Hacker gets 14 years jail time for operating Scan4You malware scanning service by Waqas.
I’ve been puzzling over what crime was committed here, especially when I read:
…
The purpose was to assess whether the malicious code was detected or not during routine security checks. Scan4You is also regarded in the infosec industry as a non-distribute scanner. The difference between VirusTotal and Scan4You is that the latter doesn’t let antivirus engines report back results to vendors and the malware detections are kept discreet, while the former does so.
…
The Scan4You service, according to the court documents, was hosted on Amazon Web Services servers, while malware developers used to pay to get full access to its features. Trend Micro also stated that Bondars made a very common mistake that almost every malware developer has made in the past, which is that he blocked antivirus engines from reporting on file scans.
…
If you track down the indictment (Ruslans Bondars and Jurijs Martisevs indictment, h/t Catalin Cimpanu for uploading), section 11 appears, on a quick read, to be its most worrisome point:
…
11. The Defendants intentionally marketed (omission) to computer hackers using the website (omission) and a hidden service accessible via The Onion Router (TOR), an online network for enabling anonymity. The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII). Moreover, the (omission) service differed from legitimate scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community, and notify their users they will do so, (omission) instead informed its users they could upload anonymously, and that data about the uploaded files would not be shared with the antivirus community. As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.
…
The indictment does not contain the advertisements posted by the defendants (“The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII).”), so it’s not possible to judge the intent evidenced by those ads.
On the other hand:
- “a hidden service accessible via The Onion Router (TOR)”
- anonymous uploads
- not sharing with the antivirus community
by themselves surely don’t support the conclusion:
…
As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.
…
Don’t rely on this post as legal advice, but I can easily see a legitimate virus scanning service offering a hidden service with anonymous uploads, for the purpose of staying ahead of its competition in the detection of malware. If malware authors are more likely to upload to a service anonymously, doing otherwise makes little business sense.
Moreover, the objection to not sharing with the antivirus community rests on the mistaken assumption that computer security is a shared concern. That’s demonstrably false, given the collection and use of zero-day vulnerabilities by the NSA. See: The challenge of offensive hacking: the NSA and zero days
Governments around the world use cyber vulnerabilities and call on you to make unpaid contributions of time and labor to improve “cybersecurity.”
I’ll pass on that request.
Hackers represent the QA staff that software vendors refuse to hire. If governments want more secure software, decriminalize hacking and establish civil liability for software vendors, contractors and users.
Incentivize security as opposed to preaching about it.