Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Exclusive: Russian antivirus firm faked malware to harm rivals - Ex- employees
#1
Exclamation 
By Joseph Menn

SAN FRANCISCO (Reuters) -
Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.

They said the secret campaign targeted
Microsoft Corp (MSFT.O), AVG Technologies
NV (AVG.N), Avast Software and other rivals,
fooling some of them into deleting or disabling
important files on their customers' PCs.

Some of the attacks were ordered by Kaspersky Lab's co-founder, Eugene
Kaspersky, in part to retaliate against smaller
rivals that he felt were aping his software
instead of developing their own technology,
they said. "Eugene considered this stealing," said one of the former employees.

Both sources requested anonymity and said they were among a small group of people who knew about the operation.

Kaspersky Lab strongly denied that it had
tricked competitors into categorizing clean files
as malicious, so-called false positives.

"Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing," Kaspersky said in a statement to Reuters. "Such actions are unethical, dishonest and their legality is at least questionable."

Executives at Microsoft, AVG and Avast
previously told Reuters that unknown parties
had tried to induce false positives in recent
years.

When contacted this week, they had no
comment on the allegation that Kaspersky Lab
had targeted them. The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients.

Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran's nuclear program in 2009 and 2010.

The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky's selection of competitors to sabotage.

"It was decided to provide some problems" for
rivals, said one ex-employee. "It is not only
damaging for a competing company but also
damaging for users' computers."

The former Kaspersky employees said company researchers were assigned to work
for weeks or months at a time on the sabotage
projects.

Their chief task was to reverse-engineer
competitors' virus detection software to figure
out how to fool them into flagging good files as
malicious, the former employees said.

The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said.

They licensed each other's virus-detection engines, swapped samples of malware, and
sent suspicious files to third-party aggregators
such as Google Inc's (GOOGL.O) VirusTotal.

By sharing all this data, security companies
could more quickly identify new viruses and
other malicious content. But the collaboration
also allowed companies to borrow heavily from
each other's work instead of finding bad files on their own.

Kaspersky Lab in 2010 complained openly
about copycats, calling for greater respect for
intellectual property as data-sharing became
more prevalent.

In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious.

VirusTotal aggregates information on
suspicious files and shares them with security companies.

Within a week and a half, all 10 files were
declared dangerous by as many as 14 security
companies that had blindly followed Kaspersky's lead, according to a media
presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010.

When Kaspersky's complaints did not lead to
significant change, the former employees said,
it stepped up the sabotage.

"INJECTING BAD CODE"

In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said.

They would send the doctored file anonymously to VirusTotal. Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious.

If the doctored file looked close enough to the
original, Kaspersky could fool rival companies
into thinking the clean file was problematic as well.

VirusTotal had no immediate comment.

In its response to written questions from Reuters, Kaspersky denied using this technique.

It said it too had been a victim of such an attack in November 2012, when an "unknown third party" manipulated Kaspersky into
misclassifying files from Tencent (0700.HK), Mail.ru (MAILRq.L) and the Steam gaming
platform as malicious.

The extent of the damage from such attacks
is hard to assess because antivirus software
can throw off false positives for a variety of
reasons, and many incidents get caught after a small number of customers are affected,
security executives said.

The former Kaspersky employees said
Microsoft was one of the rivals that were
targeted because many smaller security
companies followed the Redmond, Washington-based company's lead in detecting malicious files.

They declined to give a detailed account of any specific attack.

Microsoft's antimalware research director,
Dennis Batchelder, told Reuters in April that he
recalled a time in March 2013 when many
customers called to complain that a printer
code had been deemed dangerous by its
antivirus program and placed in "quarantine."

Batchelder said it took him roughly six hours to
figure out that the printer code looked a lot like
another piece of code that Microsoft had
previously ruled malicious.

Someone had taken a legitimate file and jammed a wad of bad code into it, he said.

Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well. Over the next few months, Batchelder's team found hundreds, and eventually thousands, of good files that had been altered to look bad.

Batchelder told his staff not to try to identify the culprit. "It doesn't really matter who it was," he said. "All of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed."

In a subsequent interview on Wednesday,
Batchelder declined to comment on any role
Kaspersky may have played in the 2013 printer
code problems or any other attacks.

Reuters has no evidence linking Kaspersky to the printer code attack.

As word spread in the security industry about
the induced false positives found by Microsoft,
other companies said they tried to figure out
what went wrong in their own systems and
what to do differently, but no one identified
those responsible.

At Avast, a largely free antivirus software maker with the biggest market share in many
European and South American countries,
employees found a large range of doctored
network drivers, duplicated for different
language versions. Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and "wanted to have some fun" at the industry's expense.

He did not respond to a request on Thursday for comment on the allegation that Kaspersky had induced false positives.

WAVES OF ATTACKS

The former employees said Kaspersky Lab
manipulated false positives off and on for more
than 10 years, with the peak period between
2009 and 2013.

It is not clear if the attacks have ended, though
security executives say false positives are much less of a problem today. That is in part because security companies have grown less likely to accept a competitor's determinations as gospel and are spending more to weed out false positives.

AVG's former chief technology officer, Yuval
Ben-Itzhak, said the company suffered from
troves of bad samples that stopped after it set
up special filters to screen for them and
improved its detection engine.

"There were several waves of these samples,
usually four times per year. This crippled-
sample generation lasted for about four years.
The last wave was received at the beginning of the year 2013," he told Reuters in April.

AVG's chief strategy officer, Todd Simpson,
declined to comment on Wednesday.

Kaspersky said it had also improved its
algorithms to defend against false virus
samples. It added that it believed no antivirus
company conducted the attacks "as it would
have a very bad effect on the whole industry." "Although the security market is very
competitive, trusted threat-data exchange is
definitely part of the overall security of the
entire IT ecosystem, and this exchange must
not be compromised or corrupted," Kaspersky said.


(Reporting by Joseph Menn; Editing by Tiffany
Wu)
Semper Fidelis

[Image: SyAa0qj.png]

USMC
Nemo me impune lacessit
Reply
#2
Very interesting article IceWizard…..posting this response before reading the whole article but I would not be surprised if they also make new viruses to buy their anti-virus software, to cure it.

Hmmm wonder if I will see that when I go back and finish the article.

Very informative read, thanks Ice
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)