A Russian coder who ran and franchised an anti-anti-virus service has pleaded guilty to one charge of conspiracy and one charge of aiding and abetting computer intrusion. The service let crooks check their malware against dozens of brands of antivirus software to see whether it would be detected, and it helped a range of malware slip past defenses to bring about massive hacks.
Jurijs Martisevs was arrested on a trip to Latvia last April. Also arrested was Ruslans Bondars, who is accused of running the service along with Martisevs and a third, unnamed, alleged co-conspirator in Virginia.
Martisevs was extradited to the US – a move that Russia claimed was tantamount to kidnapping. Bondars is still awaiting trial.
Martisevs’ service was designed to keep new malware out of the hands of anti-virus makers. Unlike legitimate multi-scanner services, it did not share submitted files or detection results with the anti-virus vendors, thereby keeping them in the dark about new threats. The service saw a wide variety of submissions: among other types, crypters meant to hide malware from anti-virus programs, remote-access Trojans (RATs), keyloggers, and malware toolkits used to build customized malicious files.
Beyond running the service for themselves, the operators franchised it, marketing it under different names and in different languages. Martisevs was the customer support contact for customers who wanted to franchise or resell the service. He sent them along to Bondars, who allegedly provided technical support.
Bondars also allegedly provided application programming interfaces (APIs) so that the service could be integrated directly into the malware kits the conspirators designed and sold. One such was the notorious Citadel toolkit, with which crooks initiated wire transfers out of victims’ bank accounts.
According to court documents, Martisevs and Bondars set up the anti-anti-virus service at least as early as 2009 and ran it until May 2017. Malware developers would submit samples and learn whether they would be detected by the anti-virus programs used by their intended victims – companies and institutions. If they were, the developers would tweak or re-pack the malware so that it had a new hash value and a different footprint, then resubmit it to see whether the new version slipped past the anti-virus signatures, repeating the cycle until it did.
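The submit, tweak, resubmit loop described above can be simulated in a few lines. The following is an added example written for this article, not code from the case or from any scanning service; the "malware" bytes, the signature database and the scanner functions are all constructed for illustration. It shows why a hash-only blocklist falls to the first trivial change while a content-based rule (the kind of substring match a YARA rule encodes) survives the same loop, which is the practical reason defenders should not rely on file hashes as their only indicator.

```python
import hashlib

# Constructed stand-in for a malicious file (no real malware; just bytes
# with a recognisable marker string inside).
SAMPLE = b"MZ\x90\x00PAYLOAD:dump-track2;c2=example.invalid;"

# Toy signature database.
# HASH_SIGS mimics a hash blocklist: it only knows this exact file.
# CONTENT_SIGS mimics a content rule: it looks for characteristic substrings.
HASH_SIGS = {hashlib.sha256(SAMPLE).hexdigest()}
CONTENT_SIGS = [b"dump-track2", b"c2=example.invalid"]


def scan_hash(blob: bytes) -> bool:
    """Detected iff the file's SHA-256 is on the blocklist."""
    return hashlib.sha256(blob).hexdigest() in HASH_SIGS


def scan_content(blob: bytes) -> bool:
    """Detected iff any signature substring appears in the file."""
    return any(sig in blob for sig in CONTENT_SIGS)


def mutate(blob: bytes, round_no: int) -> bytes:
    """The attacker's 'tweak': append one junk byte.

    This changes the hash without changing behaviour, which is exactly
    the kind of change that defeats hash-only detection.
    """
    return blob + bytes([round_no & 0xFF])


def evasion_loop(blob: bytes, scanner, max_rounds: int = 20):
    """Simulate the submit/tweak/resubmit cycle against one scanner.

    Returns (submissions_needed, final_blob, evaded). submissions_needed is
    the number of tweaks applied before the scanner stopped detecting it.
    """
    for round_no in range(max_rounds):
        if not scanner(blob):
            return round_no, blob, True
        blob = mutate(blob, round_no)
    return max_rounds, blob, False


if __name__ == "__main__":
    for name, scanner in (("hash-only", scan_hash), ("content", scan_content)):
        rounds, _, evaded = evasion_loop(SAMPLE, scanner)
        print(f"{name:10s} evaded={evaded} after {rounds} tweak(s)")
```

Run as a script it reports that the hash-only scanner is evaded after a single appended byte, while the content scanner still flags every variant after twenty rounds. Real crypters go further and encrypt the body so that substring rules also fail, which is why modern products lean on emulation and behavioural detection rather than static signatures alone.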
According to Martisevs’ plea deal, the service enabled the creation of malware that was used in hundreds of thousands of attacks.
The victims weren’t named, but one major breach mentioned in court documents took place in 2013 and targeted the payment processing systems of a “major retail store located in the United States.” That sounds an awful lot like the huge Target breach of 2013.
The hackers submitted variations of their credit card stealing code to the service four times over the course of two weeks before finally deploying the malware on Black Friday weekend. The Target breach ultimately exposed some 40 million credit and debit card numbers, along with personal data of up to 70 million customers. It also cost the retailer a $39 million settlement with banks and credit card firms, and $10 million paid out to consumers in a class action lawsuit.
Martisevs faces up to five years in prison on the conspiracy charge, a fine of up to $250,000, and three years of supervised release. The aiding and abetting charge is the more serious one: it carries a maximum of 10 years in prison (though maximum penalties are rarely handed out), as well as the fine and supervised release.