Tags: Command-and-Control, cybercrime, spyeye
Malware Author and Co-conspirator Receive Hefty Sentences in SpyEye Cybercrime Case
On Wednesday, April 20, 2016, a federal judge handed down stiff sentences for Aleksandr Panin (“Gribodemon” or “Harderman”), author of the infamous SpyEye banking trojan, and his co-conspirator, Hamza Bendelladj (“bx1”). Because both co-defendants pled guilty, there was no actual trial. What followed instead was described by seasoned attorneys on both sides as the “weirdest” sentencing hearing they had ever witnessed.
The SpyEye Conspiracy
Panin developed SpyEye and began offering the kit for sale on underground cybercrime forums in 2010, marketing it with the tagline “ZeuS Killer”. Bendelladj was not just one of Panin’s two main customers; he partnered with him and developed plugins for SpyEye, including the “spreader” plugin and the “ATS” (automated transfer system) plugin, which helped bring SpyEye up to feature parity with ZeuS. Both men were prosecuted as conspirators in the same cybercrime case.
Bendelladj, a citizen of Algeria, was arrested in early February 2013 by authorities in Thailand working in conjunction with the FBI. He was nabbed at the airport in Bangkok as he traveled from his home in Malaysia to vacation in Egypt. Panin was arrested on July 1, 2013, as he flew through Atlanta’s Hartsfield-Jackson airport on his way back to Russia from a vacation in the Dominican Republic. The third individual in the main SpyEye triad, James Bayliss (“Jam3s” or “Jam3s2k”), a British citizen, was arrested in May 2014 and is being prosecuted by UK authorities.
“Weird” Sentencing Hearing
Both Panin and Bendelladj pleaded guilty in US federal court. Panin entered into a plea deal which, although it drastically limited his options to appeal, also capped the losses for which he would be held responsible and which determine his sentence. Bendelladj, however, pleaded guilty without the benefit of a plea deal, and could still appeal his sentence.
Initially, the sentencing hearing was delayed because of a change in venue from New York to Atlanta, Georgia. The discovery of a command-and-control (C2) server in Atlanta, which was operated by Bendelladj, and the discovery of several victims in Georgia gave the Northern District of Georgia jurisdiction in the case.
Sentencing hearings in this court are often scheduled in 30-minute blocks, even for large, complex federal criminal cases. They rarely take more than a day, even without a plea deal that would take much of the guesswork out of sentencing. Because Bendelladj’s strategy for a reduced sentence hinged on the actual number of unique stolen “access devices” (a physical thing or piece of data, like a credit card, that can be used to access an account), and the differences between each side’s totals were hotly contested, the sentencing hearing became a sort of trial all its own.
The sentencing hearing alone lasted five full days over March and April 2016. Witnesses were called on both sides. Extensive testimony was given. There were several lengthy rounds of direct examination, cross-examination, and redirect. Dozens of exhibits ranging from brief affidavits to detailed forensics reports were entered into the record, often with objections that had to be argued. What made it seem odd to anyone familiar with court proceedings was that issues normally thought of as trial issues were being argued under the very different evidentiary and other rules of a sentencing hearing.
Key Evidentiary Factors in Sentencing
The sentencing guidelines used in US courts for economic crimes apply to these types of cybercrime cases. In this case, the guidelines suggest sentences based on two main types of harm caused:
- Harm caused to victims of SpyEye infections, including damage to computer systems and remediation costs
- Harm caused to financial institutions and their customers through the theft, use, and resale of account “access devices” such as credit card “fullz” containing personal and financial information obtained through the use of SpyEye and related hacking activity
Both stem from gaining unauthorized access to computer systems, which is itself a federal felony.
Harm Caused by Infection
In the first instance, the following were debated:
- The total number of infections vs. the number of “encounters” in a given timeframe
- The effectiveness of anti-virus software in both detection/prevention and removal roles
- The impact of the availability of free or bundled anti-virus software on average remediation costs
- How many infections could be attributed to each of the separate co-defendants vs. other SpyEye customers
The harm here is calculated as the total number of infections for which each co-defendant was found responsible multiplied by an average remediation cost. The prosecution produced a range of costs. The defense argued that anti-virus software was freely available and already bundled with, and automatically updated on, virtually all PCs. The defense further argued that this free anti-virus software, as long as it was “allowed to run”, would prevent SpyEye infections, and that if any existing infections were found, it would be 100% effective in restoring the system to its pre-infection state at zero cost to the user. In the end, the judge accepted the lowest figure in the range quoted by the prosecution.
Harm Attributed to Stolen Data
In the second instance, the following issues were argued:
- How many “access devices” were discovered in each co-defendant’s possession
- The average financial harm attributed to a stolen access device
- What constitutes an access device
- Factors that might influence the financial harm attributed to the theft of an access device
The court guidelines are clear that $500 (USD) is to be considered the average financial harm attributed to each stolen access device. The bulk of the testimony involved how many incomplete or duplicate records existed in the evidence recovered from the various computers and external hard drives that were in Bendelladj’s possession when he was arrested. This was the subject of multiple rounds of lengthy witness examination and the biggest contributor to the “highly unusual” five-day length of the hearing. At one point, an expert witness for Bendelladj’s defense team spent quite some time setting up a Raspberry Pi and projecting the connected LCD panel’s output onto a screen just to run the “grep” and “comm” Linux commands a single time each. To be fair, the numbers produced would form the facts that directly correlated with how many months Bendelladj would be sentenced to spend in a federal prison.
