnets, and the upcoming generation of botnets makes extensive use of the tactics they introduced. Tinba is a small, notorious malware aimed specifically at stealing information from browsers. For more details about Man-in-the-Browser (MitB), one can read our paper on FormGrabbing here -

Other researchers have presented details about Tinba which can be found here -

We looked specifically at the communication patterns of Tinba. As we know, bots hook browsers and perform Web Injects to gain control over the browser communication channel. Other interesting facts about Tinba are as follows:

  • The accompanying binary is written in MASM/TASM and is 20 KB in size. Compiling with MASM reduces the size of the binary to a great extent.
  • The binary executes as: tinba.exe --- bin.exe --- readme.exe --- winver.exe. The dropper installs the bin.exe file in the application directory and then deletes the wrapper (binary). The file bin.exe resides in the directory permanently.
  • Adds a Run entry here - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Tinba hooks browser processes and makes them unstable, so users might encounter several browser crashes while surfing the internet. The browser works fine once the system is rebooted.
  • As Tinba injects into explorer.exe, the binding occurs very fast when the bot has to send a SYN packet and receive a reply from the C&C server. The connection is continuous, but TCPView is not fruitful in this case because the connection opens and closes very quickly. The TDIMon tool gives you low-level traffic details by inspecting the Transport Driver Interface, as presented below:
explorer.exe:168    TDI_CONNECT    TCP:    SUCCESS       
explorer.exe:168    TDI_SEND    TCP:    SUCCESS-2941    Length:353    
explorer.exe:168    TDI_SEND    TCP:    SUCCESS-2942    Length:9    
explorer.exe:168    TDI_EVENT_CHAINED_RECEIVE    TCP:    SUCCESS       
explorer.exe:168    TDI_EVENT_DISCONNECT    TCP:    SUCCESS    RELEASE
explorer.exe:168    TDI_SEND    TCP:    SUCCESS    Length:353    
explorer.exe:168    TDI_SEND    TCP:    SUCCESS    Length:9    
explorer.exe:168    TDI_EVENT_RECEIVE    TCP:    SUCCESS        
explorer.exe:168    TDI_EVENT_DISCONNECT    TCP:    SUCCESS    RELEASE    

One can notice that the events happen very fast. The figure below shows the TCP/IP pattern in the injected explorer.exe process.

Tinba Hooking Explorer - TCP/IP Pattern
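
As an added example (not part of the original post or the authors' tooling), the following Python code groups the TDIMon lines quoted above into exchanges closed by TDI_EVENT_DISCONNECT and reports processes that repeat the same sequence of send lengths across short-lived connections. The function names and the repeat threshold of 2 are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# TDIMon lines as quoted in the post (whitespace normalised).
SAMPLE = """\
explorer.exe:168 TDI_CONNECT TCP: SUCCESS
explorer.exe:168 TDI_SEND TCP: SUCCESS-2941 Length:353
explorer.exe:168 TDI_SEND TCP: SUCCESS-2942 Length:9
explorer.exe:168 TDI_EVENT_CHAINED_RECEIVE TCP: SUCCESS
explorer.exe:168 TDI_EVENT_DISCONNECT TCP: SUCCESS RELEASE
explorer.exe:168 TDI_SEND TCP: SUCCESS Length:353
explorer.exe:168 TDI_SEND TCP: SUCCESS Length:9
explorer.exe:168 TDI_EVENT_RECEIVE TCP: SUCCESS
explorer.exe:168 TDI_EVENT_DISCONNECT TCP: SUCCESS RELEASE
"""

LINE = re.compile(r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<event>TDI_\w+)\s+(?P<rest>.*)$")
LENGTH = re.compile(r"Length:(\d+)")


def sessions(log_text):
    """Yield (process, pid, send_lengths) for each exchange closed by a disconnect."""
    open_sends = defaultdict(list)  # sends seen since the last disconnect, per process
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers or truncated lines
        key = (m["proc"].lower(), int(m["pid"]))
        if m["event"] == "TDI_SEND":
            size = LENGTH.search(m["rest"])
            if size:
                open_sends[key].append(int(size.group(1)))
        elif m["event"] == "TDI_EVENT_DISCONNECT":
            yield key[0], key[1], tuple(open_sends.pop(key, ()))


def repeated_exchanges(log_text, min_repeats=2):
    """Return {(process, pid, send_lengths): count} for exchanges repeated min_repeats+ times."""
    counts = Counter(s for s in sessions(log_text) if s[2])
    return {k: n for k, n in counts.items() if n >= min_repeats}


if __name__ == "__main__":
    for (proc, pid, sizes), n in repeated_exchanges(SAMPLE).items():
        print(f"{proc}:{pid} sent {sizes} in {n} short-lived connections")
```

A repeated fixed-size exchange from a process such as explorer.exe is a triage lead rather than proof of infection, since legitimate software also polls servers with identical requests.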

When forms are submitted over HTTP/HTTPS, Firefox raises an alert box to notify the user about the communication protocol in use. Internet Explorer uses the concept of Zones. So we looked at this pattern in Tinba. For Internet Explorer, Tinba modifies the registry entry to disable the configuration as follows:

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Tinba also manipulates Firefox's behavior by tampering with the user.js (preferences) file as follows:

user_pref("security.warn_submit_insecure",false);
The browser does not raise an alert box when information is sent over HTTP while submitting forms.

Removes the warning about supporting mixed content over SSL.

The aim behind this modification is to remove the ambiguity in the communication channel used by Tinba. Let's have a look at the traffic communication:

Tinba Sending POST Requests
Tinba Sending GET Requests
Encrypted Reply
The communication is encrypted and well managed in this case. Another interesting thing we noticed during analysis is that when you reboot a system infected with Tinba, it raises a Windows integrity check, which shows that Tinba has seriously altered the integrity of system32 files such as winver.exe.

Windows Integrity Check on System Infected with Tinba on Every Reboot
This adds some more information on the Tinba malware.

Some more next time!