One of the men behind the Scan4You, a counter-antivirus tool used by cybercriminals to determine whether their malware would be flagged during routine security scans, has been convicted on three counts in federal court.
37-year-old Ruslans Bondars, who a Department of Justice press release describes as a Latvian “non-citizen” or “citizen of the former USSR who had been residing in Riga, Latvia,” was found guilty on Wednesday on violations of the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and another charge related to computer intrusion. Per the DOJ release:
According to testimony at trial and court documents, from at least 2009 until 2016, Bondars operated Scan4you, which for a fee provided computer hackers with information they used to determine whether their malware would be detected by antivirus software, including and especially by antivirus software used to protect major U.S. retailers, financial institutions and government agencies from computer intrusions.
For example, one Scan4you customer used the service to test malware that was subsequently used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States, causing one retailer approximately $292 million in expenses resulting from the intrusion.
Counter-antivirus services can help streamline the process of incrementally updating malware to evade security scans by aggregating large amounts of data. With that assistance, hackers can design malware more effectively or more easily update it on the fly, increasing their profits. In other words, services like Scan4You enable cybercrime on a platform level.
Sometimes Scan4You’s tools were even built directly into malicious software. According to the DOJ, in one instance that allegedly resulted in $500 million in damages, the developer of a bank account-hijacking malware called “Citadel” integrated parts of the Scan4You API “directly into the Citadel toolkit.” The special API service offered the “flexibility to scan malware without the need to directly submit the malware to Scan4you’s website,” the DOJ added.
Japanese cybersecurity firm Trend Micro said it helped collaborate with the FBI over the course of three years to bring Scan4You down. In a report shared with Gizmodo, Trend Micro explained that while it’s possible to test malware against security tools locally, the only way to know beforehand whether a destination URL controlled by hackers has been flagged as suspicious is by checking it against antivirus services’ online databases. Trend Micro wrote it first became aware of Scan4You in 2012 when it noticed Latvian corporate servers kept pinging them to test URLs related to a private exploit kit called g01pack, quickly realized what was going on, and kept collecting data that they later shared with the FBI in 2014.
In a blog post, Trend Micro described how that method allowed them to monitor Scan4You for years, accumulating reams of evidence:
Scan4You’s website claims that they don’t share information on the scans with internet security companies like Trend Micro. Evidently, this wasn’t entirely true. While Scan4You made sure feedback loops to Trend Micro’s servers about file scans were turned off, Scan4You also performed reputation checks of URLs, IP addresses, and domains. The way Scan4You set this up meant that all reputation scans against Trend Micro’s web reputation service were visible to us for years.
Since other counter-antivirus services like VirusCheckMate and AVDetect were similarly exposed, Trend Micro added, they were able to compare the service’s market shares. Scan4You appeared to be constantly in the lead.
Another participant in Scan4You, 35-year-old Moscow resident Jurijs Martisevs, pled guilty in March after he was arrested in Latvia and extradited over objections from the Russian government, the Daily Beast reported. In a statement of facts, he said that Scan4You had thousands of customers and scanned millions of files for them.
“A service like Scan4You gives a leg up for these criminals,” Trend Micro’s chief cybersecurity officer Ed Cabrera told Wired. “It was a critical tool for these campaigns to be successful globally, and you see the impact when you take down one of these key individuals or groups. There’s a ripple effect... This is selling the ability to make other criminal campaigns much more successful.”
According to the Trend Micro blog post, since Scan4You was busted, cybercriminals appear to have re-evaluated whether it was wise to use other public counter-antivirus services. While monitoring VirusCheckMate, the only other known one that remained in operation, they determined there was “no significant growth” in the number of web reputation scans it performed against their servers after May 2017.
Bondars’ sentencing date is set for September 21st, 2018, according to the DOJ.