The creator of the banking malware SpyEye, Aleksandr Andreevich Panin, has just been sentenced to 9 ½ years in federal prison on charges related to creating and distributing SpyEye. This is the latest development in a saga that first saw the arrest of Panin in 2013. In early 2014, he had pleaded guilty to charges related to creating and distributing SpyEye.
The arrest was the result of a collaboration among the FBI, Trend Micro, and other law enforcement agencies and industry partners. Information provided by Trend Micro (such as the online “handles” and accounts used) was used to help find the real identities of Panin and his accomplices.
The ‘History’ of SpyEye
SpyEye first made its way into the landscape as the “ZeuS killer.” It was heralded as malware that could possibly take on ZeuS/ZBOT in a bot war. Like ZBOT, SpyEye is notorious for stealing user information related to banking and finance websites. It also has rootkit capabilities, which enable the malware to hide processes and files from victims.
Since being released in the wild, we have seen several versions of the malware make an appearance in the landscape. One major development occurred when ZeuS’ author, known as “Slavik” or “Monstr,” left the cybercrime scene and handed over ZeuS’ source code to Panin (known as “Gribodemon” or “Harderman”).
Trend Micro had been involved in SpyEye-related investigations before Panin’s arrest. In 2011, we revealed the findings of an investigation in which one cybercriminal (called “Soldier”) used SpyEye to steal more than US$3.2 million in six months. This attack mainly targeted US users, and some of those affected were large enterprises and institutions such as the US government and military.
Panin’s arrest and sentencing are the final result of an investigation that monitored the movements of Panin and his associate, Hamza Bendelladj (known as “Bx1”). For example, our researchers infiltrated various underground forums that both Panin and Bendelladj were known to visit. Their posts would inadvertently disclose information like their email address, ICQ number, or Jabber ID – all information that might reveal their actual identities.
This information was shared with the FBI; together with the results of their own investigation, this led to the arrests of both Panin and Bendelladj. Bendelladj was arrested at Bangkok’s Suvarnabhumi Airport while en route from Malaysia to Egypt in January 2013 and extradited in May of the same year. Panin was arrested in July 2013 while transiting at Hartsfield-Jackson Atlanta International Airport. Bendelladj has been sentenced to 15 years alongside Panin.
As an aside, Bendelladj has become something of a cult hero within the Arabic-speaking hacking community. Soon after his arrest, it was claimed that he had stolen hundreds of millions of dollars and donated this money to Palestinian charities; in addition it was also said that he faced the death penalty in the United States. US officials have denied both of these claims (cybercrime is not a capital crime in the United States).
In May 2014, a British cybercriminal named James Bayliss was arrested. Bayliss worked closely with Panin in coding the ccgrabber plugin for SpyEye. This plugin collected credit card numbers and CVVs by analyzing the POST requests made from the infected machine. This apprehension was also a result of our efforts to work with law enforcement in the United Kingdom.
The Importance of Collaboration
These numerous arrests and takedowns highlight the importance of working with law enforcement in fighting cybercrime. This partnership is crucial, as neither group, working alone, can protect users and stop cybercrime.
The partnership benefits both sides. The security community can provide the technical knowledge and skills that law enforcement agencies may lack, while law enforcement agencies can make sure that the cybercriminals behind attacks wind up behind bars. Taking down infrastructure and servers is only a short-term solution to the problem of cybercrime; to truly address it, the perpetrators themselves must be stopped.