The concept of antivirus (AV) scanning within IT security is simple and effective. These programs, which have become part and parcel of typical infrastructure and data protection strategies, scan enterprise networks for known malware signatures and other processes associated with suspicious hacker activity. If and when these signatures or processes are detected, the antivirus program sounds the alarm, enabling admins to work proactively to prevent intrusion and infection.
Recently, a court case centered on the malicious service Scan4You, a so-called counter antivirus that works in the opposite direction from traditional antivirus. The service, which was available to malicious users from 2009 until its shutdown last year, quickly became a top counter AV platform, until its operators were arrested and charged in a Virginia federal court.
Trend Micro tracked the rise and fall of Scan4You in its new report, shining a light on counter AV and the increasingly sophisticated nature of cybercriminals.
How does counter AV work?
Outside of services like Scan4You and its competitors – which we’ll examine more closely a bit later – there are other counter AV approaches and strategies that hackers have long used to cover their tracks. These include file encryption to mask malicious attachments and files, performed either by the hacker themselves or with an encryption tool.
As Trend Micro noted, encryption tools are available and cost-effective; $85 will buy a user a lifetime license.
“With these, security software won’t be able to uncover the malware before the victim receives it,” Trend Micro researchers noted. “For instance, a simple keylogger known as HawkEye utilized this method to target small and medium-sized businesses worldwide.”
Counter AV services like Scan4You, on the other hand, scan malware created by hackers against current antivirus solutions to determine whether it can be detected, and which specific AV products recognize the code as malicious. In this way, attackers gain advance assurance that their malware will achieve a breach or infection before it is pinpointed and blocked.
Unfortunately, counter AV services don’t stop at a simple scan and comparison against top AV security platforms.
“The service then runs a series of encryption routines to render the malware obscure, making virus analysis difficult for researchers, which includes avoiding firewalls and antivirus tools,” Trend Micro explained. “After this process, the malware is deemed to be undetectable and antivirus-resistant. This is also the reason why some malware can bypass the security measures users and enterprises have set.”
The Rise of Scan4You
The ability to render an attacker’s code unidentifiable to current security programs is an attractive feature for cybercriminals, so it is no surprise that services like Scan4You were able to emerge on the underground web.
As Trend Micro noted, these types of services may have started as tools only available to – and for use within – hacking groups, which then decided to open them up for paying customers. However they came to be, Scan4You quickly rose to become one of the most-used and best-known, offering customers 100,000 counter AV scans per month for $30, or single scans for just 15 cents.
Because Scan4You accepted payment through PayPal and cryptocurrency like Bitcoin, and its operators promised that data would not be shared with any AV or cybersecurity company, hackers felt confident that they were getting a good deal.
Career cybercriminals: The operators behind Scan4You
As Trend Micro reported, the individuals behind the operations for the counter AV service were identified as Ruslans Bondars, otherwise known as “B0rland” or “Borland,” and Jurijs Martisevs, or “Garrik.”
Both had been engaged in cybercriminal activity and advancing within career hacker circles since 2006. Their other illegal operations include the sale of non-FDA-approved prescriptions through Eva Pharmacy, the sale of stolen credit card data and the circulation of banking malware like SpyEye and ZeuS to support specific hacking campaigns.
Trend Micro uncovers the truth behind Scan4You’s privacy claim
Despite the promise to customers that details collected from counter AV scans would not be shared with security firms, Trend Micro researchers were able to follow a trail from the service’s reputation checks on URLs, IP addresses and domains. Through this pursuit, Trend Micro researchers were able to see data relating to Scan4You’s reputation scans spanning several years.
“Since 2012, we have collected a wealth of information on Scan4You’s operations, and, in particular, information on the many reputation scans that they performed each day,” the Trend Micro Forward-Looking Threat Research Team explained. “A malware author would usually check the reputation of his landing pages or command and control (C&C) servers on Scan4You just before he starts a new campaign. We were able to observe these checks, and in many cases, we could preemptively block the new malicious domains before they could use them.”
Not the only game in town
In addition to Scan4You, other counter AV services have also been discovered, including VirusCheckMate, Scan4You’s main competitor, and AVDetect. Although these services put protections in place similar to those of Scan4You, Trend Micro was also able to glean information on the reputation scans they carried out.
The fall of Scan4You: Operators brought to justice
Despite their extensive background and expertise in information security and malicious activity, the operators of Scan4You were found and brought to a federal court in Virginia to answer for their illegal actions.
According to Trend Micro’s report, researchers and law enforcement were able to identify Bondars and Martisevs through personal information associated with accounts used to set up Scan4You. Bondars included his real name and photo within a Gmail account connected with malicious command-and-control domains, and Martisevs used a phone number in connection with the service’s WebMoney account.
After a lengthy investigation – which included both Trend Micro and the FBI Washington office beginning in 2014 – Bondars and Martisevs were arrested in Latvia and extradited to the U.S. in 2017. According to Naked Security, Bondars was charged with one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud and one count of computer intrusion with the intent to cause damage. After a five-day trial, Bondars was convicted.
Martisevs, on the other hand, was charged with one count of conspiracy and one count of aiding and abetting computer intrusion. He was able to strike a plea deal.
The counter AV landscape following Scan4You
Following Bondars and Martisevs’ arrests in 2017, Scan4You was taken offline and stopped running scans. While researchers expected to see an increase in usage of its competitors – mainly VirusCheckMate – no subsequent growth was identified after Scan4You was taken offline.
Researchers took this to mean that Scan4You’s legal troubles sent a message to the underground counter AV industry – and that former Scan4You customers stopped using such services to evade detection.
Check out Trend Micro’s report to learn more about Scan4You and the counter AV landscape.