Analyzing Tinba: Configuration Data

Post & Analysis by: Mikko Suominen

Tinba made its entrance into the malware scene a couple of years ago and at the moment, it stands as one of the most popular banking trojans out there. Amongst its noticeable features are the inclusion of preloaded configuration and the implementation of advanced encryption methods to increase its efficiency during operation and to reduce its chance of being dissected.

In this blog post, we’ll focus on the configuration data, specifically on how to extract it from process memory. We (and some of you out there) are interested in the configuration data because it helps us understand how the trojan operates and who its targets are.

Cracking the XOR encryption

Tinba is known for its form-grabbing and web injection capabilities, which it uses to steal banking credentials from users who unknowingly visited compromised sites. It makes its way into a system mostly via spam emails and exploit kits.

Once downloaded, the form-grabbing and web injection configurations are stored on the disk, protected by XOR with a 4-byte key, followed by RC4 and finally aPLib compression. The XOR key is the name of the folder where the Tinba files are located, converted from a string to an integer. If no configuration files were downloaded, Tinba will resort to using the prebuilt configuration data from within its binary. This data uses the same encryption as the files, minus the XOR layer.

The XOR encryption is implemented to tie the configuration files to a particular machine. By using a combination of machine and botnet specific data as the XOR key, someone with no access to the infected machine would face a huge challenge in decrypting the files.

Decrypting the configuration files

However, decrypting the files might be unnecessary as Tinba’s method of hiding its configuration data is remarkably poor by modern standards. Both the form-grabbing data and web injection data are fully decrypted and decompressed to be stored permanently in the web browser memory. This is quite careless since other banking trojans tend to jealously guard their configuration data and will only decrypt the data as needed and then immediately wipe the decrypted data from memory once it is no longer needed.

Oversight in memory allocation?

To make matters even easier, Tinba’s author has coded the memory allocation for the configuration data very lazily. Instead of allocating only the necessary amount of memory for the specific data, the author decided to allocate a hard-coded amount of memory large enough to guarantee that any configuration data would fit. Consequently, the large 0x1400000 byte memory block stands out like a sore thumb in the web browser memory space. The form-grabbing configuration data is held at the beginning of the area while the web injection data can be located at the offset 0xa00000 within the area. Both blobs of data begin with the size of the configuration data.
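The memory layout described above, as an added example that is not from the post or from Tinba’s own code: it checks a candidate region for the tell-tale 0x1400000 size, reads the size-prefixed blobs at offset 0 and 0xa00000, and lists the targets from Zeus-style set_url entries. The 32-bit little-endian size prefix, the demo region and its sample entries are assumptions/constructed.

```python
import struct

REGION_SIZE = 0x1400000        # hard-coded allocation size from the post
FORMGRAB_OFFSET = 0x0          # form-grabbing config sits at the start of the block
WEBINJECT_OFFSET = 0xA00000    # web injection config sits at this offset
HEADER_FMT = "<I"              # assumption: size prefix is a 32-bit little-endian DWORD
HEADER_LEN = struct.calcsize(HEADER_FMT)

def read_blob(region, offset, limit):
    """Return the size-prefixed blob at offset, or None if the header is implausible."""
    if offset + HEADER_LEN > len(region):
        return None
    (size,) = struct.unpack_from(HEADER_FMT, region, offset)
    if size == 0 or size > limit or offset + HEADER_LEN + size > len(region):
        return None
    start = offset + HEADER_LEN
    return bytes(region[start:start + size])

def extract_configs(region):
    """Pull both config blobs from a candidate region; None unless it has the tell-tale size."""
    if len(region) != REGION_SIZE:
        return None
    formgrab = read_blob(region, FORMGRAB_OFFSET, WEBINJECT_OFFSET - HEADER_LEN)
    webinject = read_blob(region, WEBINJECT_OFFSET, REGION_SIZE - WEBINJECT_OFFSET - HEADER_LEN)
    return {"formgrab": formgrab, "webinject": webinject}

def list_targets(blob):
    """Collect the URL field of Zeus-style 'set_url <url> <flags>' lines, i.e. the targets."""
    targets = []
    for line in blob.decode("latin-1").splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "set_url":
            targets.append(parts[1])
    return targets

def build_demo_region():
    """Constructed stand-in for the browser memory block (not a real dump)."""
    region = bytearray(REGION_SIZE)
    fg = b"set_url https://bank.example/login GP\n"                              # constructed entry
    wi = b"set_url https://bank.example/* GP\ndata_before\n</head>\ndata_end\n"  # constructed entry
    for offset, blob in ((FORMGRAB_OFFSET, fg), (WEBINJECT_OFFSET, wi)):
        struct.pack_into(HEADER_FMT, region, offset, len(blob))
        region[offset + HEADER_LEN:offset + HEADER_LEN + len(blob)] = blob
    return region

if __name__ == "__main__":
    cfg = extract_configs(build_demo_region())
    print("formgrab :", cfg["formgrab"].decode())
    print("targets  :", list_targets(cfg["webinject"]))
```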

As an example, the following is one entry for the web injection data received by this sample – 9c81cc2206c3fe742522bee0009a7864529652dd.

Tinba web injection data

This sample indicates that the target is a banking institution in Poland.

Similarity to Zeus’ format

If Tinba’s configuration data looks eerily similar to you, it is because it follows the same format used by Zeus and many other malware families. The format has apparently turned into a bit of an industry standard for crimeware because it enables the same malicious web injections to be used on different botnets.

It would be interesting to find out how different malware authors ended up using the same format for their malware’s configuration data. We can assume that the web injection data is not developed by the botnet owner but bought from a third party. If that’s the case, agreeing on a certain configuration format would require cooperation between multiple web injection developers and multiple malware developers. Perhaps it just happened organically: a few years ago Zeus had such a large market share that it made sense for other authors to use the same format to make web injection procurement easier for customers.


Mikko Suominen is a Senior Analyst on our Remediation team.

Further reading: The Evolution Of Webinjects (VB2014 paper) by Jean-Ian Boutin.



Use iOS Restrictions For Additional Security

Apple iOS has excellent “parental control” options. But really, OS restrictions shouldn’t be limited to parental units. If you run as a limited user on your computer, then you should do the same on your mobile device. So here’s an iOS tip from our Cyber Security Services that Tomi Tuominen shared with me recently.

Use restrictions. Go to: Settings > General > Restrictions. Enable restrictions and set a passcode.

And to start: set Accounts to “Don’t Allow Changes”.

iOS 9.2 Restrictions

I also prefer to restrict “Background App Refresh” changes to ensure that newly installed apps cannot run in the background until I explicitly allow them to do so.

Happy configuring to you!



January 13th – Advanced Persistent Threat Meetup

Winter has finally arrived in Helsinki…

F-Secure HQ 2016-01-05

Come and experience it for yourself.

How?

Join our APT Meetup on January 13th!

Advanced Persistent Threat Meetup

Speakers will include Frode Hommedal and Artturi Lehtiö.

And here’s your opportunity: F-Secure will cover the costs for 2 to 3 people, from anywhere in the world. But time is limited, the event is Wednesday of next week. So don’t delay, act now, contact Sami Lappeteläinen and tell him why you should be chosen to participate.



H0H 0H0

Today I was testing iOS 9 “Split View” multitasking with Freedome and KEY

…and discovered that we have a new Freedome exit node?

iPad Air 2 Multitasking with Freedome & KEY

A happy Festivus to us all!



Senator Wyden’s Questions About Crypto-Ransomware

On December 15th, US Senator Ron Wyden sent a letter to FBI Director James Comey regarding crypto-ransomware. The reported costs are quite surprising.

Victims of ransomware attacks are reporting payments between $200 and $10,000 to get their personal or business-related data back.

$10,000? My guess is that this is due to multiple computers being hit rather than one overall fee.

Here are Wyden’s questions.

Wyden's questions to the FBI.

Hopefully the FBI will provide a detailed reply sooner than later.


Update: you can find the reply here.



SEE: Sandboxed Execution Environment

Available from F-Secure GitHub: SEE

Introduction:

Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments.

The sandboxes, provided via libvirt, are customizable, allowing a high degree of flexibility. Different types of hypervisors (QEMU, VirtualBox, LXC) can be employed to run the test environments.

Plugins can be added to a test environment; an event mechanism synchronises their interaction. Users can enable and configure the plugins through a JSON configuration file.

Link: https://github.com/F-Secure/see



The Online Arms Race

Mikko at Web Summit 2015.



Did iOS 9 Really Improve Passcode Security?

I’ve been doing some password research and was recently reminded of this iOS 9 feature.

Apple: “The default for passcodes on your Touch ID–enabled iPhone and iPad is now six digits instead of four. If you use Touch ID, it’s a change you’ll hardly notice. But with one million possible combinations — instead of 10,000 — your passcode will be a lot tougher to crack.” (Emphasis mine.)

iOS 9 Improved Security

Six digits instead of four? Translation: there’s now room for your year of birth, too! So instead of “1101” it’s now “110160”. (Tim Cook was born November 1, 1960.)

It’s entirely anecdotal, but I’ve already met somebody doing this. And I have little doubt that many others are doing so as well.

But at least a six digit passcode discourages the use of certain four letter words…

5683 = LOVE on a telephone keypad.

Recommendation: change your passcode to a “Custom Alphanumeric Code” and create a good passphrase. On your iOS device, go to: Settings > Passcode > Change Passcode > Enter Old Passcode > Passcode Options.
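A defender’s check for the weakness described above (a date, or a keypad word, chosen as the passcode), added here and not from the post or from Apple: it counts how many of the one million six-digit codes read as a date in the common layouts and flags such codes. The three date layouts and the blocklist words are assumptions.

```python
# Days per month with February = 29: a two-digit year does not reveal the century,
# so a validator has to accept 29 February for every YY.
DAYS = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]

# Telephone keypad letters, so a word blocklist can be checked in digit form (5683 = LOVE).
KEYPAD = dict(zip("23456789", ("abc", "def", "ghi", "jkl", "mno", "pqrs", "tuv", "wxyz")))
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}

def valid_month_day(mm, dd):
    return 1 <= mm <= 12 and 1 <= dd <= DAYS[mm - 1]

def date_layouts(code):
    """Which of MMDDYY, DDMMYY, YYMMDD a six-digit code can be read as (empty set if none)."""
    if len(code) != 6 or not code.isdigit():
        return set()
    a, b, c = int(code[0:2]), int(code[2:4]), int(code[4:6])
    found = set()
    if valid_month_day(a, b):
        found.add("MMDDYY")
    if valid_month_day(b, a):
        found.add("DDMMYY")
    if valid_month_day(b, c):
        found.add("YYMMDD")
    return found

def count_date_like():
    """How many of the 1,000,000 six-digit codes read as a date in at least one layout."""
    return sum(1 for n in range(1_000_000) if date_layouts(f"{n:06d}"))

def word_to_keypad(word):
    """Map a word to the digits it spells on a phone keypad."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())

def is_weak(code, blocked_words=("love", "pass", "word")):
    """Reject date-like codes and codes that spell a blocklisted word (constructed blocklist)."""
    return bool(date_layouts(code)) or any(code == word_to_keypad(w) for w in blocked_words)

if __name__ == "__main__":
    print("date-like six-digit codes:", count_date_like())
    print("110160 reads as:", sorted(date_layouts("110160")))
    print("LOVE on a keypad:", word_to_keypad("LOVE"))
```

Roughly one in twelve six-digit codes is a plausible date, which is where the effective keyspace goes once people start typing birthdays.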



The Case Of A Flash Redirector From A Brute Force Password Attack

We noticed an unusual spike in “Flash redirector” detection hits during October. The source was compromised websites.

Figure 1. Flash Redirector Detection Hits

The compromised websites had an injected code which loaded a malicious flash object that attempted to redirect users to the Angler exploit kit.

Figure 2. Injected Code

This flash redirector is not a new thing. It was written about by Malwarebytes a year ago. However, the sudden spike we observed during October got our attention and prompted us to look at it a bit closer.

It was interesting to see that the URL pattern didn’t change much from what Malwarebytes saw, except that we didn’t see the use of the URL shortener us.to. The actors behind the attacks take advantage of free domains and unusual Top Level Domains.

Figure 3. Flash Redirector URLs from 2014

Figure 4. Flash Redirector URLs from 2015

While looking into how the websites were compromised, we noticed that all of them were built using WordPress. Our initial thought was that these websites were attacked via a vulnerable plugin.

Further investigation on the compromised servers revealed that one of the attacker’s tactics was a simple brute force password attack. The attacker attempted to enumerate WordPress usernames by accessing URLs such as these.

http://www.samplewebsite.com/?author=1
http://www.samplewebsite.com/?author=2
http://www.samplewebsite.com/?author=3

Below is a snippet of the access log that shows the author scanning.

Figure 5. Access log: author enumeration requests

After obtaining the username, the only thing that the attacker would need to figure out is the password. The tool used by the attacker attempted around 1200 passwords before it was able to log in successfully.

Figure 6. Access log: password brute force attempts against wp-login.php

After gaining access to an admin account, the attacker proceeded to upload malicious scripts onto the server. Such scripts included a backdoor, and even a spammer component.

Figure 7. Access log: upload of malicious scripts after login

Compromising websites is one of the most effective ways for cybercriminals to deliver malware. Being creatures of habit, users typically visit their favorite websites without any thought that their machines might get infected, so the owners of these websites have an important role in making this threat less prevalent. The standing advice is to keep all software running on your server up to date, to reduce the chance of being attacked via vulnerabilities. In the case of this particular attack, however, we cannot stress enough how important it is to protect your username and to use a strong, unique password. To defend against this kind of WordPress attack, you should also not use a WordPress admin account for publishing anything. You can also add this code to .htaccess to block author enumeration attempts.

# Stop WordPress username enumeration via /?author=N
# (replace http://yoursite.com/somepage/ with a page on your own site)
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]+)
RewriteRule ^(.*)$ http://yoursite.com/somepage/? [L,R=301]

You can find more information here: Block WordPress User Enumeration, Secure WordPress Against Hacking
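A defender-side way to spot the three stages the access logs above show (author enumeration, wp-login.php brute force, then uploads), as an added example that is not from the post: it runs over constructed Apache combined-format log lines. The constructed IPs, the thresholds and the upload heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines (not the post's real access log).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2015:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2015:10:01:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2015:10:01:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2015:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2015:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2015:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2015:10:02:09 +0000] "POST /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2015:10:05:00 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def analyse(log_text, enum_threshold=3, login_threshold=3):
    """Per source IP: distinct ?author= ids probed, wp-login.php POSTs, and upload-looking POSTs."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(int)
    login_success = defaultdict(int)
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group("ip", "method", "path", "status")
        q = re.search(r"[?&]author=(\d+)", path)
        if q:
            author_ids[ip].add(int(q.group(1)))
        if method == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip] += 1
            if status == "302":  # a failed login re-renders the form (200); success redirects (302)
                login_success[ip] += 1
        if method == "POST" and path.startswith("/wp-admin/") and "upload" in path:
            uploads[ip].append(path)  # crude heuristic (assumption); tune to your site
    findings = {}
    for ip in set(author_ids) | set(login_posts) | set(uploads):
        report = {}
        if len(author_ids[ip]) >= enum_threshold:
            report["author_enumeration"] = sorted(author_ids[ip])
        if login_posts[ip] >= login_threshold:
            report["login_attempts"] = login_posts[ip]
            report["login_success"] = login_success[ip]
        if uploads[ip]:
            report["uploads"] = uploads[ip]
        if report:
            findings[ip] = report
    return findings

if __name__ == "__main__":
    for ip, report in analyse(SAMPLE_LOG).items():
        print(ip, report)
```

An IP that enumerates authors, then fires a burst of wp-login.php POSTs ending in a 302, and then POSTs to an upload page is the sequence worth alerting on, not any one of those steps alone.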



Wonknu: A Spy For The 3rd ASEAN-US Summit

In the era of APTs, it feels like something is amiss when there is a forum of governments and no malware arises. But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint.

A few days before the Kuala Lumpur summit, a subdomain under asean.org for the ASEAN Secretariat Resource Centre (ARC) was compromised. Malicious code was appended to the compromised script file, which redirected a visitor to 43.240.119.35. (At the moment, this malicious script is not accessible.)

Redirection Traffic

While still compromised, the ARC website also hosted an archive with the filename: the 3rd ASEAN Defence Ministers’ Meeting.rar. This contained malware that we detect as Backdoor:W32/Wonknu.A.

Wonknu is signed by Awarebase Corp., an information management solutions company whose customers include those from the Defense sector.

Wonknu Cert

The malware drops a copy of itself to the system as c:\programdata\kav.exe. It then connects to 43.240.119.40:443 and functions as a backdoor that is able to accept the following commands:

  • GetsSysteminfo – Retrieve version information.
  • GetDiskInfo – Retrieve disk drive information.
  • GetFileList – Retrieve directory listing.
  • DownloadFile – Download file.
  • UpFile – Upload file.
  • RunExeFile – Run an executable file.
  • FileData – Write data to file.
  • DelFile – Delete a file.
  • NewDir – Create a directory.
  • CmeShell – Run a command from the shell.
  • Terminate Process
  • Enumerate Process

We tried to search for similar samples and found another one that used the same certificate.

Signed downloader

This malware was first seen sometime around early August of this year. During that time, it could be downloaded from sft.spiritaero.com (Spirit AeroSystems is one of the largest producers of commercial aerostructures).

This malware pretends to be a Java file, Javaw.exe Version 6.0.0.105 to be exact. The original Java file was modified to include malicious code that downloads a file from 178.79.181.246. The downloaded file will be saved as Java_Down.exe on the affected machine. This URL is also currently inaccessible.

Downloader Code

In addition, we’ve also found that this particular IP hosted Jquery.js, similar to the case above, but at the moment we are unable to obtain a copy of it as well.

URLs and IPs:
43.240.119.40:443
http://arc.asean.org/the%203rd%20ASEAN%20Defence%20Ministers'%20Meeting.rar
http://43.240.119.35/arc/Jquery.js
http://178.79.181.246/microsoft/Java_Down.exe
http://178.79.181.246/microsoft/jquery.js
https://sft.spiritaero.com/java/javaws.exe
Filenames:
the 3rd ASEAN Defence Ministers' Meeting.rar
the 3rd ASEAN Defence Ministers' Meeting.exe
c:\programdata\kav.exe
Java_Down.exe
Hashes:
a096a44aee0f0ff468c40488eab176d648b1c426
068fa495aa6f5d6b4e0f45c90042a81eecdaec2c
Detections:
Backdoor:W32/Wonknu.A
Trojan-Downloader:W32/Wonknu.B


Oops!… Dell Did It Again

Bad news: Dell has installed a rogue root CA on customer PCs.

Dell ships laptops with rogue root CA. https://t.co/70LCd9JAoZ #reddit #DellRoot pic.twitter.com/25QhJTRzZs — Mikko Hypponen (@mikko) November 23, 2015

Why is it bad? Because it’s trivial to perform man-in-the-middle attacks against any computer with the cert installed. Dan Goodin has an excellent writeup here. […]

2015-11-24

Paper: C&C-As-A-Service

Artturi Lehtiö, a researcher on our Threat Intelligence team, recently presented a paper on abusing third-party web services as C&C channels at VB2015. Here’s the abstract: A secure, reliable and undetectable method of communicating with and controlling malware is essential for modern malware operations. But designing, implementing and maintaining your own communication infrastructure isn’t an […]

2015-11-17

Security Cloud White Paper: How Do We Handle Customer Data?

How F-Secure Labs handles customer data is of the utmost importance for those of us who work here. We would therefore like to invite you to read our latest white paper which details our back end technology a.k.a. “Security Cloud” [PDF]. The paper explains the purpose, function and benefits of our technology and explains the […]

2015-11-13

Linux.Encoder.1: We Are Accept Only Bitcoins

There’s a new crypto-ransom scheme currently in-the-wild targeting Linux-based systems. It’s called “Linux.Encoder.1” by the folks at Dr.Web. Basically, instead of setting up phishing sites or exploit kit redirects on vulnerable web-servers, the Linux.Encoder.1 extortionists are targeting the web-server owners directly by encrypting their content. As a consequence, Google is indexing numerous victims. Google finds […]

2015-11-10

Halloween RAT: NanoCore Served Via PageFair Service

Over the weekend, PageFair, a counter ad-block solutions provider, was compromised via a spearphishing attack. The attackers performed a password reset which gave them access to PageFair’s account on a Content Distribution Network (CDN) service. The attackers then replaced PageFair’s JavaScript with a malicious one. This is what was shown to visitors of websites that used this PageFair service: […]

2015-11-02

The Contents Of This CryptoWall Zip File Cost $1,000

“Payment is made successfully.” This is CryptoWall’s Decrypter Service after ransom has been paid. And this (decrypt.zip) is what you get for your money Bitcoin. It’s really not much to look at. But without a copy of your keys… you’ll never decrypt your files. Which is probably why the FBI says: “To be honest, we […]

2015-10-28

SLocker Versus Marshmallow

Android ransomware SLocker recently began taking advantage of Android Lollipop flaws in a very serious (and devious) way. But how does SLocker fare against Android Marshmallow? First, let’s take look at SLocker versus Lollipop. Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”. Typically all-too-common sorts […]

2015-10-22

Dridex Takedown

The UK National Crime Agency together with the FBI and the US Department of Justice recently filed charges against the author of Bugat/Cridex/Dridex. Andrey Ghinkul was arrested on August 28, 2015 in Cyprus and the US is now seeking his extradition. Dridex has reportedly caused multi-million dollar losses to financial institutions and businesses globally. Dridex […]

2015-10-15

Marshmallow Moves Android Towards iOS-like Permissions

Android 6.0 a.k.a. “Marshmallow” is now rolling out and its best new feature, from my point of view, is the introduction of a new permissions model. Well-crafted applications can now ask for permissions as they are needed, rather than all at once during installation. Apps designed for older versions of Android will still ask for […]

2015-10-06

VB2015

Mikko missed VB2015 this year… allegedly.

I've been to every Virus Bulletin conference since 1993 but missed #VB2015. Except according to this video I didn't… http://t.co/elfsizCn9B — Mikko Hypponen (@mikko) October 2, 2015

2015-10-05