3 years in prison over Scan4You, a service that helped malware evade antiviruses

Trend Micro has published details of its close cooperation with the FBI, which led to the identification, arrest and prosecution of people associated with Scan4You, a CAV (Counter Antivirus) service that allowed cybercriminals to evade popular antiviruses. Ruslans Bondars was found guilty of the offenses charged against him, and Jurijs Martisevs pleaded guilty in March 2018.

The Scan4You service allowed cybercriminals to check whether their latest malware was detected by more than 30 popular antivirus programs, which made their attacks more effective. One might ask how the service differed from VirusTotal or Jotti. It was paid, but that in itself is not the issue: the illegal practice was the use of antivirus scanners (probably run from the command line) without the consent of their producers.

Ruslans Bondars: official LinkedIn profile from 2012. The Latvian was convicted of administering a service that helped malware evade popular antivirus programs.

The Scan4You service appeared in 2009 and eventually became one of the largest CAV services. Malware authors used Scan4You to scan the viruses they developed. The result showed them which antivirus engines did not detect the threat, so that they could, if necessary, use additional techniques to hide the virus code from protection programs.

Illegally used antiviruses: Counter Antivirus

CAV services are illegal because they allow cybercriminals to check whether malicious software is detected by antivirus engines. Although they are very similar to VirusTotal or Jotti, they use antivirus programs in a way that is against the law and without contracts with the producers.

VirusCheckMate - antiviruses used for checking viruses

CAV services are not new. As early as 2007, the AVCheck.ru website was closed in a similar way after the arrest of its alleged administrators. Unlike, for example, VirusTotal, a CAV service does not send the scanned files or URLs to antivirus producers. As a result, cybercriminals usually stay away from VirusTotal and choose a solution that does not send their "creative work" to all interested parties. In addition, a CAV service requires malware authors to pay for each scanned file or lets them purchase a package. Legal public scanners do not do this, but for more demanding users they provide APIs that allow automatic sample submission. VirusTotal's services are used by, among others, SecureAPlus in its technology of 12 antivirus engines (UniversalAV). The Jotti scanner uses the Polish SpyShelter product.

Services such as VirusTotal have one more disadvantage: they are not suitable for verifying the security of files in the same way as antiviruses installed on computers, so they cannot be used to perform comparative security tests, as stated on the VirusTotal blog:

VirusTotal antivirus engines are versions launched from the command line, so, depending on the product, they do not behave exactly the same as the desktop versions. For example, desktop solutions can use techniques based on behavioral analysis and firewalls that can block threats.

Antivirus engines used for command-line scanning can be more aggressive and generate more false alarms. Some engines can even be configured individually, which means that a given manufacturer provides an engine version set up according to its own expectations, and this engine can be configured differently from the one on the end user's device.

With that in mind, if you ever read that the X or Y engine does not detect the threat on VirusTotal, remember how this service works and that the results it delivers may differ from the actual protection.

Services such as VirusTotal or Jotti use command-line scanning, which may include behavioral protection, behavior-blocking techniques and mechanisms, heuristics or sandboxing. They do of course help in verifying a file's safety, but they do not prove the real effectiveness of a security product, because they do not reflect its other protection components, such as IPS/IDS, firewalls, anti-ransomware modules and more.




We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.