Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye. Trend Micro was a key part of this investigation and has been working with the FBI on this case for quite some time. It took considerable effort for all parties involved to bring this investigation to a successful conclusion.
One of Panin’s accomplices was Hamza Bendelladj, who went by the alias bx1. Both Panin and Bendelladj were involved in creating and setting up various SpyEye domains and servers, which was how we were able to obtain information on the pair. While SpyEye was created in such a way that few of these files were publicly available, we were still able to obtain these and acquire the information in these files, which included (for example) the email address of a server’s controller.
We correlated the information obtained from these configuration files with information we had gathered elsewhere. For example, we infiltrated various underground forums where both Panin and Bendelladj were known to visit. Just by reading their posts, they would inadvertently disclose information like their email address, ICQ number, or Jabber number – all information that might reveal their actual identities.
For example, we discovered the C&C server lloydstsb.bz, as well as the associated SpyEye binaries and configuration files. The decrypted configuration files included the handle bx1. A configuration file on that server also contained the email address firstname.lastname@example.org. A second configuration file – also using the bx1 name – was found which contained login credentials for virtest, a detection-testing service used by cybercriminals.
Figure 1. Configuration files
The following post in an underground forum shows that Bendelladj’s involvement in SpyEye was more in-depth than he claimed in public:
Figure 2. Underground forum post
This graph shows the some of the relationships among various websites, email addresses, and malware used by Bendelladj:
(Click above to enlarge)
Figure 3. Diagram showing the relationships among related websites, email addresses, and malware
We carried out the same kind of investigation to look into Panin. As with his partner in crime, we found that Panin was linked to various domain names and email addresses.
While Panin believed that he was very good at hiding his tracks, it’s now obvious that he wasn’t as good as he thought he was. Around the time he was selling SpyEye, he also became very sloppy and not particularly careful; despite using multiple handles and email addresses, Trend Micro, working together with the FBI, found his real identity.
Panin started selling SpyEye in 2009, and it quickly became a well-regarded competitor to the more well-known ZeuS. At the time, it was popular due to its lower cost and the ability to add custom plug-ins, something ZeuS didn’t offer. In late 2010, in two posts, we took a very good look at SpyEye’s control panels.
Some cybercriminals were not particularly fond of SpyEye due to its poor coding compared with ZeuS, while others liked the features that SpyEye brought to the table. Whatever the case, SpyEye was well-known enough in the cybercrime community that when ZeuS creator Slavik left, he gave the code to Panin.
Panin used this code to create a new version of SpyEye which combined features of both the older versions of SpyEye and ZeuS. In addition, he outsourced some of the coding to his accomplices (like Bendelladj) in order to improve SpyEye’s quality. Later versions showed significant changes to the underlying code, including reusing code from ZeuS.
This arrest shows how security companies, working closely with law enforcement agencies, can deliver results. By going after the cybercriminals themselves instead of their servers, we ensured that permanent damage was done to the whole underground, instead of relatively quick and easily repairable damage caused by takedowns. We believe that this is the way to attack cybercrime and make the Internet safer for all users.