
Exclusive: Ex-employees - Russian antivirus firm faked malware to harm rivals


nanana1


Source : http://ca.reuters.com/article/technologyNews/idCAKCN0QJ1CR20150814

By Joseph Menn

SAN FRANCISCO: Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.

They said the secret campaign targeted Microsoft Corp, AVG Technologies NV, Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers' PCs.

Some of the attacks were ordered by Kaspersky Lab's co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said.

"Eugene considered this stealing," said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation.

Kaspersky Lab strongly denied that it had tricked competitors into categorizing clean files as malicious, so-called false positives.

"Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing," Kaspersky said in a statement to Reuters. "Such actions are unethical, dishonest and their legality is at least questionable."

Executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years. When contacted this week, they had no comment on the allegation that Kaspersky Lab had targeted them.

The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients. Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran's nuclear program in 2009 and 2010.

The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky's selection of competitors to sabotage.

"It was decided to provide some problems" for rivals, said one ex-employee. "It is not only damaging for a competing company but also damaging for users' computers."

The former Kaspersky employees said company researchers were assigned to work for weeks or months at a time on the sabotage projects.

Their chief task was to reverse-engineer competitors' virus detection software to figure out how to fool them into flagging good files as malicious, the former employees said.

The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said. They licensed each other's virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google Inc's VirusTotal.

By sharing all this data, security companies could more quickly identify new viruses and other malicious content. But the collaboration also allowed companies to borrow heavily from each other's work instead of finding bad files on their own.

Kaspersky Lab in 2010 complained openly about copycats, calling for greater respect for intellectual property as data-sharing became more prevalent.

In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious. VirusTotal aggregates information on suspicious files and shares them with security companies.

Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky's lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010.

When Kaspersky's complaints did not lead to significant change, the former employees said, it stepped up the sabotage.

INJECTING BAD CODE

In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.

Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.

VirusTotal had no immediate comment.

In its response to written questions from Reuters, Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an "unknown third party" manipulated Kaspersky into misclassifying files from Tencent, Mail.ru and the Steam gaming platform as malicious.

The extent of the damage from such attacks is hard to assess because antivirus software can throw off false positives for a variety of reasons, and many incidents get caught after a small number of customers are affected, security executives said.

The former Kaspersky employees said Microsoft was one of the rivals that were targeted because many smaller security companies followed the Redmond, Washington-based company's lead in detecting malicious files. They declined to give a detailed account of any specific attack.

Microsoft's antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in "quarantine."

Batchelder said it took him roughly six hours to figure out that the printer code looked a lot like another piece of code that Microsoft had previously ruled malicious. Someone had taken a legitimate file and jammed a wad of bad code into it, he said. Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well.

Over the next few months, Batchelder's team found hundreds, and eventually thousands, of good files that had been altered to look bad. Batchelder told his staff not to try to identify the culprit.

"It doesn't really matter who it was," he said. "All of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed."

In a subsequent interview on Wednesday, Batchelder declined to comment on any role Kaspersky may have played in the 2013 printer code problems or any other attacks. Reuters has no evidence linking Kaspersky to the printer code attack.

As word spread in the security industry about the induced false positives found by Microsoft, other companies said they tried to figure out what went wrong in their own systems and what to do differently, but no one identified those responsible.

At Avast, a largely free antivirus software maker with the biggest market share in many European and South American countries, employees found a large range of doctored network drivers, duplicated for different language versions.

Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and "wanted to have some fun" at the industry's expense. He did not respond to a request on Thursday for comment on the allegation that Kaspersky had induced false positives.

WAVES OF ATTACKS

The former employees said Kaspersky Lab manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013.

It is not clear if the attacks have ended, though security executives say false positives are much less of a problem today.

That is in part because security companies have grown less likely to accept a competitor's determinations as gospel and are spending more to weed out false positives.

AVG's former chief technology officer, Yuval Ben-Itzhak, said the company suffered from troves of bad samples that stopped after it set up special filters to screen for them and improved its detection engine.

"There were several waves of these samples, usually four times per year. This crippled-sample generation lasted for about four years. The last wave was received at the beginning of the year 2013," he told Reuters in April.

AVG's chief strategy officer, Todd Simpson, declined to comment on Wednesday.

Kaspersky said it had also improved its algorithms to defend against false virus samples. It added that it believed no antivirus company conducted the attacks "as it would have a very bad effect on the whole industry."

"Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted," Kaspersky said.

