A second man has been convicted for his part in running Scan4you, the notoriously nasty anti-anti-virus scanning service that let malware authors check their creations against anti-virus products while keeping the samples out of the hands of anti-virus makers.
The US Department of Justice (DOJ) announced on Wednesday that a federal jury convicted Ruslan Bondars, 37, after a five-day trial. The charges: one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage.
His partner in crime, Jurijs Martisevs, was arrested on a trip to Latvia in April 2017, as was Bondars. The two ran the service along with a third, unnamed, alleged co-conspirator in Virginia.
Martisevs copped a plea in March.
The DOJ said that at its height, Scan4you was the largest service of its kind, with “at least” thousands of users. The service helped malware writers to come up with “some of the most prolific malware known to the FBI,” it said.
Scan4you kept things on the down-low. Legitimate online scanning services share the files they receive, and the detections they trigger, with the anti-virus community; the anti-anti-virus service did the opposite. Users could upload files anonymously, and the service promised never to pass the uploaded files, or the scan results, to anti-virus makers.
The service had quite the palate: malware submitted to it included, among other types, crypters meant to hide malware from anti-virus programs, remote-access Trojans (RATs), keyloggers, and malware tool kits to create customized malicious files.
Beyond running the service for themselves, the operators franchised it, marketing it under different names and in different languages. Martisevs was the customer support contact for customers who wanted to franchise or resell the service. He sent them along to Bondars, who provided technical support.
Bondars also provided application programming interfaces (APIs) so that the service could be integrated directly into the malware kits the conspirators designed and sold. One such was the notorious Citadel toolkit, with which crooks initiated wire transfers out of victims’ bank accounts.
According to court documents, Martisevs and Bondars set up the anti-anti-virus service at least as early as 2009 and ran it until May 2017. Malware developers would submit samples, see which of the anti-virus programs used by their intended victims (companies and institutions) flagged them, and then rinse and repeat: tweak the malware, resubmit it, and check whether the new version slipped past the anti-virus signatures that caught the last one.
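To make that loop concrete, here is a toy simulation of it. This is an added example, not code from the article, the court filings or Scan4you itself: the three "engines", their byte-pattern signatures, the keylogger-like sample and the three tweaks are all constructed for illustration, and real crypters and real scanners are far more involved. It also shows the defender's side of the same coin: the final "clean" sample is only clean against static pattern matching, which is exactly why vendors want to receive the sample rather than be kept in the dark.

```python
"""
Toy simulation of the submit / check / tweak / resubmit loop that a no-distribute
scanner supports. Added example; every engine, signature, payload string and
transformation below is constructed for illustration only.
"""
from typing import Callable

# Constructed static signatures for three fictional engines (raw substring matches).
SIGNATURES: dict[str, list[bytes]] = {
    "engineA": [b"GetAsyncKeyState", b"keylog.txt"],
    "engineB": [b"http://"],
    "engineC": [b"keylog.txt"],
}

# Constructed stand-in for a keylogger: an imported API name, a log file name, a C2 URL.
ORIGINAL_SAMPLE = b"MZ...GetAsyncKeyState...keylog.txt...http://c2.example/upload..."

XOR_KEY = 0x5A  # constant key used by the toy "crypter" below


def scan(sample: bytes) -> dict[str, list[bytes]]:
    """Return {engine: [patterns that matched]}. Empty dict == 'clean' in this model.
    A no-distribute scanner hands this verdict to the submitter and nothing to vendors."""
    hits: dict[str, list[bytes]] = {}
    for engine, patterns in SIGNATURES.items():
        matched = [p for p in patterns if p in sample]
        if matched:
            hits[engine] = matched
    return hits


def rename_log_file(sample: bytes) -> bytes:
    """Tweak 1: change a hard-coded string that two signatures key on."""
    return sample.replace(b"keylog.txt", b"kl.dat")


def obfuscate_url(sample: bytes) -> bytes:
    """Tweak 2: store the URL reversed so the literal 'http://' no longer appears."""
    url = b"http://c2.example/upload"
    return sample.replace(url, url[::-1])


def xor_wrap(sample: bytes) -> bytes:
    """Tweak 3: what a crypter does, hide the whole body behind a decoder stub."""
    return b"STUB:" + bytes(b ^ XOR_KEY for b in sample)


TWEAKS: list[Callable[[bytes], bytes]] = [rename_log_file, obfuscate_url, xor_wrap]


def evade_loop(sample: bytes, tweaks: list[Callable[[bytes], bytes]]):
    """Submit, read the verdict, apply the next tweak, resubmit; stop at the first
    clean verdict. Returns (final sample, number of submissions, list of verdicts)."""
    current = sample
    verdict = scan(current)
    history = [verdict]
    for tweak in tweaks:
        if not verdict:          # already clean, no need to tweak further
            break
        current = tweak(current)
        verdict = scan(current)
        history.append(verdict)
    return current, len(history), history


def unpack_and_scan(sample: bytes) -> dict[str, list[bytes]]:
    """Defender's view: strip the (known) stub, undo the XOR, scan the real body.
    Static evasion only works until someone looks past the wrapper."""
    if sample.startswith(b"STUB:"):
        sample = bytes(b ^ XOR_KEY for b in sample[len(b"STUB:"):])
    return scan(sample)


if __name__ == "__main__":
    final, submissions, history = evade_loop(ORIGINAL_SAMPLE, TWEAKS)
    for i, verdict in enumerate(history, 1):
        print(f"submission {i}: {verdict or 'clean'}")
    print("static scan of final sample:", scan(final) or "clean")
    print("after unpacking:", unpack_and_scan(final))
```

Run as a script it walks through four submissions: the original trips all three engines, renaming the log file drops engineC, reversing the URL drops engineB, and only the XOR wrapper finally clears engineA's API-name signature. The last line shows why the anonymity promise mattered to the criminals: a vendor that receives the sample can peel off the stub and is straight back to a detection.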
According to Martisevs’ plea deal, the service enabled the creation of malware that was used in hundreds of thousands of attacks.
The victims weren’t named, but one major breach mentioned in court documents took place in 2013 and targeted the payment processing systems of a “major retail store located in the United States.” That sounds an awful lot like the huge Target breach of 2013.
From the DOJ’s release:
For example, one Scan4you customer used the service to test malware that was subsequently used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States, causing one retailer approximately $292 million in expenses resulting from the intrusion.
Though actual sentences for federal crimes are typically less than the maximum, Bondars is looking at a maximum penalty of 35 years in prison. Sentencing is scheduled for 21 September.