1/29/2014

SpyEye Creator Got 'Sloppy,' Then Got Nabbed

Russian national behind the infamous crimeware kit pleads guilty to conspiracy to commit wire and bank fraud in his role as primary developer and distributor of SpyEye

Turns out the key player behind the development and distribution of the infamous SpyEye data-stealing Trojan wasn't so careful about covering his tracks. Aleksandr Andreevich Panin, a.k.a. "Gribodemon" and "Harderman," inadvertently left a trail that ultimately led to his arrest last summer.

The U.S. Attorney's Office yesterday announced that Panin had pleaded guilty to charges associated with his role as the main developer and distributor of SpyEye. Panin, 24, who was arrested by U.S. authorities at Georgia's Hartsfield-Jackson Atlanta International Airport on his way back from a trip to the Dominican Republic, left clues of his identity while engaged in underground forums, and inadvertently leaked the email address of a SpyEye server's controller -- which helped investigators unmask him.

Researchers at Trend Micro who tracked Panin and other associates online were able to glean some valuable information from Panin's online postings, as well as SpyEye files that provided valuable intelligence about his identity. "Once we decrypted the files, we had access to a bunch of other files ... including a configuration file" with SpyEye customer names that Panin apparently had created, Loucif Kharouni, senior threat researcher with Trend Micro, told Dark Reading. "That was a mistake."

Panin, a Russian national, had become a bit too confident and became "sloppy" in his operations, Kharouni says.

The Trend Micro team, which assisted the FBI in the investigation, correlated key information and clues from the SpyEye configuration files with other intelligence it had on hand. The researchers joined underground forums that Panin and his cohorts frequented, and were able to obtain the email addresses and ICQ and Jabber chat numbers that the suspects disclosed to prospective customers.

"But that was 2010 and 2011. From that point, things changed. Now you rarely see cybercriminals disclosing this type of information," says Kharouni, who posted details of Trend Micro's findings in a blog post today.

The binaries and configuration files used with the Trojan led Kharouni and his team to a key clue: The decrypted configuration files had the handle "Bx1," Panin's partner in the enterprise: Hamza Bendelladj, an Algerian national who was arrested in January 2013 in an airport in Bangkok while in transit from Malaysia to Algeria. He was extradited to the U.S. in May, and faces pending charges in the Northern District of Georgia for his alleged role in SpyEye.

Panin was definitely not as savvy as ZeuS creator Slavik, who remains at large. "Slavik wouldn't disclose that type of information in an underground forum. And he hasn't been caught yet," Kharouni says. "[Panin's] mistake was that he was [new] and wanted to make an impression, and he wasn't careful at first."

Meanwhile, Panin and Bendelladj eventually became more guarded and cautious with their online communications. "But it was too late," Kharouni says. "They didn't expect to get caught traveling."

Aside from his carelessness online, Panin -- like Bx1 -- made the mistake of traveling outside of Russia or another nation without a U.S. extradition agreement.

"Panin suffered the same fate as Bx1. He traveled and got picked up crossing borders ... Although an Algerian native, Bx1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These 'border crossing' arrests have led the Russian government to issue a rather strange travel advisory: 'If you are wanted for crimes in the United States, don't visit Extradition Friendly Countries!'" notes Malcovery researcher Gary Warner in a post today.

The SpyEye Trojan has infected more than 1.4 million computers around the world, and according to financial services industry data, more than 10,000 bank accounts were hacked via SpyEye infections in 2013. The malware -- which steals online banking credentials, credit card data, user names, passwords, PINs, and other sensitive personal information, and then sends that information to command-and-control servers -- remains in use today.

Panin and other associates in Russia developed, marketed, and sold versions of the SpyEye malware kit online between 2009 and 2011, selling the malware for anywhere from $1,000 to $8,500 to at least 150 different customers who, in turn, deployed the Trojan in cyberattacks. According to the U.S. Attorney, one of Panin's clients, known as "Soldier," reportedly netted more than $3.2 million via SpyEye in six months.

International authorities also have arrested four of Panin's SpyEye clients and associates in the U.K. and Bulgaria as a result of the investigation into his activities.

"Authoring malware today is so lucrative and easy to do that catching these criminals is just putting a finger in the dyke, and I anticipate more malware authors will always be popping up to cash in on this cybercrime gold rush," says Branden Spikes, CEO, CTO, and founder of Spikes Security. "It's reassuring to see law enforcement successfully deterring the cybercriminal, but to effectively stifle the hacker we need a paradigm shift from detection to isolation. Certainly, the prosecution of malware authors is an important effort and one that will reduce the power of botnets, DDoS attacks, and spam for a while."

The FBI in February 2011 seized a SpyEye command-and-control server run by Bendelladj in Georgia. That server had control over more than 200 bots infected with SpyEye and included stolen information from various financial institutions. In June and July of that year, FBI undercover agents were able to make contact with Panin online and purchase a version of the Trojan that steals financial information. The Trojan also includes keylogging and distributed denial-of-service features.

Panin's case likely signals the end of the SpyEye era. "Only beginners use SpyEye now. Everyone knows it's not really safe to use anymore, so most have moved on to others like Citadel," Trend Micro's Kharouni says.

[A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. See Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft.]

There are still plenty of unknowns about the SpyEye case, however. "What we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody," Malcovery's Warner notes. Where are the clients who purchased SpyEye from Bx1, what are their botnets, and how much did they make, he asks.

Aside from U.S. authorities, the U.K.'s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands-National High Tech Crime Unit (NHTCU), Dominican Republic's Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria, and the Australian Federal Police (AFP) all had a hand in the investigation, as well as Trend Micro, Microsoft's Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer, and the Norwegian Security Research Team.

"As several recent and widely reported data breaches have shown, cyber attacks pose a critical threat to our nation's economic security," said U.S. Attorney Sally Quillian Yates. "Today's plea is a great leap forward in our campaign against those attacks. Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned -- you cannot hide in the shadows of the Internet. We will find you and bring you to justice."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
