• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Eyeing SpyEye

Eyeing SpyEye

  • Posted on:January 29, 2014 at 1:19 am
  • Posted in:Malware
  • Author:
    Loucif Kharouni (Senior Threat Researcher)
0

Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye.

Trend Micro was a key part of this investigation and has been working with the FBI on this case for quite some time. In particular, information provided by Trend Micro (such as the online “handles” and accounts used) was used to help find the real identities of Panin and his accomplices. It took considerable effort for all parties involved to bring this investigation to a successful conclusion.

Our investigation

One of Panin’s accomplices was Hamza Bendelladj, who went by the alias bx1. Both Panin and Bendelladj were involved in creating and setting up various SpyEye domains and servers, which was how we were able to obtain information on the pair. While SpyEye was created in such a way that few of these files were publicly available, we were still able to obtain these and acquire the information in these files, which included (for example) the email address of a server’s controller.

We correlated the information obtained from these configuration files with information we had gathered elsewhere. For example, we infiltrated various underground forums where both Panin and Bendelladj were known to visit. Just by reading their posts, they would inadvertently disclose information like their email address, ICQ number, or Jabber number – all information that might reveal their actual identities.

For example, we discovered the C&C server lloydstsb.bz, as well as the associated SpyEye binaries and configuration files. The decrypted configuration files included the handle bx1. A configuration file on that server also contained the email address. A second configuration file – also using the bx1 name – was found which contained login credentials for virtest, a detection-testing service used by cybercriminals.

spyeye1_1 spyeye2_2

Figure 1. Configuration files

The following post in an underground forum shows that Bendelladj’s involvement in SpyEye was more in-depth than he claimed in public:

Figure 2. Underground forum post

This graph shows the some of the relationships among various websites, email addresses, and malware used by Bendelladj:

(Click above to enlarge)

Figure 3. Diagram showing the relationships among related websites, email addresses, and malware

Investigating Gribodemon

We carried out the same kind of investigation to look into Panin. As with his partner in crime, we found that Panin was linked to various domain names and email addresses.

While Panin believed that he was very good at hiding his tracks, it’s now obvious that he wasn’t as good as he thought he was. Around the time he was selling SpyEye, he also became very sloppy and not particularly careful; despite using multiple handles and email addresses, Trend Micro, working together with the FBI, found his real identity.

Panin started selling SpyEye in 2009, and it quickly became a well-regarded competitor to the more well-known ZeuS. At the time, it was popular due to its lower cost and the ability to add custom plug-ins, something ZeuS didn’t offer. In late 2010, in two posts, we took a very good look at SpyEye’s control panels.

Some cybercriminals were not particularly fond of SpyEye due to its poor coding compared with ZeuS, while others liked the features that SpyEye brought to the table. Whatever the case, SpyEye was well-known enough in the cybercrime community that when ZeuS creator Slavik left, he gave the code to Panin.

Panin used this code to create a new version of SpyEye which combined features of both the older versions of SpyEye and ZeuS. In addition, he outsourced some of the coding to his accomplices (like Bendelladj) in order to improve SpyEye’s quality. Later versions showed significant changes to the underlying code, including reusing code from ZeuS.

This arrest shows how security companies, working closely with law enforcement agencies, can deliver results. By going after the cybercriminals themselves instead of their servers, we ensured that permanent damage was done to the whole underground, instead of relatively quick and easily repairable damage caused by takedowns. We believe that this is the way to attack cybercrime and make the Internet safer for all users.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: BendelladjcybercriminalGribodemonlaw enforcementPaninSpyEyeZBOTZeuS

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.