Fox-IT has investigated Tilon after the guilty plea of Aleksandr Andreevich Panin

Feb 27, 2014 07:58 GMT

When it was first discovered back in 2012 by researchers from Trusteer, Tilon was said to be “the son” of another piece of malware called Silon. However, experts from Fox-IT say that Tilon should actually be called SpyEye2.

Researchers believe that Tilon was actually created by the development team that the Russian national Aleksandr Andreevich Panin (aka “Gribodemon”) was part of. Back in October 2011, after the release of SpyEye 1.3.48, the team started working on a side project: a private Trojan platform for rent.

Trusteer researchers said that Tilon was based on Silon because of its loader component. However, Fox-IT says that Tilon’s functional components are actually based on SpyEye, which means that the developers had access to the SpyEye source code.

“Looking at the backend of SpyEye2, much has changed. There is a single backend system strongly resembling the original SpyEye RDP backconnect daemon and also containing a lot of code from the SpyEye collector, but using the HTTP protocol,” Fox-IT noted in its report.

“The server side component is called ‘dae’ (short for daemon, a common name for a Unix service, which was also used for the RDP backconnect component of SpyEye), and combines bot control, log data, RDP and socks functionality and webinject configuration management in a single platform.”

Further evidence that Tilon is actually SpyEye2 is the significant decline in its activity following Panin’s arrest.

Now that Panin has pleaded guilty, he will probably spend many years behind bars. It’s worth noting that he has pleaded guilty to conspiracy to commit wire and bank fraud, and admitted being the primary developer and distributor of SpyEye. However, that doesn’t necessarily mean that the rest of his team will give up on developing malware.

The usage of SpyEye2 has declined over the past year and it appears that the SpyEye era has come to a real end, as researchers from Fox-IT put it. However, the development team is likely to continue its activities, in one form or another.

“Fox-IT views arrests like Gribodemon and other key figures in the underground economy such as Paunch, the author of the popular Blackhole Exploit Kit, as the key to decreasing the worldwide activity around online crime,” the report reads.

“While other actors can replace their knowledge, these actors are an important lynchpin interconnecting underground trust relations. Breaking these trust networks splits the criminal underground into isolated islands.”