:pos: :duh: :locked: :protest: :fight: :rant: :spank: :rockon: :badmood: :ablow: :banned: :wut:


Not good... :angry:

"The antivirus industry has always been good at collaboration. From the earliest days of the industry, email lists were set up to share malware samples and signatures with competitors, although the discovering company got to name the sample, got the bragging rights, and bagged the publicity.
According to the Reuters report, Kaspersky Lab decided to break this solidarity pact, and allegedly spent ten years seeding legit files with malware inserted in an attempt to cripple rivals. The Russian biz was, apparently, furious with its rivals ripping off its technology."


Source


Also...

"Reuters reported today that two ex-Kaspersky engineers claim they were tasked with tricking competing antivirus into classifying benign executables and other files as malicious. Anti-malware tools from Microsoft, AVG and Avast were targeted, apparently."

Source



Crap...just seen the other post....sorry for the dupe. Can a mod delete plz...

jalaffa edit: Your topic merged with that one.



Kaspersky is a good product. I don't care what they do to their competitors at all, and they set the stage for other AVs and they are one of the reasons all antivirus are as good as they are today. AVG you use could catch a virus from it even though it could detect it. When I tried Kaspersky it could prevent a virus from ever happening. But still AVG was the most installed product even though it never worked, because it was free. Nowadays most people just install Avast or Microsoft because it's free. Avast will keep you protected and you don't have to pay for it. So Kaspersky will never be able to compete with Avast unless they start offering a free version, regardless of what the made-up tests made by antivirus companies say. Every year when market share comes out, the most installed ones are always free ones.



The bottom line is - if your current AV hasn't disappointed you yet, don't leave it, no matter what others say.

I was using Avast once. It missed a virus and that infected my system. I left it. Then tried Webroot. After some time it also missed a virus. I left that too. Now I use ESET. It hasn't missed anything yet and I will stick with it till it misses one.


I used Avast once for years; I never got infected... but no antivirus will protect you 100%, and any test that says an antivirus works 95-100% is fiction. Using ad blockers and script blockers while surfing the web is just as important. They can block 0-day attacks. An antivirus depends on a signature to prevent a virus, and all update at different times; they all have pretty much the same set. B)

Back years ago I installed NOD32 once and it missed a virus. I was just testing it and had uninstalled Kaspersky. Needless to say, I got rid of the virus and installed Kaspersky back.

But in recent years, like 2010-2015, I've used Avast 4 years and then switched to NOD32; either has always kept me protected. The good news is antivirus are better than ever before.



What Kaspersky might have just done was totally legal and personal. It was those antivirus companies who mimicked Kaspersky and wanted to get to the point where they were overnight. Nobody said there must be hundreds of antivirus brands in the market. Only a few of them would suffice. 5 good antivirus products are better than 100 antivirus brands with shitty products. BTW, you don't install free antiviruses for your corporation or business, do you?



Yes, if it were not for Kaspersky, even though I don't use it in right many years. I know for a fact that if it were not for their great product most antivirus would never have stepped up their protection to what it is today. And if they hadn't done it and things were like they used to be, I'd still be using Kaspersky. ;)

Right now I service 2 machines with Avast on them and my main machine has NOD32 on it because Avast uses all its process through the browser and NOD32 doesn't have this problem.


NOD32 is shit. It's light and not smart enough; even its ESET Smart Security is idiot. It failed me every time I installed it from 2009 till now. It detects only common threats. It's so light that you might think it's not even running.


I started using it right before version 8 came out and switched to 8 as soon as it came out. I run scans all the time with Malwarebytes and HitmanPro. It never lets a virus through; all scans come up clean. But I also have extra protection in my browser: adblocker with some great filters and Policeman.


Oh, lucky you. Maybe version 8 is different, but instead of using all those programs, make life easier for yourself and just use Kaspersky Internet Security 2016. It comes with an adblocker too, which is very effective with an updated list and also integrates in all browsers. For example, when my uBlock finds 32 items on a page, when I turn it off and KIS adblocker scans the web page, it finds all those 32 items too. :rolleyes:



On October 16, 2013, ESET version 7.0 was released. It offers enhanced operation memory scanning and blocks misuses of known exploits.

On October 2, 2014, ESET version 8.0 was released. It adds exploit blocking for Java and botnet protection.

It's much better than it used to be :D



Kaspersky responded back about it


Kaspersky Lab Denies Creating Fake Malware Data To Sabotage Rivals

Security firm Kaspersky Lab denies allegations of thwarting rivals by planting false information in the virus reports it publicly shares.

In a digital era heavily relying on computers, security is of utmost importance. Security breaches can compromise vital and sensitive data, affect the performance of a machine and cause lots of headaches, but various security software aim to protect users from such threats.

Kaspersky Lab is one of the most powerful security companies of its kind, leveraging extensive expertise and employing some of the world's best security researchers.

