Recently, a 37-year-old man from Latvia, Ruslans Bondars, was sentenced to 14 years in prison for developing and operating the Scan4You service. The service's website reportedly allowed malware developers to check the detection rate of their malicious code. In the information security industry, security researchers and malware developers refer to Scan4You as a "no-distribute scanner."
Scan4You worked like Google's legitimate VirusTotal web service, which aggregates the scan engines of multiple anti-virus vendors and lets users check a file against many anti-virus products at once. The one difference is that Scan4You did not let the anti-virus engines report back to their vendors: it returned only the detection results to the user.
For years, malware developers have used services like Scan4You to check whether their malware is detected, then fine-tuned the code to evade detection before deploying it.
According to a report released by Trend Micro earlier this year, Ruslans Bondars launched Scan4You in 2009, and it soon became the most popular service on the market. The company said that when running Scan4You, which was configured as a no-distribute scanner, Bondars made the same mistake that many malware developers make.
In 2012, when Bondars blocked the anti-virus engines from reporting back, he, like many other operators, forgot to block the URL scanning and reporting function of the Trend Micro engine.
Trend Micro said it had received URL reputation queries from services such as Scan4You for nearly five years, which helped the company discover malware before it was deployed. As the data accumulated, Trend Micro shared these findings with the FBI and other law enforcement agencies.
In the end, Bondars and his colleague Jurijs Martisevs were arrested in Riga, Latvia, in May 2017 and subsequently extradited to the United States to stand trial for operating Scan4You.
According to court documents, Scan4You was hosted on Amazon AWS servers, and malware developers had to pay for full access to its scanners. Martisevs handled payments through a personal PayPal account, which made it easier for US law enforcement to track both individuals.