1/29/2014
04:44 PM
SpyEye Creator Got 'Sloppy,' Then Got Nabbed

Russian national behind the infamous crimeware kit pleads guilty to conspiracy to commit wire and bank fraud in his role as primary developer and distributor of SpyEye

Turns out the key player behind the development and distribution of the infamous SpyEye data-stealing Trojan wasn't so careful about covering his tracks. Aleksandr Andreevich Panin, a.k.a. "Gribodemon" and "Harderman," inadvertently left a trail that ultimately led to his arrest last summer.

The U.S. Attorney's Office yesterday announced that Panin had pleaded guilty to charges stemming from his role as the main developer and distributor of SpyEye. Panin, 24, was arrested by U.S. authorities at Georgia's Hartsfield-Jackson Atlanta International Airport on his way back from a trip to the Dominican Republic. He had left clues to his identity in underground forum postings and inadvertently leaked the email address of a SpyEye server's controller, which helped investigators unmask him.

Researchers at Trend Micro who tracked Panin and his associates online gleaned useful information from Panin's forum postings and from SpyEye files that pointed to his identity. "Once we decrypted the files, we had access to a bunch of other files ... including a configuration file" with SpyEye customer names that Panin apparently had created, Loucif Kharouni, senior threat researcher with Trend Micro, told Dark Reading. "That was a mistake."

Panin, a Russian national, had become a bit too confident and became "sloppy" in his operations, Kharouni says.

The Trend Micro team, which assisted the FBI in the investigation, correlated key information and clues from the SpyEye configuration files with other intelligence it had on hand. The researchers joined underground forums that Panin and his cohorts frequented and obtained the email addresses and ICQ and Jabber chat numbers that the suspects disclosed to prospective customers.

"But that was 2010 and 2011. From that point, things changed. Now you rarely see cybercriminals disclosing this type of information," says Kharouni, who posted details of Trend Micro's findings in a blog post today.

The binaries and configuration files used with the Trojan led Kharouni and his team to a key clue: the decrypted configuration files contained the handle "Bx1," which belonged to Panin's partner in the enterprise, Hamza Bendelladj, an Algerian national who was arrested in January 2013 at the airport in Bangkok while in transit from Malaysia to Egypt. He was extradited to the U.S. in May 2013 and faces pending charges in the Northern District of Georgia for his alleged role in SpyEye.

Panin was not as careful as ZeuS creator Slavik, who remains at large. "Slavik wouldn't disclose that type of information in an underground forum. And he hasn't been caught yet," Kharouni says. "[Panin's] mistake was that he was [new] and wanted to make an impression, and he wasn't careful at first."

Meanwhile, Panin and Bendelladj eventually became more guarded and cautious with their online communications. "But it was too late," Kharouni says. "They didn't expect to get caught traveling."

Aside from his carelessness online, Panin -- like Bx1 -- made the mistake of traveling outside Russia, leaving a country that has no extradition agreement with the U.S.

"Panin suffered the same fate as Bx1. He traveled and got picked up crossing borders ... Although an Algerian native, Bx1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These 'border crossing' arrests have led the Russian government to issue a rather strange travel advisory: 'If you are wanted for crimes in the United States, don't visit Extradition Friendly Countries!'" notes Malcovery researcher Gary Warner in a post today.

The SpyEye Trojan has infected more than 1.4 million computers around the world, and according to financial services industry data, more than 10,000 bank accounts were compromised via SpyEye infections in 2013. The malware -- which steals online banking credentials, credit card data, user names, passwords, PINs, and other sensitive personal information, and then sends that information to command-and-control servers -- remains in use today.

Panin and other associates in Russia developed, marketed, and sold versions of the SpyEye malware kit online between 2009 and 2011, selling the malware for anywhere from $1,000 to $8,500 to at least 150 different customers who, in turn, deployed the Trojan in cyberattacks. According to the U.S. Attorney, one of Panin's clients, known as "Soldier," reportedly netted more than $3.2 million via SpyEye in six months.

International authorities also have arrested four of Panin's SpyEye clients and associates in the U.K. and Bulgaria as a result of the investigation into his activities.

"Authoring malware today is so lucrative and easy to do that catching these criminals is just putting a finger in the dyke, and I anticipate more malware authors will always be popping up to cash in on this cybercrime gold rush," says Branden Spikes, CEO, CTO, and founder of Spikes Security. "It's reassuring to see law enforcement successfully deterring the cybercriminal, but to effectively stifle the hacker we need a paradigm shift from detection to isolation. Certainly, the prosecution of malware authors is an important effort and one that will reduce the power of botnets, DDoS attacks, and spam for a while."

The FBI in February 2011 seized a SpyEye command-and-control server run by Bendelladj in Georgia. That server controlled more than 200 SpyEye-infected bots and held stolen information from various financial institutions. In June and July of that year, FBI undercover agents made contact with Panin online and purchased a version of the Trojan that steals financial information. The Trojan also includes keylogging and distributed denial-of-service features.

Panin's case likely signals the end of the SpyEye era. "Only beginners use SpyEye now. Everyone knows it's not really safe to use anymore, so most have moved on to others like Citadel," Trend Micro's Kharouni says.

[A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. See Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft .]

There are still plenty of unknowns about the SpyEye case, however. "What we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody," Malcovery's Warner notes. Where are the clients who purchased SpyEye from Bx1, what are their botnets, and how much did they make, he asks.

Aside from U.S. authorities, the U.K.'s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands-National High Tech Crime Unit (NHTCU), Dominican Republic's Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria, and the Australian Federal Police (AFP) all had a hand in the investigation, as well as Trend Micro, Microsoft's Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer, and the Norwegian Security Research Team.

"As several recent and widely reported data breaches have shown, cyber attacks pose a critical threat to our nation's economic security," said U.S. Attorney Sally Quillian Yates. "Today's plea is a great leap forward in our campaign against those attacks. Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned -- you cannot hide in the shadows of the Internet. We will find you and bring you to justice."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
