No one personifies Russia's place at the top of the cyber underworld more than Gribo-demon, a Russian programmer, around 30 years old, U.S. investigators estimate. He is one of the few cybercriminals who is the focus of his own FBI special operation. Gribo-demon is the author of SpyEye, a sophisticated malware package first released in late 2009 and upgraded several times since then.

Once downloaded on a machine, the malware can be used by hackers to take remote command of key functions. Using SpyEye, a cyberthief can hijack an online banking session in real time, transfer funds to accounts they or their mules control, and adjust the balance displayed so nothing seems amiss.

Seems Legit

The transaction looks legitimate because, in computer terms, it is. All the bank can tell is that it was made from their customer's computer, using their correct password. A basic version of SpyEye costs around $2,000, according to the hacker sites.

"SpyEye provides military-grade intrusion capabilities for the price of a TV," said Gunter Ollmann, vice president of research at Damballa Inc., the Atlanta-based security firm that tracks major cyberthreats.

Gribo-demon's real innovation stems from what he didn't do: keep SpyEye to himself. Hackers used to write their own code. Good tools were trade secrets. Gribo-demon instead licenses SpyEye, mimicking Microsoft and Oracle, a business model that arguably opened cybercrime to the masses.

The model was pioneered by a competitor and fellow Russian who created popular malware called ZeuS, according to security experts. ZeuS first appeared in 2008. Both programmers provided clients with customer service, offering an array of enticing modules to add functionality for an additional price.

Beta Testing

The ZeuS author, known as Slavik, even beta-tested new versions with elite users, according to Don Jackson, a SecureWorks researcher. Slavik disappeared in late 2010, but not before he handed the ZeuS source code to Gribo, who incorporated some of its features into his own product, Jackson said.

Security experts say it's hard to overestimate the impact of Slavik's and Gribo-demon's handiwork. In September, the Tokyo-based cybersecurity firm Trend Micro publicized a dossier on a 20-something Russian cyberthief who goes by the name Soldier, tracing his activities in the underground forums over several months. Using SpyEye, Soldier stole $3.2 million from U.S. customers of three banks in just six months -- about $17,000 a day -- Trend Micro said.
