Archive for the 'Uncategorized' Category

Spam Runs In Switzerland Spreading Tinba (Fake MMS and Job Applications)

Since yesterday there has been some massive spam runs that are distributing Tinba in Switzerland. Tinba (also known as Tinybanker, Illi and Zusy) is an ebanking Trojan that has been around for a few years now. While most of the Tinba versions I usually come across of are utilising a Domain Generation Algorithm (DGA) to calculate the current botnet Command&Control (C&C) domain, the version of Tinba that has been spread in Switzerland since yesterday is using hard-coded botnet C&C domains.

Since yesterday, I have observed three distinct spam runs in Switzerland. The first one started on Jan 27, 2015 in the morning:

Tinba Spamrun 1

The spam emails pretend to be from generic email addresses ( is a big free email service provider in Switzerland). However, if you look at the email headers its clear that the email is not coming from itself, but from broadband lines all over the world (likely a botnet). The subject line looked like this:

  • BildXXXXXX

… where X refers to a random digit, for example IMG402302 and IMG402302.

The first spam run of today pretended to be from a Swiss Telecom provider called Orange (

Tinba Spamrun 2

Just like the spam run from yesterday, the emails are not really originating from, but from broadband lines located all over the world. The spammers used different subjects:

  • Multimedia-Nachricht: XXXXXX
  • MMS-Nachricht: XXXXXX
  • Multimedianachricht: XXXXXX

… where X refers to a random digit, for example Multimedia-Nachricht: 415465 and MMS Id: 446869.

The most recent spam run I could observe today was a bit different. Instead of pretending to be an MMS from Orange, the spam emails claims to be an application for an open job position:

Tinba Spamrun 3

Obviously, these spammers have a some difficulties with the Umlaute (öäü) used in German, which makes the email quite suspect. This time, the spam emails were forged to look like they were sent from (another big free email service in Switzerland and Germany). The subject line looks like this:

  • an sekretariat
  • AW: an sekretariat
  • AW: Bewerbung
  • Bewerbung
  • Fwd: an sekretariat
  • Re: an sekretariat
  • sekretariat
  • WG: an sekretariat
  • WG: Bewerbung

Let’s take a closer look at the sending IP addresses. If we match them against Spamhaus CBL it turns out that they are all Cutwail infected IPs:

$ grep -F -f ips.txt spamhaus_ecbl,AS9299,PH,cutwail,AS45899,VN,cutwail,AS4750,TH,cutwail,AS21309,IT,cutwail,AS23520,US,cutwail,AS9121,TR,cutwail,AS21309,IT,cutwail

If we take a look at the attachments spread using these spam runs, we see that multiple malware binaries have been spread: MD5 dededad4a9979aa4f23b56bf2c038e17
-> IMG_8703219_27_01_2015.jpeg.exe MD5 2b31753f4650673f76dc17c251d21e71 MD5 f399947a97bcaf1b561b196e9966639d
-> IMG-27012014-WA0015.jpg.exe MD5 5b4d91a1e98f8fdbbfd210d91a8435f9 MD5 5d2d057c4913be8e1ddb7187ea254491
-> Doc_Bewerbung-Januar2015.docx.exe MD5 5b4d91a1e98f8fdbbfd210d91a8435f9

As mentioned earlier in this post, the malware that is being spread through these spam runes appears to be a non-DGA version of Tinba. The malware itself calls out to one of the following botnet Command&Control Servers (C&Cs):

hXXp:// ( – AS44050 PIN-AS, Russia)
hXXp:// (sinkholed)
hXXp:// ( – AS44050 PIN-AS, Russia)
hXXp:// (sinkholed)

I recommend to block the mentioned domains (, and IPs (, at your networks edge. I general, looks quite suspect. So you may want to block the whole netblock. In addition, it would be a good advise to block filenames with multiple file extentions (e.g. .docx.exe and on your email gateway. Running On New Hardware

What most people don’t know is that for the most part is a “one-man-show”. I run and associated projects by myself in my spare time. In addition to, I have a full-time job that is very demanding. I run for non-profit: I do not sell any data or information. Hence I have to rely on donations and “good-will” from third parties in order to keep my projects up and running.

On December 15 2014, I had to suspend services for and ZeuS Tracker due to some major server issues. The backend server that was hosting those services crashed unexpectedly several times. Due to this, a database got corrupted – this in turn caused irreparable damages to a few database tables.

The backend server that crashed was running on very old hardware. I was not able to locate the cause of these crashes, so I figured that getting the services up and running again on the old hardware would be a really bad idea. To prevent further irreparable damages on the databases, I decided to temporarily suspend the services and look for a new home for and ZeuS Tracker.

In the past days I have been busy with searching for a new home for and ZeuS Tracker. I have to say that I was overwhelmed with the vast amount of people that offered me help. I had never imagined that so many people enjoy and rely on the services offered on Hence it wasn’t too difficult to find a sponsor for new servers. On December 19 2014, I was able to restore services for both, and ZeuS Tracker, on new hardware sponsored by PhishLabs and ThreatSTOP. I would like to thank both of them for their great support.

I also want to take the opportunity and thank all the organisations and security researchers that I work with regularly and that support my efforts to make the internet a safer place. Some of them decided to remain anonymous and hence do not wish to get named in public. For all others I’ve set up the page “Friends of”. You can find the list of supporters of here.

The vast amount of positive feedback I have received in the past days motivates me even more to continue my fight against cybercrime and providing data and information about cyberthreats to the internet community for the good.

I wish you all a Merry Christmas and a Happy New Year!

Follow on Twitter: