• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

Kaspersky Lab Faked Malware To Damage Marketplace Rivals

Status
Not open for further replies.

Rajack

Member
http://news.yahoo.com/exclusive-ex-...us-firm-faked-malware-130432663--finance.html
http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ1CR20150814
SAN FRANCISCO (Reuters) - Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.
They said the secret campaign targeted Microsoft Corp , AVG Technologies NV , Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers' PCs.
Some of the attacks were ordered by Kaspersky Lab's co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said.
"Eugene considered this stealing," said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation.
Kaspersky Lab strongly denied that it had tricked competitors into categorizing clean files as malicious, so-called false positives.
"Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing," Kaspersky said in a statement to Reuters. "Such actions are unethical, dishonest and their legality is at least questionable."
Executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years. When contacted this week, they had no comment on the allegation that Kaspersky Lab had targeted them.
The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients. Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran's nuclear program in 2009 and 2010.
The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky's selection of competitors to sabotage.
"It was decided to provide some problems" for rivals, said one ex-employee. "It is not only damaging for a competing company but also damaging for users' computers."
The former Kaspersky employees said company researchers were assigned to work for weeks or months at a time on the sabotage projects.
Their chief task was to reverse-engineer competitors' virus detection software to figure out how to fool them into flagging good files as malicious, the former employees said.
The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said. They licensed each other's virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google Inc's VirusTotal.

By sharing all this data, security companies could more quickly identify new viruses and other malicious content. But the collaboration also allowed companies to borrow heavily from each other's work instead of finding bad files on their own.
Kaspersky Lab in 2010 complained openly about copycats, calling for greater respect for intellectual property as data-sharing became more prevalent.
In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious. VirusTotal aggregates information on suspicious files and shares them with security companies.
Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky's lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010.
When Kaspersky's complaints did not lead to significant change, the former employees said, it stepped up the sabotage.

INJECTING BAD CODE

In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.
Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.
VirusTotal had no immediate comment.
In its response to written questions from Reuters, Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an "unknown third party" manipulated Kaspersky into misclassifying files from Tencent <0700.HK>, Mail.ru and the Steam gaming platform as malicious.

The extent of the damage from such attacks is hard to assess because antivirus software can throw off false positives for a variety of reasons, and many incidents get caught after a small number of customers are affected, security executives said.
The former Kaspersky employees said Microsoft was one of the rivals that were targeted because many smaller security companies followed the Redmond, Washington-based company's lead in detecting malicious files. They declined to give a detailed account of any specific attack.
Microsoft's antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in "quarantine."
Batchelder said it took him roughly six hours to figure out that the printer code looked a lot like another piece of code that Microsoft had previously ruled malicious. Someone had taken a legitimate file and jammed a wad of bad code into it, he said. Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well.
Over the next few months, Batchelder's team found hundreds, and eventually thousands, of good files that had been altered to look bad. Batchelder told his staff not to try to identify the culprit.
"It doesn't really matter who it was," he said. "All of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed."
In a subsequent interview on Wednesday, Batchelder declined to comment on any role Kaspersky may have played in the 2013 printer code problems or any other attacks. Reuters has no evidence linking Kaspersky to the printer code attack.

As word spread in the security industry about the induced false positives found by Microsoft, other companies said they tried to figure out what went wrong in their own systems and what to do differently, but no one identified those responsible.
At Avast, a largely free antivirus software maker with the biggest market share in many European and South American countries, employees found a large range of doctored network drivers, duplicated for different language versions.
Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and "wanted to have some fun" at the industry's expense. He did not respond to a request on Thursday for comment on the allegation that Kaspersky had induced false positives.

WAVES OF ATTACKS

The former employees said Kaspersky Lab manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013.
It is not clear if the attacks have ended, though security executives say false positives are much less of a problem today.
That is in part because security companies have grown less likely to accept a competitor's determinations as gospel and are spending more to weed out false positives.
AVG's former chief technology officer, Yuval Ben-Itzhak, said the company suffered from troves of bad samples that stopped after it set up special filters to screen for them and improved its detection engine.
"There were several waves of these samples, usually four times per year. This crippled-sample generation lasted for about four years. The last wave was received at the beginning of the year 2013," he told Reuters in April.
AVG's chief strategy officer, Todd Simpson, declined to comment on Wednesday.
Kaspersky said it had also improved its algorithms to defend against false virus samples. It added that it believed no antivirus company conducted the attacks "as it would have a very bad effect on the whole industry."
"Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted," Kaspersky said.
Holy shit, this cannot be okay and it should not be okay.
 

finley83

Banned
Between this and John McAfee's meltdown, it feels like a promising HBO comedy should come out of this at some point.
 

WedgeX

Banned
Holy shit. I remember the Avast meltdown where it flagged and deleted a whole lot of important things. And led everyone to abandon Avast.

Will never consider Kapersky products ever again. Should be illegal, really.
 

Rajack

Member
Holy shit. I remember the Avast meltdown where it flagged and deleted a whole lot of important things. And led everyone to abandon Avast.

Will never consider Kapersky products ever again. Should be illegal, really.

It likely is since it is anticompetitive and a form of sabotage.
 

cameron

Member
It's quite fiendish. From the article, the signatures of malicious files are shared between security companies using a aggregator like VirusTotal. The scheme was done by marking clean files used by common software as malware and then informing the aggregator. I'm not condoning the behaviour, but that's damn good.

The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said. They licensed each other's virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google Inc's VirusTotal.

In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.

Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.

Edit: It's done anonymously, so I guess it's hard to track back to Kaspersky.
 
Q

Queen of Hunting

Unconfirmed Member
Honestly not surprised always thought antu virus companies would do shit to seem like their software is better
 

Lucumo

Member
So, is there any proof? Apparently not. Apart from that, those false positives had a good effect in the end - companies actually tried to improve their products and rely less on others.
 
See the issue with things like this is you really just never know what's true, and what could simply be malicious ex employees looking to ruin the reputation of a company they use to work for, which for all we know could now be a direct competitor of theirs depending on where they currently work.

If this is true, however, then Kasperspy should never be trusted again. I use to use their software, but for one reason or another, moved away from their stuff and just went back to Norton.

So, is there any proof? Apparently not. Apart from that, those false positives had a good effect in the end - companies actually tried to improve their products and rely less on others.

I'm thinking this as well. It seems like they had a good end result. Although it definitely sucks for whoever had their important files or data destroyed because of this kind of stuff.
 

cm osi

Member
i just realized i always mispelled kaspersky
shitty thing to do anyway, expecially when you're already that big
 

LoveCake

Member
What exactly has Kaspersky done, from what i can make out Kaspersky infected files & sent them to rival anti-virus saying that their software flagged these files?
 
Shocking, if true. It borders on unbelievable, really, and of course it's by two former employees that were perfectly placed to see how long and bad their alleged corporate sabotage had gotten.

This passage jumps out at me more:
The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients. Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran's nuclear program in 2009 and 2010.

Anyways, it's interesting to hear that virus detection is such a collaborative effort. I never really thought about how it worked. And, of course, I always wondered how false positives happened... so these allegations go a long way to explaining it.


One thing I'm really wondering: is Kapsersky historically known for avoiding false positives, while their rivals are not or something? I've never used them, so I'm not sure on their reputation.
 

KadeYuy

Member
I wouldn't take this at face value. It's most likely not Kaspersky. They're well respected in computer security space but are Russian so people don't like them.
 

CTLance

Member
There's always been rumours that all antivirus companies have some shady underpinnings in order to keep the cashflow intact, so this does not really surprise me. Not even gonna single out Kapersky - although they sure appear to have been caught with their pants down on this and hopefully get their shit pushed in on all fronts as an example to the others.

And this has nothing to do with them being Russian. Nor with their founder apparently being a rich guy. It has everything to do with trust being at a premium, and those that violate it even in the slightest deserve to get smacked down, hard. They aren't selling funny home videos. They're selling software that has full system-level access to all files on a system, even extremely sensitive ones. You don't fuck around with that.
 

hirokazu

Member
If this is true, it seems like they actually achieved what they set out to do and the industry may be better off having implemented their own checks rather than accepting submissions to VirusTotal as-is, no?
 