The latest report from Reuters, however, raises some serious concerns regarding the company's practices. More specifically, a couple of former Kaspersky employees apparently told Reuters that the security company is planting fake information in its public reports, aiming to thwart competitors. The sources spoke under condition of anonymity.

According to these sources, Kaspersky has intentionally classified routine system files as malware to harm rivals. In this case, competing software would see the files classified as malware (even if they were not actually malware) and flag or delete them on user machines, which in turn could cause various software to stop working properly.

The two former Kaspersky employees even claimed that Kaspersky Lab founder Eugene Kaspersky himself personally directed this practice of dropping file names in virus reports.

It remains to be seen whether such allegations turn out to be accurate or not, but Kaspersky does have the power to trick rivals through such practices. Back in 2010, for instance, Kaspersky complained that many other security firms were simply copying its work without adding their own contributions, and set up an experiment to prove it.

As part of the experiment, Kaspersky submitted the names of 20 benign files to VirusTotal, marking them as malware. Little over a week later, at least 14 other security firms marked the files in question as malicious as well, proving Kaspersky's point that they were copying its work. That information was conducted openly and everything was public knowledge, but the two ex-Kaspersky employees now tell Reuters that the company has in fact planted such false positives for more than 10 years, especially between 2009 and 2013.

Kaspersky, for its part, strongly denies any such practices, arguing that it never planted any misleading virus information.

The Reuters report stirred great uproar due to the severity of the issue, but Kaspersky denies all allegations. The security firm issued an official statement on the matter:

"Contrary to allegations made in a Reuters news story, Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing," argues Kaspersky. "Such actions are unethical, dishonest and illegal. Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false."

Eugene Kaspersky has even taken to his personal Twitter account to slam the Reuters report as "complete BS."

I don’t usually read @reuters. But when I do, I see false positives. For the record: this story is a complete BS: https://t.co/m0Rcy2Vm6Y

— Eugene Kaspersky (@e_kaspersky) August 14, 2015

Kaspersky continues to bash Reuters' article on his personal blog, pointing out that the whole story makes waves without offering a single shred of evidence, making sensational claims based on a couple of anonymous sources.

source


Been with Avast for many years and still very happy with it.

Have tried Norton, AVG, Kaspersky etc. but will stay with Avast.



you don't install free antiviruses for your corporation or business, do you?

You wouldn't believe how stingy some companies are when it comes to software, and more so antivirus. So my solution is: OK, fine, you don't want a paid AV? Then NO access to the internet for this computer, and NO thumb drives allowed either... and that is behind a hardware firewall.

Been with Avast for many years and still very happy with it.

Have tried Norton, AVG, Kaspersky etc. but will stay with Avast.

Wow. I wonder what a HitmanPro scan would come up with? Avast usually doesn't even acknowledge there's something fishy in a computer, let alone admit it is a virus.

But hey, it will go off with all the bells and whistles if it detects a crack/keygen!



@VileTouch, I agree with you but I cannot afford Hitman Pro.

Been using Avast free for many years and recently got the GOTD Avast Pro for a full year.

Have been legal on all my software so I would not venture to download a Hitman Pro torrent.

Perhaps one day Hitman Pro will come my way, for free?

I notice that we both use the Pirate symbols so we should have "something" in common?

Any ideas?



An AntiVirus (or any other program) is only as good as the User — in other words, it is the User who is the weak link to security (not the tool — Kaspersky.) ^_^



Kaspersky is a good product. I don't care what they do to their competitors at all, and they set the stage for other AVs and they are one of the reasons all antivirus are as good as they are today. AVG you use could catch a virus from it even though it could detect it. When I tried Kaspersky it could prevent a virus from ever happening. But still AVG was the most installed product even though it never worked, because it was free. Nowadays most people just install Avast or Microsoft because it's free. Avast will keep you protected and you don't have to pay for it. So Kaspersky will never be able to compete with Avast unless they start offering a free version, regardless of what the made-up tests made by antivirus companies say. Every year when market share comes out, the most installed ones are always free ones.

Agreeeeeeeee :rockon:



I've always had a feeling that these types of vendors create their own bacteria to scare us and justify their existence.



This thread is a duplicate; bat is the one who first posted about this and this user is getting credit, not cool:

http://www.nsaneforums.com/topic/250387-kaspersky-tipped-to-be-sabotaging-rival-anti-virus-software/

Same thread and same problem. The original thread is here:

http://www.nsaneforums.com/topic/250260-kaspersky-said-to-have-targeted-microsoft-and-others-with-fake-malware/

This got posted yesterday and bat posted the original on 08/14/15. Can you merge the threads? As for Kaspersky, I love Kaspersky and think this is false.



Archived

This topic is now archived and is closed to further replies.
