Attacks/Breaches

1/29/2014
04:44 PM
SpyEye Creator Got 'Sloppy,' Then Got Nabbed

Russian national behind the infamous crimeware kit pleads guilty to conspiracy to commit wire and bank fraud in his role as primary developer and distributor of SpyEye

Turns out the key player behind the development and distribution of the infamous SpyEye data-stealing Trojan wasn't so careful about covering his tracks. Aleksandr Andreevich Panin, a.k.a. "Gribodemon" and "Harderman," inadvertently left a trail that ultimately led to his arrest last summer.

The U.S. Attorney's Office yesterday announced that Panin had pleaded guilty to charges associated with his role as the main developer and distributor of SpyEye. Panin, 24, who was arrested by U.S. authorities at Georgia's Hartsfield-Jackson Atlanta International Airport on his way back from a trip to the Dominican Republic, left clues of his identity while engaged in underground forums, and inadvertently leaked the email address of a SpyEye server's controller -- which helped investigators unmask him.

Researchers at Trend Micro who tracked Panin and his associates online gleaned useful information both from Panin's forum postings and from SpyEye files that yielded intelligence about his identity. "Once we decrypted the files, we had access to a bunch of other files ... including a configuration file" with SpyEye customer names that Panin apparently had created, Loucif Kharouni, senior threat researcher with Trend Micro, told Dark Reading. "That was a mistake."

Panin, a Russian national, had become a bit too confident and became "sloppy" in his operations, Kharouni says.

The Trend Micro team, which assisted the FBI in the investigation, correlated key information and clues from the SpyEye configuration files with other intelligence it had on hand. The researchers joined the underground forums that Panin and his cohorts frequented, and were able to obtain the email addresses and ICQ and Jabber chat numbers that the suspects disclosed to prospective customers.

"But that was 2010 and 2011. From that point, things changed. Now you rarely see cybercriminals disclosing this type of information," says Kharouni, who posted details of Trend Micro's findings in a blog post today.

The binaries and configuration files used with the Trojan led Kharouni and his team to a key clue: The decrypted configuration files contained the handle "Bx1," which belonged to Panin's partner in the enterprise, Hamza Bendelladj. Bendelladj, an Algerian national, was arrested in January 2013 at an airport in Bangkok while in transit from Malaysia to Egypt. He was extradited to the U.S. in May, and faces pending charges in the Northern District of Georgia for his alleged role in SpyEye.

Panin was definitely not as savvy as ZeuS creator Slavik, who remains at large. "Slavik wouldn't disclose that type of information in an underground forum. And he hasn't been caught yet," Kharouni says. "[Panin's] mistake was that he was [new] and wanted to make an impression, and he wasn't careful at first."

Meanwhile, Panin and Bendelladj eventually became more guarded and cautious with their online communications. "But it was too late," Kharouni says. "They didn't expect to get caught traveling."

Aside from his carelessness online, Panin -- like Bx1 -- made the mistake of traveling outside Russia, or any other nation without an extradition agreement with the U.S., into a jurisdiction where he could be detained.

"Panin suffered the same fate as Bx1. He traveled and got picked up crossing borders ... Although an Algerian native, Bx1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These 'border crossing' arrests have led the Russian government to issue a rather strange travel advisory: 'If you are wanted for crimes in the United States, don't visit Extradition Friendly Countries!'" notes Malcovery researcher Gary Warner in a post today.

The SpyEye Trojan has infected more than 1.4 million computers around the world, and according to financial services industry data, more than 10,000 bank accounts were hacked via SpyEye infections in 2013. The malware -- which steals online banking credentials, credit card data, user names, passwords, PINs, and other sensitive personal information, and then sends that information to command-and-control servers -- remains in use today.

Panin and other associates in Russia developed, marketed, and sold versions of the SpyEye malware kit online between 2009 and 2011, selling the malware for anywhere from $1,000 to $8,500 to at least 150 different customers who, in turn, deployed the Trojan in cyberattacks. According to the U.S. Attorney, one of Panin's clients, known as "Soldier," reportedly netted more than $3.2 million via SpyEye in six months.

International authorities also have arrested four of Panin's SpyEye clients and associates in the U.K. and Bulgaria as a result of the investigation into his activities.

"Authoring malware today is so lucrative and easy to do that catching these criminals is just putting a finger in the dyke, and I anticipate more malware authors will always be popping up to cash in on this cybercrime gold rush," says Branden Spikes, CEO, CTO, and founder of Spikes Security. "It's reassuring to see law enforcement successfully deterring the cybercriminal, but to effectively stifle the hacker we need a paradigm shift from detection to isolation. Certainly, the prosecution of malware authors is an important effort and one that will reduce the power of botnets, DDoS attacks, and spam for a while."

The FBI in February 2011 seized a SpyEye command-and-control server run by Bendelladj in Georgia. That server had control over more than 200 bots infected with SpyEye and included stolen information from various financial institutions. In June and July of that year, FBI undercover agents were able to make contact with Panin online and purchase a version of the Trojan that steals financial information. The Trojan also includes keylogging and distributed denial-of-service features.

Panin's case likely signals the end of the SpyEye era. "Only beginners use SpyEye now. Everyone knows it's not really safe to use anymore, so most have moved on to others like Citadel," Trend Micro's Kharouni says.

[A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. See Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft .]

There are still plenty of unknowns about the SpyEye case, however. "What we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody," Malcovery's Warner notes. Where are the clients who purchased SpyEye from Bx1, what are their botnets, and how much did they make, he asks.

Aside from U.S. authorities, the U.K.'s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands-National High Tech Crime Unit (NHTCU), Dominican Republic's Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria, and the Australian Federal Police (AFP) all had a hand in the investigation, as well as Trend Micro, Microsoft's Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer, and the Norwegian Security Research Team.

"As several recent and widely reported data breaches have shown, cyber attacks pose a critical threat to our nation's economic security," said U.S. Attorney Sally Quillian Yates. "Today's plea is a great leap forward in our campaign against those attacks. Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned -- you cannot hide in the shadows of the Internet. We will find you and bring you to justice."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
