A Russian coder who ran and franchised a dark web service that optimized malware and checked it against antivirus engines has pled guilty to one charge of conspiracy and one charge of aiding and abetting computer intrusion.
Jurijs Martisevs was arrested while on a trip to Latvia and extradited to the US after the authorities accused him and associate Ruslans Bondars of running the anti-antivirus system. Martisevs has now admitted to this, while Bondars is still awaiting trial.
According to court documents [PDF], Martisevs set up the service in 2009 and it operated until May 2017. Malware developers could submit a sample to the pair’s service, which would check the code against the virus signatures used by the world’s leading security software suites.
If the sample was flagged, meaning it was likely to be detected in the wild, the code could then be tweaked to evade detection. One sample was submitted several times to the service before being unleashed on a major US retailer – thought to be Target.
Another malware writer with the initials ZS used the service to check the effectiveness of a keylogger they had developed. The malware was then sold to over 3,000 buyers and is thought to have infected over 16,000 computers.
The pair also offered their malware-checking engine as an API so that it could be incorporated into off-the-shelf virus builder toolkits. Martisevs admitted that the code he helped develop was used by the Citadel malware, which was used to extract $500m (£383m) from bank accounts around the world.
The pair even franchised out the service so other people could pitch it to hackers. They provided technical support via ICQ, Skype, Jabber, or email.
Martisevs faces a possible five years in prison on the conspiracy charge, along with a fine of $250,000 and three years’ supervised release. The aiding and abetting charge is more serious, with a possible ten years inside, as well as the fines and supervised release.