Lessons from the capture of SpyEye’s mastermind

SEATTLE — The cyberunderground paused last week to note that Aleksandr Andreevich Panin, aka “Gribodemon,” had pleaded guilty to charges pegging him as the mastermind of SpyEye.

SpyEye is the tool of choice for hackers who routinely pilfer from online bank accounts. It arose in 2009 as a cheaper imitation of the pioneering banking Trojan, ZeuS, which was the creation of a brilliant, young Russian programmer who goes by the aliases Slavik, A-Z, Umbro and Monstr.

ZeuS’ creator remains on the loose.

The tale of how SpyEye overtook ZeuS could fit in any textbook on entrepreneurship. What’s more, it demonstrates how business-like and resilient the world of criminal hacking has become.

Let’s pick up the story circa 2009, with the help of Don Jackson, director of threat intelligence at security start-up PhishLabs, and Loucif Kharouni, researcher at anti-malware firm Trend Micro.

ZeuS is selling for as much as $8,000 to crime gangs expert at hijacking online bank accounts. ZeuS hacks require customized tuning of the attack code, and crews of hackers working in concert to pull off Ocean’s Eleven-like heists.


Along comes SpyEye, a lean and modular banking Trojan selling for around $1,000. “While ZeuS was the infrastructure software for elite cybercrime crew operations, SpyEye became ZeuS for the masses,” says Jackson.

Banking Trojans infect Internet-connected computers and give the attacker full control. Early versions of SpyEye even included a command to seek out and uninstall any previous ZeuS infection.

ZeuS’ creator, Slavik, initially professed to be nonplussed by the competition. “Slavik knew his software was great,” Kharouni says. “It was well coded, and he had good, loyal customers.”

After building a following, Gribodemon announced SpyEye would no longer uninstall ZeuS. “He realized it would be better for him to be seen as a straight-up competitor,” Kharouni says.

If Gribodemon was bold, Slavik was cautious. A deal was struck. Slavik gave Gribodemon ZeuS’ customers and access to ZeuS’ top secret source code.

“(Slavik) was relieved of commitments to support the small-time ZeuS operators while keeping his reputation intact,” Jackson says. “The SpyEye author was handed ZeuS customers on a silver platter, backed by nothing less than an endorsement by the king of modern crimeware.”

Kharouni believes Slavik sensed law enforcement closing in. “He realized it would probably be best for him to give his source code to Gribodemon and make a lot of noise around that, so people would say, ‘He’s taking his retirement and we won’t hear from him again,’” Kharouni says.