On the other points: some records contained personal customer information but no credit card number, some lacked CVV2 codes, and others carried card expiration dates that had already passed. Payment card data lacking these details may not seem very useful, and indeed such records sell for far less in underground markets, but “carders” can use the information to get cards reissued, use criminal-to-criminal (C2C) services to fill in the missing details, and find other ways to monetize incomplete records. While hundreds of thousands of records that appeared to be bank accounts of French citizens were thrown out, the court adhered to the $500 guideline and split the discrepancy between the two opposing parties’ totals equitably.
Other Key Factors in Sentencing
Other factors that played a key role in determining sentences in this case were the degree to which each of the co-defendants cooperated with authorities and the concept of deterrence.
Panin, by all accounts, cooperated fully with authorities from the moment he was arrested, and he appears to continue to do so. For the most part, Panin and his counsel sat passively throughout the hearing, his fate practically predetermined by his plea deal. Panin’s attorney did give a closing statement, but it was Panin’s own statement at the end that was more compelling. From the pale-skinned, eyeglasses-wearing programmer in a baggy orange jumpsuit and ankle shackles came a deep, measured voice in a heavy Russian accent. With eyes closed, it would be difficult to tell Panin’s voice from that of the villain Bane in the Dark Knight trilogy of Batman movies. The statement Panin gave, however, was one of unqualified remorse, making no excuses, accepting full responsibility, and professing trust in the fairness of whatever sentence the judge pronounced. Although it must have been rehearsed, it seemed practiced rather than coached, and it seemed absolutely genuine.
Bendelladj, in contrast, had initially given the authorities passwords to decrypt his hard drives, but even that negotiation was described as “dicey”. Bendelladj was described as extremely uncooperative. He did not accept any plea deal, and he is expected to appeal his sentence rather than cooperate with authorities in efforts to reduce his time served. Some of the posts from the old “dark0de” cybercrime forum describing him as arrogant, reckless, and a braggart (those are the nicest terms) were entered into evidence, helping to paint an unflattering picture of his personality. His closing statement did nothing to counter that. His apology and his assurances that he would never engage in such behavior again seemed perfunctory and hollow. In the end, it bolstered the prosecutor’s closing argument that once he is free again, Bendelladj would go right back to cybercrime, this time with the benefit of knowing how to remain untouchable.
The posts from the dark0de forum entered into evidence regarding both co-defendants spoke the loudest on the issue of deterrence. There was a time when SpyEye was outselling ZeuS, the king of all malware kits. In their time, both Panin and Bendelladj were praised for their talents and how they applied them, lauded for their successes, and viewed as heroes and role models among the members of one of the largest communities of the most dangerous cybercriminals on the planet.
The fact that many commented on the arrest of “bx1” (Bendelladj) showed that the cybercriminals were paying close attention to his fate.
Panin was seen as a prodigy. No evidence was presented that he actually stole anything, and many malware authors feel shielded from prosecution for what amounts to the manufacture of cyberweapons as long as selling the tool, rather than using it, is their sole source of income.
In both instances, stiff sentences had extraordinary potential as deterrents. Of course, how effective such deterrents are, especially in cybercrime cases where perpetrators may enjoy a greater sense of impunity and isolation from their victims, is a perennial debate. What is clear is that the lack of a significant sentence would have sent an unequivocal message to those who might seek to fill the void left by the takedown of the SpyEye triad.
Panin was sentenced first, after Bendelladj was removed from the courtroom. He was sentenced to 114 months (nine and a half years) followed by three years of supervised release. After his release, he will likely be deported back to Russia, in which case the stipulations of supervised release won’t matter.
After a 30-minute break for another hearing, Bendelladj was returned to the courtroom and sentenced to 180 months (fifteen years). He also received three years of supervised release, but will likely be deported back to Algeria or Malaysia instead.
The consensus among the parties involved in the case is that the sentences were fair and sent the right message.
The US Department of Justice issued a public statement regarding the case and sentencing in which it thanks Damballa for its assistance. That statement can be found here:
In efforts to protect others from this threat since its initial release, Damballa’s Threat Research team has collected and analyzed vast amounts of data about the use of SpyEye in malware campaigns and reverse engineered new versions as the author released them. We applied those findings tactically in protecting Damballa’s customers, and also strategically in efforts aimed at eventual extermination of the threat.
Using this intelligence, Damballa’s Threat Research team was able to help pinpoint the author of SpyEye and track the activities of top SpyEye operators throughout the cybercriminal underground, including the infamous “dark0de” malware and hacking forum taken down by law enforcement in July 2015.
Too often, threat disruption is less than permanent. Damballa’s commitment extended well beyond the arrests of the SpyEye co-conspirators, and members of the Threat Research team continued to consult with law enforcement on technical arguments throughout the prosecution and eventual sentencing.