Riding the horse of greed across the finish line
In 2012, a new Trojan appeared on the scene. Trusteer analyzed the loader component of the Trojan and found it was very similar to the loader component contained within Silon. Since T comes after S, this new Trojan became known as Tilon.
In the fall of 2013, Fox-IT gained access to the infrastructure and source code for Tilon. After deeper analysis of the Trojan and its supporting infrastructure, it turns out that the loader component was the only piece to be derived from Silon. The core of the Tilon solution is actually a re-worked, further-developed version of SpyEye-- a SpyEye version 2 now offered as, you guessed it, a managed service.
One proof point of the many findings that Fox-IT uncovered is the fact that SpyEye is routinely referred to as "sausages" and "sausage patterns" as part of the malware. When victims log in, SpyEye would steal little snippets of Web forms and URLs as a means to extract usernames and passwords. These bits of data were called sausages, and the regular expressions used to read them were called the sausage patterns. Tilon, or SpyEye v2, referred to the same exact elements.
Also of interest is that the first versions of Tilon include functionality to remove the SpyEye malware while not touching any other malware found on the system, including ZeuS. Some Tilon customers were invited to switch to v2--in place with an auto-upgrade. While some customers were invited to switch, most weren't. It is suspected by Fox-IT that if a lot of people were invited, the word would have gotten out that this new Trojan was in fact the next version of SpyEye.
Gribodemon also shared the same problems as Slavik in terms of customer support--and therefore took this opportunity to leave "idiotic" customers behind. Both guys were there from the very beginning--ZeuS and SpyEye were the two crimeware kits that started it all. Slavik kicked it off, Gribodemon entered as a worthy competitor to help establish it, and the rest of the players filled in the gaps to complete the creation of the market. However, after a long run by both, it seems that both Slavik's and Gribodemon's businesses have come to a halt.
There have been huge take-down operations for P2PZeuS. While Slavik has not been arrested, he has been identified by the FBI and is now on the FBI's most wanted list. According to Fox-IT, the FBI knows his address and that he has a boat somewhere on the Black Sea. He appears to be lying very low at the moment, doing nothing around banking malware. He must realize that he can't leave Russia without risking arrest.
Sign up for CIO Asia eNewsletters.