Arrested SpyEye author Aleksandr Panin was probably responsible for the Tilon bank Trojan, developed as a “side project” using the same source code as his more famous creation, an analysis by Dutch security firm Fox-IT has concluded.
According to its researchers, the now largely defunct Tilon began life in October 2011, probably as a low-key way of making some money from the bank Trojan market without the need to offer the service and support on offer with purchases of the more famous SpyEye.
In August 20012, the malware was eventually noticed by security firm Trusteer, which decided it was based on the Silon bank Trojan from 2009, but Fox-IT believes that Tilon borrowed only the former’s loader; its core was re-used from SpyEye, making it in effect “SpyEye 2.”
Analysts missed the connection between the two pieces of malware because of Tilon’s later revision, but Fox-IT’s analysis points out some tell-tale similarities, principally the re-purposing of its core modules and striking similarities in its management interface.
The fact that code was re-used (rather than reverse-engineered) proved that its developers had access to its source code, Fox-IT said. Ironically, despite being less important Tilon actually improved on SpyEye in terms of overall stability.
Fox-IT views arrests like 'Gribodemon' [aka Aleksandr Panin] and other key figures in the underground economy such as Paunch, the author of the popular Blackhole Exploit Kit, as the key to decreasing the worldwide activity around online crime,” said Fox-IT.
“While other actors can replace their knowledge, these actors are an important lynchpin interconnecting underground trust relations. Breaking these trust networks splits the criminal underground into isolated islands.”
Tilon has declined in activity which is most likely connected to the Panin's arrest as he arrived in the Dominican Republic for a holiday last summer. He was quickly extradited to the US and recently pleaded guilty to conspiracy charges related to SpyEye.
His forensic connection to Tilon probably won’t make any difference to the long jail term he has in store but does at least tidy up another loose end; Tilon always seemed like a mysterious 'umbranded' piece of malware that had appeared quite suddenly before disappearing almost as unexpectedly.
Tilon also had alleged customers in the UK, one of whom was arrested by police last March.