Cyber Crime
Counter Antivirus Service Scan4You Operators Convicted
The Trend Micro Forward-Looking Threat Research (FTR) team started to look into Scan4You's operations in 2012, and have been in close contact with FBI investigators assigned to the case since 2014.
In May 2017, one of the biggest facilitators of cybercrime, Scan4You, went offline after the two main suspects, Ruslans Bondars and Jurijs Martisevs, were arrested in Latvia and extradited to the U.S. by the Federal Bureau of Investigation (FBI). In May 2018, the case against the Scan4You’s operators concluded in a Virginia federal courtroom.
The Trend Micro Forward-Looking Threat Research (FTR) team started to look into Scan4You's operations in 2012, and have been in close contact with FBI investigators assigned to the case since 2014. Our research on Scan4You spanned more than five years, passing some of our findings to the FBI until the service went offline.
What is Scan4You?
Scan4You is a counter antivirus (CAV) service that lets cybercriminals check the detection of their latest malware against most modern antivirus (AV) engines. This service helps cybercriminals make their malware campaigns more effective because they can tweak and test their malware to reduce detection rates.
Since CAV services like Scan4You make it easier for a budding actor to climb the cybercriminal career ladder, stopping such a large CAV service is an important preventive measure to make it more difficult for young actors to venture into cybercrime. Stopping these services also helps increase the costs of malware campaigns of more experienced actors who appear to be using CAV services. Finally, putting a stop to these types of services also sends a strong message to the underground that facilitating cybercrime can lead to arrests and prosecution.
Scan4You’s operators were also involved in other cybercriminal activities
Using a CAV service means that a malicious actor trusts it. It is therefore not a surprise that Scan4You’s owners had an established reputation as cybercriminals themselves. Scan4You’s operators have been around since at least 2006 and were affiliated with some of the longest-running cybercriminal businesses.
They did not just run a CAV service. They were also involved in one of the largest and oldest pharmaceutical spam gangs known as Eva Pharmacy. The group is infamous for the illegal sales of prescription drugs that they carefully marketed through spam and search engine optimization. They were also involved in the spread of banking malware like SpyEye and ZeuS. Scan4You used the corporate network of a Latvian Internet Service Provider (ISP) for many years and Ruslans Bondars worked for a Latvian software development company related to a variety of websites, including one that got fined for misleading advertisements and fraud in 2010.
Delving into Scan4You’s activities
Scan4You’s website claims that they don't share information on the scans with internet security companies like Trend Micro. Evidently, this wasn't entirely true. While Scan4You made sure feedback loops to Trend Micro’s servers about file scans were turned off, Scan4You also performed reputation checks of URLs, IP addresses, and domains. The way Scan4You set this up meant that all reputation scans against Trend Micro’s web reputation service were visible to us for years. Since 2012, we have collected a wealth of information on Scan4You’s operations, and in particular, information on the many reputation scans that they performed each day. A malware author would usually check the reputation of his landing pages or command and control (C&C) servers on Scan4You just before he starts a new campaign. We were able to observe these checks, and in many cases, we could preemptively block the new malicious domains before they could use them.
Other large CAV services like VirusCheckMate and AVDetect also turned off feedback loops on file scans, but we received their reputation scans of IP addresses, URLs, and domain names. This made it possible for us to estimate their market shares. Throughout the years, Scan4You was always the biggest known CAV service.
Figure 1. Comparison of URL scans by Scan4You (S4Y), VirusCheckMate (VCM), and AVDetect (AVD) in 2015; there is no vertical scale as we only have sampled data (Source: Trend Micro™ Smart Protection Network™).
Proactive collaboration with law enforcement
This is the second time Trend Micro has helped stop a CAV service. Trend Micro also assisted with the investigation against Refud.me, a medium-sized CAV service that used Scan4You’s application programming interface (API). Refud.me’s owner was arrested in 2015, and the court case was concluded in 2018.
Scan4You was the largest known CAV service. When it went offline, we expected to see a lot of its users to move to the only major CAV that was still online: VirusCheckMate. However, our data shows that there was no significant growth in the number of web reputation scans done at VirusCheckMate after May 2017. It appears most of Scan4You’s users stopped using a public CAV service.
The arrests of Scan4You operators Ruslans Bondars and Jurijs Martisevs send an important message to the cybercriminal underground. Not only is deploying or authoring malware that victimizes innocent targets a crime. In at least some jurisdictions, it's also a crime to help others carry out these offenses. Thanks to the years of work done by Trend Micro and the FBI that led to their arrests, we take one more step forward in securing today’s connected world.
Read more about our research about the largest CAV service in the underground, its operators, and the ties that bind Scan4You to other cybercriminals: The Rise and Fall of Scan4You.