Arrested SpyEye author also developed mystery Tilon bank Trojan, says security firm

Fox-IT spots similarities in code

Arrested SpyEye author Aleksandr Panin was probably responsible for the Tilon bank Trojan, developed as a "side project" using the same source code as his more famous creation, an analysis by Dutch security firm Fox-IT has concluded.

According to its researchers, the now largely defunct Tilon began life in October 2011, probably as a low-key way of making some money from the bank Trojan market without the need to offer the service and support on offer with purchases of the more famous SpyEye.

In August 20012, the malware was eventually noticed by security firm Trusteer, which decided it was based on the Silon bank Trojan from 2009, but Fox-IT believes that Tilon borrowed only the former's loader; its core was re-used from SpyEye, making it in effect "SpyEye 2."

Analysts missed the connection between the two pieces of malware because of Tilon's later revision, but Fox-IT's analysis points out some tell-tale similarities, principally the re-purposing of its core modules and striking similarities in its management interface.

The fact that code was re-used (rather than reverse-engineered) proved that its developers had access to its source code, Fox-IT said. Ironically, despite being less important Tilon actually improved on SpyEye in terms of overall stability.

Fox-IT views arrests like 'Gribodemon' [aka Aleksandr Panin] and other key figures in the underground economy such as Paunch, the author of the popular Blackhole Exploit Kit, as the key to decreasing the worldwide activity around online crime," said Fox-IT.

"While other actors can replace their knowledge, these actors are an important lynchpin interconnecting underground trust relations. Breaking these trust networks splits the criminal underground into isolated islands."

Tilon has declined in activity which is most likely connected to the Panin's arrest as he arrived in the Dominican Republic for a holiday last summer. He was quickly extradited to the US and recently pleaded guilty to conspiracy charges related to SpyEye.

His forensic connection to Tilon probably won't make any difference to the long jail term he has in store but does at least tidy up another loose end; Tilon always seemed like a mysterious 'umbranded' piece of malware that had appeared quite suddenly before disappearing almost as unexpectedly.

Tilon also had alleged customers in the UK, one of whom was arrested by police last March.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Personal TechTrusteerFox-IT

More about TrusteerTrusteerTrusteer

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Brand Page

Stories by John E Dunn

Latest Videos

More videos

Blog Posts