Inside the Takedown of Scan4You, a Notorious Malware Clearinghouse

Posted on May 17, 2018

Inside the Takedown of Scan4You, a Notorious Malware Clearinghouse

Most antivirus scanners play a classic cat and mouse game: They work by checking software against a frequently updated list of potential threats. In response, a whole industry has built up to help occlude and conceal hacking tools. That includes services that automate the process of checking all sorts of tools, from malware to malicious URLs, against dozens of defense scanners to see if they would get blocked.

The feedback helps bad actors know what to tweak further, and whats ready to use. These malware checkers, known as ‘counter antivirus services’ or ‘no distribute scanners,’ have become an increasing focus for both security researchers and law enforcement. And on Wednesday, a case against the operators of one of the most popular of these clearinghouses, Scan4You, concluded.

After the security firm Trend Micro brought extensive data on the service to the FBI, and law enforcement investigated, one of the Scan4You creators pleaded guilty and the other was found guilty by a Virginia court today. In summer 2012, Trend Micro researchers noticed some unusual activity cropping up on their threat-tracking scanner. The researchers had been investigating a malware distribution tool called ‘g01pack.’

They realized that a group of Latvian IP addresses kept checking g01pack-related URLs against Trend Micro’s web reputation system—a tool that tracks web activity and can block malicious websites for customers. Digging deeper, the researchers discovered that the Latvian IP addresses were actually initiating these checks for all sorts of URLs. They were looking at a goldmine of information about the inner workings of a notorious malware checker.