Ruslans Bondars and Jurijs Martisevs, two Latvian citizens, are facing charges in the US for running a portal that allowed cybercrooks to scan and see if their malware was detected by antivirus software.
Called "no distribute scanners," these services are similar to VirusTotal, with the main difference being that they block telemetry and don't share scan results with antivirus vendors.
"No distribute scanners" are regularly used during the process of coding a malware family as a way to make sure the malware is undetectable. They are also used just before malware authors start malware distribution campaigns, as a last check to ensure their final and ready-to-go payloads are still undetectable.
According to an indictment unsealed yesterday by the Department of Justice (DOJ) and obtained by Bleeping Computer, Bondars and Martisevs have operated such a service since 2006, which they advertised on hacking forums and on the Dark Web.
Officials redacted the scanner's name in the DOJ indictment, but said the service had over 30,000 users and was "one of the biggest of its kind."
"Malware that has been submitted to [REDACTED] includes some of the most prolific malware known to the Federal Bureau of Investigation and has been used in major computer intrusions
committed against American businesses," the DOJ indictment reads.
Investigators say the service was used to scan malware such as remote access trojans (RATs), keyloggers, crypters, and others.
The service operated by Bondars and Martisevs also offered an API that malware authors embedded in their products. For example, RATs and keyloggers included this API, so customers of those malware toolkits could find out if the payloads they generated are detectable by antivirus vendors.
According to the indictment, Bondars was in charge of maintaining the scanner's technical infrastructure, while Martisevs provided customer support via ICQ, Skype, Jabber, or email.
The service was hosted on Amazon Web Services servers. Malware authors had to pay to get full access to the scanner's features. Martisevs used a PayPal account in his name to process payments.
Authorities say they also identified one of the scanner's customers, a US-based malware author with the initials Z.S., who created a keylogger that he sold to over 3,000 customers, who then infected over 16,000 computers.
Both suspects are now face charges of conspiracy, conspiracy to commit wire fraud, wire fraud, and hacking.
While Bondars is a Latvian citizen, Martisevs has dual citizenship, both Latvian and Russian, and has been living in both in Riga and Moscow. According to Russian news agency Interfax, the Russian Embassy in Washington accused the US of violating the rights of one of its citizens.
"We believe that the arrest in the current case, the American authorities have forcibly taken away by Russian citizen in violation of the 1999 agreement concluded on mutual legal assistance in criminal matters," Embassy officials said [translated].
While the name of the scanner has been redacted, many security researchers such as MalwareHunter or MalwareTech have said they suspect that Bondars and Martisevs might have operated Scan4You, one of the biggest "no distribute scanners" around, which went down this spring. The API for this scanner was often found used by many malware samples analyzed by MalwareHunter, the researcher tells Bleeping Computer.
Other "no distribute scanners" that went down without an explanation during the past year include AnonScanner, RazorScanner and BlackShades Scanner, albeit we can't ever be sure until the DOJ comes forward with more information.
Legal investigations involving this unnamed scanner and some of its customers are most likely underway, hence the reason to keep the scanner's name out of court documents.