Source code of Tinba, the smallest banking Trojan, released online

The source code of the first version of Tinba, the smallest banking Trojan ever developed, has been released online.


The malware is also known as Tinybanker or Zusy, and is only 20KB in size. It was first discovered in mid-2012, when it targeted specific people in Turkey. At that time, more than 60,000 unique infections were detected.

What immediately drew the attention of the security researchers who discovered it was its small size combined with functionality that rivals much larger Trojans.

Researchers from the CSIS Security Group, in Denmark, discovered a post on a closed underground forum. After careful analysis, they found that the source code contained in the post was for the first version of the malware, released in 2011-2012.
Read more about Tinba in the paper (PDF) by Trend Micro.

Tinba was created to spy on the program and to collect login information. Despite being only 20KB in size, the malware uses man-in-the-browser (MitB) and web-injection techniques to intercept data and send it to its creator. This kind of activity is usually carried out by specialized, complex malware.
The release of the source code increases the risk of new Trojans that are based in part on Tinba's source code.
The code is accompanied by full documentation and it looks like all of its developers are published. CSIS researchers note that everything is very well structured and that during their analysis they were able to compile the code without any problems.

Once the malware is installed, it uses an obfuscated injection routine that allows it to avoid detection by antivirus software.

Researchers say the malware was able to turn off the phishing warning in Mozilla Firefox, so that users do not suspect anything when they visit infected sites.

Communication with the administration server is encrypted with RC4 and uses a series of four domains. The malware tries to contact these in turn, sending information and pings until it gets a response.
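
One way to hunt for the domain fallback behaviour described above in DNS or proxy logs, as an added example that is not code from the article or from CSIS. The log tuple format, the function name `find_fallback_walks`, the 60-second window and the three-failure threshold are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample log: (epoch seconds, client host, queried domain, answered?)
SAMPLE_LOG = [
    (1000, "ws-17", "alpha.example", False),
    (1004, "ws-17", "bravo.example", False),
    (1009, "ws-17", "charlie.example", False),
    (1013, "ws-17", "delta.example", True),    # fourth domain finally answers
    (1020, "ws-22", "intranet.example", True),
    (1500, "ws-22", "typo.example", False),    # a single failed lookup is noise
    (2000, "ws-30", "one.example", False),
    (2010, "ws-30", "two.example", False),
    (2300, "ws-30", "three.example", False),   # too far apart to be one walk
]

def find_fallback_walks(events, window=60, min_failed=3):
    """Return {host: [domain walk, ...]} for hosts that step through several
    distinct unanswered domains within `window` seconds (hypothetical helper)."""
    by_host = defaultdict(list)
    for ts, host, domain, answered in sorted(events):
        by_host[host].append((ts, domain, answered))

    findings = defaultdict(list)
    for host, rows in by_host.items():
        walk, start = [], None          # current run of failed, distinct domains
        for ts, domain, answered in rows:
            if walk and ts - start > window:
                # Run went stale; keep it only if it was already long enough.
                if len(walk) >= min_failed:
                    findings[host].append(walk)
                walk, start = [], None
            if answered:
                # A response ends the walk; record it with the domain that answered.
                if len(walk) >= min_failed:
                    findings[host].append(walk + [domain])
                walk, start = [], None
            elif domain not in walk:
                if not walk:
                    start = ts
                walk.append(domain)
        if len(walk) >= min_failed:     # every domain in the list was unreachable
            findings[host].append(walk)
    return dict(findings)

if __name__ == "__main__":
    for host, walks in find_fallback_walks(SAMPLE_LOG).items():
        print(host, walks)
```

The RC4 encryption means payload inspection is of little use here, so the check relies only on the timing and order of lookups; tune the window and threshold against normal traffic before alerting on it.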


Written by giorgos
