The cyber underground paused to note that Aleksandr Andreevich Panin, aka "Gribodemon," had pleaded guilty to charges pegging him as the mastermind of SpyEye.
SpyEye is the tool of choice for hackers who routinely pilfer from online bank accounts. It arose in 2009 as a cheaper imitation of the pioneering banking Trojan, ZeuS, which was the creation of a brilliant, young Russian programmer who goes by the aliases Slavik, A-Z, Umbro and Monstr.
ZeuS' creator remains on the loose.
The tale of how SpyEye overtook ZeuS could fit in any textbook on entrepreneurship. What's more, it demonstrates how business-like and resilient the world of criminal hacking has become.
Let's pick up the story circa 2009, with the help of Don Jackson, director of threat intelligence at security start-up PhishLabs, and Loucif Kharouni, researcher at anti-malware firm Trend Micro.
ZeuS is selling for as much as $8,000 to crime gangs expert at hijacking online bank accounts. ZeuS hacks require customized tuning of the attack code, and crews of hackers working in concert to pull off Ocean's Eleven-like heists.
Along comes SpyEye, a lean and modular banking Trojan selling for around $1,000. "While ZeuS was the infrastructure software for elite cybercrime crew operations, SpyEye became ZeuS for the masses," says Jackson.
Banking Trojans infect Internet-connected computers and give the attacker full control. Early versions of SpyEye even included a command to seek out and uninstall any previous ZeuS infection.
ZeuS' creator, Slavik, initially professed to be nonplussed by the competition. "Slavik knew his software was great," Kharouni says. "It was well coded, and he had good, loyal customers."
After building a following, Gribodemon announced SpyEye would no longer uninstall ZeuS. "He realized it would be better for him to be seen as a straight-up competitor," Kharouni says.
If Gribodemon was bold, Slavik was cautious. A deal was struck. Slavik gave Gribodemon ZeuS' customers and access to ZeuS' top secret source code.
"(Slavik) was relieved of commitments to support the small-time ZeuS operators while keeping his reputation intact," Jackson says. "The SpyEye author was handed ZeuS customers on a silver platter, backed by nothing less than an endorsement by the king of modern crimeware."
Kharouni believes Slavik sensed law enforcement closing in. "He realized it would probably be best for him to give his source code to Gribodemon and make a lot of noise around that, so people would say, 'He's taking his retirement and we won't hear from him again,'" Kharouni says.
In May 2011, Gribodemon's monopoly sustained a fracture. Someone leaked a copy of ZeuS' source code onto public forums, making it possible for any low-skilled programmer to create free versions of ZeuS or SpyEye.
Was it Slavik, who's believed to be in his late 20s?
And what's become of Slavik? Did he have a hand in creating the memory-parsing malware used to breach customer data?
"Did Slavik really retire for good? No, I don't think so," Kharouni says. "He probably just moved on to another project, changed his identity and started something new."
Jackson concurs: "I believe Slavik is still developing custom code for his top-tier clients of ZeuS."
© 2014 under contract with NewsEdge. All rights reserved.