- Ruslan Bondars, a 37-year-old Latvian citizen, ran a malware scanning service from 2009 to 2017.
- The hacker remained an active member of the Eva Pharmacy hacker community since 2006, one of the largest and oldest pharmaceutical spam gangs at the time.
Ruslan Bondars, a 37-year-old Latvian citizen was sentenced to 14 years in prison for creating and managing a malware scanning service named "Scan4You" from 2009 to 2017. The service allowed malware authors to improve their malware code by checking the detection rate of any malicious code.
Malware authors and security researchers classified Scan4You as a ‘counter-antivirus’ or a ‘no-distribute-scanner’, ZDNet reported. Scan4You works by aggregating search results from multiple antivirus scan engines and compiles the overall report back to the requester.
Cybercriminals used Scan4You to identify if any antivirus programs that could detect their malicious tools. These tools could also be adapted into malware kits and sold to cybercriminals. The malware scanning service also allowed cybercriminals to make improvements to their malicious code, before being deployed in campaigns in the wild.
Scan4You used by Target hackers
According to a report by the Los Angeles Times, the malware used in the 2013 Target data breach was also processed by Scan4You. It is believed that the cybercriminal behind the Target hack, which resulted in over 40 million Target users’ credit card data being stolen, was a Scan4You user. The upgraded malware was used on Target’s own security system, which potentially ignored it.
Earlier this year, Trend Micro published a reportwhich explained how Bondars set up the Scan4You model and remained an active member of the Eva Pharmacy hacker community since 2006. Eva Pharmacy is believed to be one of the largest and oldest pharmaceutical spam gangs of that time.
“Scan4You is a counter antivirus (CAV) service that lets cybercriminals check the detection of their latest malware against most modern antivirus (AV) engines. This service helps cybercriminals make their malware campaigns more effective because they can tweak and test their malware to reduce detection rates,” Trend Micro researchers said. “Since CAV services like Scan4You make it easier for a budding actor to climb the cybercriminal career ladder, stopping such a large CAV service is an important preventive measure to make it more difficult for young actors to venture into cybercrime. Stopping these services also helps increase the costs of malware campaigns of more experienced actors who appear to be using CAV services.”
Bondars was arrested in May 2017 along with one of his co-conspirators Jurijs Martisevs. The two were arrested in Riga, Latvia, and extradited to the US to face charges for running Scan4You. Further investigations revealed that Bondars was responsible for managing technology infrastructure, while Martisevs handled customer support through email, Skype, ICQ, and Jabber. Bondars was charged after a quick 5-day trial in May 2018 and was declared guilty by US court.
Bondars reportedly argued that his service had legal uses as well and that he could not be held responsible for when the service was used to conduct illegal activities.
“Our position protects all online businesses; all online businesses have legitimate and illegitimate users,” defense attorney Jessica Carmichael said in court, the LA Times reported.
However, assistant US attorney Kellen Dwyer wrote in his sentencing argument, “The defendant apparently thinks he is unique in being charged for creating and selling a computer product that had theoretical lawful uses. He is not. Malware often has theoretical lawful uses.”
In late 2015, a joint investigation between the UK National Crime Agency (NCA)'s National Cyber Crime Unit (NCCU) and cybersecurity firm Trend Micro led to the arrest of a man running a similar service called reFUD.me, who was later sentenced by British authorities.