Other researchers have presented details about Tinba which can be found here - http://www.csis.dk/en/csis/news/3566/
We looked specifically at communication patterns of Tinba. As we know, bots are hooking browsers and performing Web Injects to gain control over the browser communication channel. Other interesting facts about Tinba is as follows:
- The accompanied binary is written in MASM/TASM and having size of 20 KB. Compiling with MASM reduces the size of the binary to great extent.
- The binary executes as : tinba.exe --- bin.exe --- readme.exe --- winver.exe The dropper actually installs the bin.exe file in the application directory and then deletes the wrapper (binary). File bin.exe resides in the directory permanently.
- Adds run entry here - HKCU\Software\Microsoft\Window\CurrentVersion\Run
- Tinba hooks browser processes and make them unstable, so there is a possibility that users might encounter several crashes in browsers while running or surfing internet. The browser works fine when the system is rebooted.
- As the tinba injects in explorer.exe, the binding occurs very fast when bot has to send SYN packet and to receive reply from the C&C server. The connection is continuous but TCPView is not fruitful in this case because the connection open and closes readily. TDIMon tools gives you the low level traffic details by inspecting the Transport Driver Interface as presented below:
explorer.exe:168 TDI_SEND TCP:0.0.0.0:2552 82.165.37.127:80 SUCCESS-2941 Length:353
explorer.exe:168 TDI_SEND TCP:0.0.0.0:2552 82.165.37.127:80 SUCCESS-2942 Length:9
explorer.exe:168 TDI_EVENT_CHAINED_RECEIVE TCP:0.0.0.0:2552 82.165.37.127:80 SUCCESS
explorer.exe:168 TDI_EVENT_DISCONNECT TCP:0.0.0.0:2552 82.165.37.127:80 SUCCESS RELEASE
explorer.exe:168 TDI_SEND TCP:0.0.0.0:2545 82.165.37.127:80 SUCCESS Length:353
explorer.exe:168 TDI_SEND TCP:0.0.0.0:2545 82.165.37.127:80 SUCCESS Length:9
explorer.exe:168 TDI_EVENT_RECEIVE TCP:0.0.0.0:2545 82.165.37.127:80 SUCCESS
explorer.exe:168 TDI_EVENT_DISCONNECT TCP:0.0.0.0:2545 82.165.37.127:80 SUCCESS RELEASE
One can notice that the events are happening very fast. The below presented figure shows the TCP/IP pattern in injected explorer.exe process.
Tinba Hooking Explorer - TCP/IP Pattern |
When forms are submitted over HTTP/HTTPS, the Firefox raises an alert box for notifying user about communication protocol in use. Internet explorer uses the concept of Zones. So we looked at this pattern in Tinba. No doubt for Internet Explorer, Tinba modifies the registry entry to disable configuration of Zones.as follows:
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Tinba also manipulates the Firefox behavior by tampering user.js (preferences) file as follows
[C] user_pref("security.warn_submit_insecure",false);
Browser does not raise an alert box when information in sent over HTTP while submitting forms.
[C] user_pref("security.warn_viewing_mixed",false); :
Remove the warning of supporting mixed content over SSL.
The aim behind this modification is to remove the ambiguity in the communication channel used by Tinba. Let's have a look at the traffic communication:
Tinba Sending POST Requests |
Tinba Sending GET Requests |
Encrypted Reply |
Window Integrity Check on System Infected with Tinba on Every Reboot |
Some more next time !