Suikoguy

I whinny my fervor lowly, for his length is not as great as those of the Hylian war stallions
I wouldn't take this at face value. It's most likely not Kaspersky. They're well respected in computer security space but are Russian so people don't like them.

The source is not exactly some random blog somewhere.

Besides, people have reason to be skeptical of Russia lately.

One thing I'm really wondering: is Kapsersky historically known for avoiding false positives, while their rivals are not or something? I've never used them, so I'm not sure on their reputation.

eset has historically been one of the leaders for avoiding false positives. Not sure about the last couple of years.
http://www.av-comparatives.org/wp-content/uploads/2014/10/avc_fps_201409_en.pdf
http://www.av-comparatives.org/wp-content/uploads/2015/04/avc_fps_201503_en.pdf

This is coupled with decent/great detection.
 

Syriel

Member
If this is true, it seems like they actually achieved what they set out to do and the industry may be better off having implemented their own checks rather than accepting submissions to VirusTotal as-is, no?

Had to pull Norton off one of my boxes last month when it went absolutely crazy with false positives.

Among other things it decided that the Xbox 360 SDK was just a collection of viruses.
 

Regiruler

Member
Ugh, I use kapersky on one of my laptops :/

I'm confused as to what they actually did though. Did they tamper with their own antivirus to make it look better? Hack others' antivirus?
 

Undead

Member
And there's me completely uncaring because I'm thinking all companies have been doing this shit to each other for years.

Maybe that's just the cynic in me
 

styl3s

Member
Glad stuck I with AVG free!
I tried Kaspersky many years ago but it deleted shit that clearly wasn't harmful files and i ran into multiple problems so i uninstalled and looked for a new free virus scanner and was suggest AVG free + Malwarebytes free and i haven't had any problems yet.
 

FoxSpirit

Junior Member
I wouldn't put this past Kaspersky to be honest.
At the same time, wtf is it with companies stopping to do their own work is simply generously borrowing from the more dedicated ones? If Kaspersky could pull that for years and noone cared enough to check their shit better that's shoddy engineering at it's best.

Let's see what comes from this.
 

commedieu

Banned
angela.jpeg
 

Rebel Leader

THE POWER OF BUTTERSCOTCH BOTTOMS
I had Kaspersky before

It kept the computer running after shut down.
How do I know? I uninstalled it and it never happened again.
 

soleil

Banned
I'm not condoning what Kapersky allegedly did, if they did it. But if I read the article correctly, other antivirus software will only flag the harmless files if they copied Kapersky's code, hence the incentive given. So while Kapersky did something really bad (allegedly), the shittyness didn't start with them (also allegedly).
 

Rajack

Member
I'm not condoning what Kapersky allegedly did, if they did it. But if I read the article correctly, other antivirus software will only flag the harmless files if they copied Kapersky's code, hence the incentive given. So while Kapersky did something really bad (allegedly), the shittyness didn't start with them (also allegedly).

That's because these companies exchange signature data all the time. Its basically a necessity of computer and network security.
 

samn

Member
Anonymous sources, no proof, yup, we're done here.

If Kaspersky would be so sneaky as to engage in this behaviour, then any other antivirus company could be so sneaky as to frame them.
 

down 2 orth

Member
If this is true, it seems like they actually achieved what they set out to do and the industry may be better off having implemented their own checks rather than accepting submissions to VirusTotal as-is, no?

Yeah, that's what I got from reading this article as well.
 

Faddy

Banned
What exactly has Kaspersky done, from what i can make out Kaspersky infected files & sent them to rival anti-virus saying that their software flagged these files?

Someone, allegedly Kaspersky, reverse engineered anti virus suppliers code and then crafted and submitted viruses to VirusTotal which would result in those companies flagging non-infected system files as infected. The AV software would then remove the file which could break the users computer.

It has exposed that many AV vendors don't scrutinize the information given from VirusTotal. Anyone caught out by this has been taking shortcuts and you probably shouldn't trust them to keep critical machines safe.
 
Status
Not open for further replies.
Top Bottom