Inside the takedown of a notorious malware clearinghouse

Wired, 16 May 2018: Most antivirus scanners play a classic cat and mouse game: They work by checking software against a frequently updated list of potential threats. In response, a whole industry has built up to help occlude and conceal hacking tools. That includes services that automate the process of checking all sorts of tools, from malware to malicious URLs, against dozens of defense scanners to see if they would get blocked. The feedback helps bad actors know what to tweak further, and what’s ready to use. These malware checkers, known as “counter antivirus services” or “no distribute scanners,” have become an increasing focus for both security researchers and law enforcement. And on Wednesday, a case against the operators of one of the most popular of these clearinghouses, Scan4You, concluded. After the security firm Trend Micro brought extensive data on the service to the FBI, and law enforcement investigated, one of the Scan4You creators pleaded guilty and the other was found guilty by a Virginia court today. After keeping an eye on Scan4You activity for a couple of years and gathering information about the service’s clientele, Trend Micro brought the information to the FBI in spring 2014.

The company regularly partners with law enforcement agencies as they conduct cybercrime investigations. In May 2017, Scan4You went down after the FBI arrested and extradited two men in Latvia suspected of running the malware scanning service. Thirty-six-year-old Jurijs Martisevs, a Russian national, was on a trip to Latvia when he was apprehended. In March, he pleaded guilty in a Virginia court to charges of conspiracy and aiding and abetting computer intrusion. The other suspect, Ruslans Bondars, was found guilty on Wednesday of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage. Bondars was found not guilty of one count of conspiracy. The Trend Micro researchers watched Scan4You, which first started operations in 2009, explode in popularity in recent years. Counter antivirus services are complicated to build and maintain, and most criminals don’t have the resources to develop the testing platforms themselves. But with Scan4You, they could check their malware for 15 cents per scan, or $30 for 100,000 scans. It was a bargain, especially as Scan4You proved itself to be a reliable service. Martisevs attested in a statement of facts that, “Throughout its lifetime, the service has had thousands of users and has received and scanned millions of malicious files.” Scan4You processed all sorts of malicious tools, including keyloggers, malware kits, remote access trojans, and digital cloaks (sometimes called crypters) that are specially designed to conceal malicious code.

Martisevs says that Bondars, a Latvian resident, was the technical developer and ran the infrastructure for the service, while Martisevs offered tech support to customers on communication platforms like ICQ, Jabber, Skype, and over email. Martisevs also ran Scan4You’s marketing initiatives on dark web forums and criminal message boards. Though Scan4You was doing a lot of business, the service’s low prices likely meant it didn’t turn much of a profit. Based on their observations of the operators, though, Trend Micro researchers suggest that the venture was probably more of an anchor point for other projects. The creators likely built Scan4You in the first place, the researchers say, to use in other online criminal ventures. Trend Micro’s analysis turned up connections between Martisevs and the infamous scam group Eva Pharmacy in addition to his Scan4You involvement. The platform also sold other products: if a scan returned a lot of red flags, for example, Scan4You would advertise its own crypter for users to buy in the hope of improving their malware’s imperceptibility. After Martisevs and Bondars were arrested and Scan4You traffic dropped to zero, Trend Micro researchers expected displaced customers to rush to the few reputable alternatives, especially a counter-antivirus service called VirusCheckMate.

So far, though, they haven’t seen such an uptick. It’s unclear whether Scan4You’s clients have started trying to do more of the vetting themselves, or are simply winging it on camouflaging their malware. A few major malware scanning takedowns, like that of the popular service Refud.me in 2015, seem to have driven many of the operations underground.
