SpyEye Arrests Don't Touch High-Level Trojan Developers

While the arrest of members of the SpyEye gang is something to cheer about, the suspects are most likely low-level money mules and the developers of the banking Trojan remain at large.

U.K. police have arrested three alleged members of the SpyEye gang. Security researchers consider SpyEye, a banking Trojan that harvests victims' personal credentials, the de facto successor to the Zeus Trojan.

Two of the men were charged on April 8, but the third man was released on bail on the condition that he return for further questioning in August, police said, according to a report by The Register. Pavel Cyganoc, a Lithuanian living in Birmingham, England, and Aldis Krummins, a Latvian living in Goole, England, were both charged with conspiracy to defraud and concealing the proceeds of crime.

Cyganoc was also charged with conspiracy to cause unauthorized modifications to computers, police said.

The Police Central e-Crime Unit, a specialized group based in Scotland Yard, made the arrests "in connection with an international investigation into a group suspected of utilizing malware to infect personal computers and retrieve private banking details."

Along with the arrests, police also seized computer equipment and data. The investigation is still ongoing.

However, these arrests won't affect the gang's activities, as the suspects are most likely fairly low in the hierarchy, Sean Bodmer, senior threat analyst at Damballah, told eWEEK.

"Unfortunately, these are not the primary authors [members of the Roman team] behind SpyEye development," Bodmer said. Damballa had information on four developers behind the Trojan, which had been gathered by infiltrating the botnet's command-and-control servers, according to Bodmer. "None of the names and ages match any of the information" of the arrested suspects, said Bodmer.

It's difficult for law enforcement to track the higher members of the SpyEye gang as they use many names and numerous VPN services to hide their tracks, Bodmer said. They also have a "smart" chain-of-command where the authors are removed from daily operations of the botnets and sales of the crimeware kit.

The suspects are most likely money mules, the individuals who accept stolen funds in their personal accounts and move it to the actual gang's accounts for a slice of the proceeds. Even so, it's important not to underestimate the impact of the arrests, as the criminals' activities have been disrupted, Troy Gill, security analyst at AppRiver, told eWEEK. The information gained during the arrests could also play a role in bringing down the larger group, Gill said.

Security analysts have been watching SpyEye for some time, especially after there were reports of its merging with Zeus late last fall. The most recent version of the SpyEye code is a closely guarded secret, according to Bodmer. The older versions are available online, as an attack kit for SpyEye is available on underground cyber-crime forums for around $1,000 per license. With the kit, practically anyone can create a customized version of the Trojan.

That appears to be the case here, as the three-month investigation revolved around the group's customized version of the SpyEye Trojan. "There are many independently operating criminal gangs who purchase crimeware tools like Zeus and SpyEye, and it would appear that one of these gangs is now looking out the window at the gray bar hotel," Chet Wisniewski, senior security advisor at Sophos, told eWEEK. The arrests will likely not affect the other SpyEye variants that are available, and the code remains available for even more variants.

The team behind SpyEye is most likely making money off of the sale of malware instead of using it to actually steal account credentials, Fred Touchette, a senior security analyst at AppRiver, told eWEEK. Arresting the "script kiddies" helps send a message that law enforcement isn't going to put up with the malware, Touchette said.

Much more work has to be done to put a dent in online banking fraud, Wisniewski said.

There have been joint international efforts in the past between the U.K. police and the United States Federal Bureau of Investigation to execute raids and arrest cyber-crime suspects. The largest and most prominent bust was last October when authorities arrested dozens of money mules working with the gang behind the Zeus banking Trojan in both the U.K. and U.S.

Even with the code merger between the two Trojans, Zeus is still active as standalone malware.