Creator Of SpyEye Data-Stealing Malware Pleads Guilty


A Russian national who wrote the SpyEye data-stealing malware responsible for infecting at least 1.4 million PCs has pleaded guilty to conspiracy to commit wire and bank fraud for his role in distributing the malicious software.

Aleksandr Andreevich Panin pleaded guilty to the charges in U.S. District Court in the Northern District of Georgia. He faces sentencing in April. Charges against a second man, Hamza Bendelladj of Algeria, for his role in developing and selling SpyEye are still pending.

Panin operated out of Russia from 2009 to 2011, creating and distributing the SpyEye automated attack toolkit using underground hacking forums. SpyEye has grown in popularity due to its ability to be regionally customized to an area's local banks and other financial institutions. The malware associated with the toolkit is designed to record keystrokes and inject code into browsers to covertly access bank accounts. It can steal bank account credentials, credit card data, financial information and other details that could be used to drain bank accounts, make fraudulent purchases, or be sold to identity thieves.

More than 10,000 bank accounts have been compromised by SpyEye infections in 2013 alone, authorities say. SpyEye rivaled the Zeus malware toolkit. Both malware families have been notorious for spreading automated attacks and creating botnets of infected systems capable of spreading spam, malware and phishing attacks. Malware based on the SpyEye and Zeus families has also surfaced in recent years, targeting business-to-business transactions and high-balance banking consumers.

Federal investigators said SpyEye was an invite-only toolkit, sold to other cybercriminals for prices ranging from $1,000 to $8,500. Purchasers of the toolkit are said to have reaped rewards, with one attacker making over $3.2 million in a six-month period using SpyEye.

Panin was arrested last July following a flight into Atlanta. Bendelladj was apprehended in Thailand and extradited to the U.S. in May. In addition, authorities in the U.K. and Bulgaria have arrested four attackers who are believed to have used SpyEye in attacks. Law enforcement has been tracking and communicating with Panin and Bendelladj since 2011, a year in which the source code to SpyEye was leaked, creating a new wave of attacks and infected systems.

Security experts say banks, credit unions and other financial firms were hit hardest by having to deal with customer infections of SpyEye-related malware. Most infections associated with the banking malware were on consumer PCs, said Robert Anderson, principal at IngenuIT, a New York City-based service provider.

"Automated attack toolkits are here to stay," Anderson said. "Arrests and convictions to crack down on this crime is important, but there will be other people to take their place."

The infected PCs made up botnets that were rented out to spread more malware, spam campaigns and even denial-of-service attacks. Malware infections are only part of the problem, because attacks that use the power of infected consumer systems often cause pain to business clients, said Alex Moss, managing partner of Chicago-based security consultancy, Conventus Corp. With dozens of different attack toolkits available to cybercriminals, it's very likely that another one will take its place, Moss said.

"It's not necessarily about dealing with the malicious code itself, rather it's the bot army associated with the infections," Moss said. "There will always be people to take the place of those arrested looking for the next toolkit."

PUBLISHED JAN. 29, 2014