Threat Research

Tinba Turns 64

By Raul Alvarez | October 06, 2014

A few months ago, Tinba’s source code was leaked in the wild. It is now inevitable that a different and enhanced version of it is out there. Tinba, also known as Tiny Banker, made its debut a couple of years ago. Though it is small, it is capable of doing what its big brothers can do. For more details on some of its features, you can read my article posted on Virus Bulletin.

64-bit Injected Code

As expected, we have seen some new changes added to the original malware. Tinba is now capable of injecting its code into a 64-bit running process.

The original version of Tinba is a 32-bit executable file. It is capable of running on both 32- and 64-bit Windows systems. But its code injection feature only works on 32-bit running processes, for example, explorer.exe.

We have seen a new version of the malware that can inject its code into a 64-bit version of the explorer.exe process. It is still a 32-bit executable file. Yet once it determines that it is running on a 64-bit Windows system, it will execute a routine that will inject its code into a 64-bit explorer.exe process.

Hooking Inside Explorer.exe

In the original version, once Tinba runs in the context of the explorer.exe process, it immediately executes the rest of its malicious activities. Its 64-bit counterpart does not immediately perform the rest of its routine. Instead, it hooks some APIs and terminates the main thread.

Once the injected code in explorer.exe is activated, Tinba resolves all the needed APIs (see Figure 1). These APIs are used by the malware for the rest of its routine. Afterwards, the malware resolves another group of ntdll APIs for hooking.


Figure 1. Code inside the explorer.exe process for resolving the needed APIs.

After hooking the ZwCreateUserProcess, ZwResumeThread, ZwEnumerateValueKey, and ZwQueryDirectoryFile APIs, the malware terminates the main thread (see Figure 2). The injected malware code in explorer.exe now waits to be triggered before performing the rest of its function.


Figure 2. Code inside the explorer.exe process for hooking some _ntdll_ APIs.
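Because the 64-bit variant parks itself inside explorer.exe with only a handful of ntdll hooks in place, the most direct sign of its presence is that the prologues of those exports no longer look like normal system-call stubs. The following is an added example written for this post (it is not code from the original article or from the Tinba sample) that checks the first bytes of the four exports named above. It assumes the well-known x64 ntdll stub layout, `mov r10, rcx` (4C 8B D1) followed by `mov eax, <service number>` (B8 xx xx 00 00), and flags the generic redirection sequences an inline hook typically leaves behind; the post does not say which of those sequences Tinba itself writes, and the sample bytes below are constructed, not captured from an infected machine.

```python
"""Flag inline hooks on 64-bit ntdll Zw*/Nt* stubs by checking their prologue.

Added example, not code from the original post. Assumes the x64 ntdll stub
layout: mov r10, rcx (4C 8B D1) ; mov eax, <ssn> (B8 xx xx 00 00).
"""
import struct
import sys

# Expected start of an unhooked x64 Nt/Zw stub: mov r10, rcx ; mov eax, imm32
STUB_PROLOGUE = b"\x4C\x8B\xD1\xB8"

# Generic redirection sequences an inline hook commonly writes over a prologue.
# These are detector heuristics; the post does not state which one Tinba uses.
HOOK_PATTERNS = {
    "jmp rel32":               lambda b: b[0:1] == b"\xE9",
    "jmp [rip+disp32]":        lambda b: b[0:2] == b"\xFF\x25",
    "mov rax, imm64; jmp rax": lambda b: b[0:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0",
    "push imm32; ret":         lambda b: b[0:1] == b"\x68" and b[5:6] == b"\xC3",
}

# The four ntdll exports the post says the 64-bit variant hooks.
WATCHED_EXPORTS = ("ZwCreateUserProcess", "ZwResumeThread",
                   "ZwEnumerateValueKey", "ZwQueryDirectoryFile")


def classify_stub(first_bytes):
    """Return ('clean', ssn), ('hooked', pattern_name) or ('unknown', None)."""
    if len(first_bytes) < 8:
        raise ValueError("need at least 8 bytes of the stub")
    if first_bytes.startswith(STUB_PROLOGUE):
        # The 32-bit immediate after B8 is the system service number.
        ssn = struct.unpack_from("<I", first_bytes, 4)[0]
        return ("clean", ssn)
    for name, matches in HOOK_PATTERNS.items():
        if matches(first_bytes):
            return ("hooked", name)
    return ("unknown", None)


def scan_stubs(stubs):
    """stubs: {export_name: first bytes of the function}. Returns verdicts."""
    return {name: classify_stub(code) for name, code in stubs.items()}


def read_live_stubs(names=WATCHED_EXPORTS, length=16):
    """Windows-only: read the first bytes of each export from the loaded ntdll.

    Uses only documented kernel32 calls via ctypes; returns None on other OSes
    so the module can still be exercised offline with SAMPLE_STUBS.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.argtypes = (ctypes.c_wchar_p,)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = (ctypes.c_void_p, ctypes.c_char_p)
    k32.GetProcAddress.restype = ctypes.c_void_p
    ntdll = k32.GetModuleHandleW("ntdll.dll")
    out = {}
    for n in names:
        addr = k32.GetProcAddress(ntdll, n.encode())
        if addr:
            out[n] = ctypes.string_at(addr, length)
    return out


# Constructed sample bytes (not captured from a real system): one clean stub
# with service number 0xC4, and three stubs overwritten in different hook styles.
SAMPLE_STUBS = {
    "ZwCreateUserProcess":  bytes.fromhex("4C8BD1B8C4000000F604250803FE7F01"),
    "ZwResumeThread":       b"\xE9" + struct.pack("<i", 0x1234) + b"\x90\x90\x90",
    "ZwEnumerateValueKey":  b"\xFF\x25" + struct.pack("<i", 0) + bytes(8),
    "ZwQueryDirectoryFile": b"\x48\xB8" + struct.pack("<Q", 0x7FF600001000) + b"\xFF\xE0",
}


if __name__ == "__main__":
    # On Windows this inspects the current process; elsewhere it uses the samples.
    stubs = read_live_stubs() or SAMPLE_STUBS
    for name, (state, detail) in scan_stubs(stubs).items():
        print(f"{name:22s} {state:8s} {detail}")
```

Run inside the process you want to inspect (or adapt `read_live_stubs` to read the bytes from a memory dump of explorer.exe); a stub that neither starts with the expected prologue nor matches a known hook pattern is reported as `unknown` rather than silently passed, since a changed prologue on a Zw export deserves a look either way.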

Looking Forward

64-bit malware is now slowly making its way into our computing space. Malware families are gradually morphing from 32-bit to 64-bit, or to a combination of both.

As malware authors either enhance existing malware or create new malware from scratch, defenders need to adapt and acquire new skills.
