Most antivirus scanners play a classic cat and mouse game: They work by checking software against a frequently updated list of potential threats. In response, a whole industry has built up to help occlude and conceal hacking tools. That includes services that automate the process of checking all sorts of tools, from malware to malicious URLs, against dozens of defense scanners to see if they would get blocked. The feedback helps bad actors know what to tweak further, and what's ready to use.

These malware checkers, known as "counter antivirus services" or "no distribute scanners," have become an increasing focus for both security researchers and law enforcement. And on Wednesday, a case against the operators of one of the most popular of these clearinghouses, Scan4You, concluded. After the security firm Trend Micro brought extensive data on the service to the FBI, and law enforcement investigated, one of the Scan4You creators pleaded guilty and the other was found guilty by a Virginia court today.

Cat and Mouse

In summer 2012, Trend Micro researchers noticed some unusual activity cropping up on their threat-tracking scanner. The researchers had been investigating a malware distribution tool called "g01pack." They realized that a group of Latvian IP addresses kept checking g01pack-related URLs against Trend Micro’s web reputation system—a tool that tracks web activity and can block malicious websites for customers. Digging deeper, the researchers discovered that the Latvian IP addresses were actually initiating these checks for all sorts of URLs. The researchers were looking at a goldmine of information about the inner workings of a notorious malware checker.

"A service like Scan4You gives a leg up for these criminals," says Ed Cabrera, chief cybersecurity officer at Trend Micro. "It was a critical tool for these campaigns to be successful globally, and you see the impact when you take down one of these key individuals or groups. There's a ripple effect."

After keeping an eye on Scan4You activity for a couple of years and gathering information about the service's clientele, Trend Micro brought the information to the FBI in spring 2014. The company regularly partners with law enforcement agencies as they conduct cybercrime investigations. In May 2017, Scan4You went down after the FBI arrested and extradited two men in Latvia suspected of running the malware scanning service. Thirty-six-year-old Jurijs Martisevs, a Russian national, was on a trip to Latvia when he was apprehended. In March, he pleaded guilty in a Virginia court to charges of conspiracy and aiding and abetting computer intrusion. The other suspect, Ruslans Bondars, was found guilty on Wednesday of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage. Bondars was found not guilty of one count of conspiracy.

When scanning malware itself, bad actors can do most of the antivirus checks locally—reducing the chance that they might inadvertently expose too much about themselves and their tools to defenders. But the researchers note that the only way for attackers to check the credibility of their malicious URLs is to enter them into online tools like those Trend Micro offers. Scan4You allowed users to check their hacking tools against as many as 40 antivirus products at once, a risk that ultimately revealed too much about the operation.

'You see the impact when you take down one of these key individuals or groups. There's a ripple effect.' Ed Cabrera, Trend Micro

The Trend Micro researchers watched Scan4You, which first started operations in 2009, explode in popularity in recent years. Counter antivirus services are complicated to build and maintain, and most criminals don't have the resources to develop the testing platforms themselves. But with Scan4You, they could check their malware for 15 cents per scan, or $30 for 100,000 scans. It was a bargain, especially as Scan4You proved itself as a reliable service.

Martisevs attested in a statement of facts that, "Throughout its lifetime, the service has had thousands of users and has received and scanned millions of malicious files.” Scan4You processed all sorts of malicious tools including keyloggers, malware kits, remote access trojans, and, digital cloaks (sometimes called crypters) that are specially designed to conceal malicious code. Martisevs says that Bondars, a Latvian resident, was the technical developer and ran the infrastructure for the service, while Martisevs offered tech support to customers on communication platforms like ICQ, Jabber, Skype, and over email. Martisevs also ran Scan4You's marketing initiatives on dark web forums and criminal message boards.

Anchors Away

Though Scan4You was doing a lot of business, the service's low prices likely meant it didn't turn much of a profit. Based on its observations of the operators, though, Trend Micro researchers suggest that the venture was probably more of an anchor point for other projects. The creators likely built Scan4You in the first place, the researchers say, to use in other online criminal ventures. Trend Micro's analysis turned up connections between Martisevs and the infamous scam group Eva Pharmacy in addition to his Scan4You involvement. And the platform also sold other products. If a scan returned a lot of red flags, for example, Scan4You would advertise its own crypter for users to buy in the hopes of improving their malware's imperceptibility.

'This is selling the ability to make other criminal campaigns much more successful.' Ed Cabrera

After Martisevs and Bondars were arrested and Scan4You traffic dropped to zero, Trend Micro researchers expected the displaced customers rush to the few reliable alternatives, especially a counter-antivirus service called VirusCheckMate. So far, though, they haven't seen such an uptick. It's unclear whether Scan4You's clients have started trying to do more of the vetting themselves, or are simply winging it on camouflaging their malware. A few major malware scanning takedowns, like that of the popular service Refud.me in 2015, seem to have driven many of the operations underground.

"The special thing about this investigation is the scale and scope of crime as a service," Cabrera says. "But this it not your traditional opportunity where they’re actually committing crimes for you, like doing a data breach or parsing and selling the data. This is selling the ability to make other criminal campaigns much more successful. It speaks to the level of capability of the criminal underground."

Though attackers will inevitably find ways to work around the loss of Scan4You, eliminating the platform is an efficient way to cause problems for a whole lot of criminals around the world, and maybe even lose them some money.

More Great WIRED Stories