Ruslan Bondars, a 37-year-old man from Latvia, was sentenced to a whopping 14 years in prison for facilitating cybercrime by creating and running Scan4You, a service that let malware authors check the detection rates of their malicious code.
In the infosec industry, Scan4You is what security researchers and malware authors refer to as a “counter-anti-virus” or a “no-distribute-scanner.”
Scan4You works much like Google's legitimate VirusTotal web service, in that it aggregates scan engines from multiple antivirus vendors and lets a user check a file against all of them at once. The key difference is that Scan4You does not let the antivirus engines report results or samples back to their vendors, so detections stay private to the person submitting the file.
Malware authors have been using services like Scan4You for years as a way to test malware before they launch it into real-world campaigns, fine-tuning their code to avoid detections.
Trend Micro, which had been tracking the service, says that when running Scan4You, Bondars made the same mistake that many other operators of no-distribute scanners have made when configuring them.
Starting around 2012, while Bondars blocked the antivirus engines from reporting file-scan results back to their vendors, he and many other operators failed to block the URL reputation lookups made by the Trend Micro engine.
Trend Micro says that for almost five years it received URL reputation queries originating from Scan4You and similar services, data that helped the company spot malware distribution campaigns before they even got off the ground.
As more data piled up, Trend Micro says it shared some of these findings with the FBI and other law enforcement agencies. Even before Bondars’ arrest, UK authorities arrested and sentenced to prison a man running a similar service called reFUD.me.
Bondars, too, was eventually arrested in May 2017, together with his co-conspirator, Jurijs Martisevs. The two were arrested in Riga, Latvia, and extradited to the US to face charges for running Scan4You.
According to court documents, Scan4You was hosted on Amazon Web Services servers, and malware authors had to pay to get full access to the scanner’s features. Martisevs used a PayPal account in his name to process payments, which made it easier for authorities to track down the two.
US authorities say Bondars was in charge of the scanner’s technical infrastructure, while Martisevs provided customer support via ICQ, Skype, Jabber, or email.
The extensive evidence authorities gathered about Bondars led to a speedy five-day trial in May 2018, after which a jury found him guilty.
But while US authorities sentenced Bondars for his years operating Scan4You, Trend Micro says he was also behind many other criminal activities.
The company says that Bondars had been an active member of the cyber-crime community since 2006 when he started as a member of Eva Pharmacy, one of the largest and oldest pharmaceutical spam gangs at the time.
Besides distributing spam messages peddling illegal prescription drugs, Trend Micro says Bondars also helped distribute the SpyEye and ZeuS banking trojans before finally finding his niche running Scan4You.