Kaspersky Lab denies tricking AV rivals into nuking harmless files

Kaspersky Lab deliberately fed bogus malware to its rivals to sabotage their antivirus products, two anonymous former employees allege. Kaspersky says the accusations are false.

Reuters reported today that two ex-Kaspersky engineers claim they were tasked with tricking competing antivirus into classifying benign executables and other files as malicious. Anti-malware tools from Microsoft, AVG and Avast were targeted, apparently.

It's irritating for computer users if an antivirus package starts marking harmless files as malign – known as a false positive – and deletes them or shoves them into a quarantine. It's bad news if those files turn out to be operating system resources, as it will leave machines unstable, unusable or even unbootable. Such incidents are by no means uncommon across the security industry, and when they happen people and enterprises alike suffer all sorts of inconvenience.

The accusation goes that Kaspersky Lab fed false positives into rival products via VirusTotal. Anyone can upload files to VirusTotal, which runs the data through a collection of antivirus packages and reports which products were able to detect any malware, if present. According to VirusTotal, it "helps antivirus labs by forwarding them the malware they fail to detect."

"Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products," the website, which is owned by Google, adds. "We do this because we believe it will eventually lead to a safer Internet and better end-user protection."

It is claimed Kaspersky engineers took harmless Windows operating system files, manipulated them to appear as though they contained malware, and uploaded them to VirusTotal. The aim was to deceive non-Kaspersky antivirus engines into treating those system files as dangerous, and removing or disabling them on customers' PCs. Of course, Kaspersky's antivirus would know not to touch those programs.

We're told this was carried out as a reprisal attack: it's claimed execs at the Russian antivirus biz were furious that smaller rivals were ripping off its malware signature definitions, perhaps without contributing much themselves to the industry's pool of shared malware samples.

Techies in the infosec world have long passed around virus samples between each other. As the years have gone on, and the volume of Windows malware has soared past the 10 million mark, malware sample exchange is highly automated, which Kaspersky allegedly exploited.

Damaging the reputation of rivals, enhancing that of Kaspersky Lab by comparison, may also have played a part in prompting Kaspersky to turn to the dark side, allegedly. "It was decided to provide some problems for rivals", one ex-employee said. "It is not only damaging for a competing company but also damaging for users' computers."

A small team at the Russian firm was supposedly given weeks to reverse-engineer competitors' malware detection software to figure out how it worked before sabotaging it. Kaspersky allegedly tried generating false positives for years, peaking between 2009 and 2013. The Reuters report is based not just on the word of two form Kaspersky workers, but on conversations with representatives of the affected security software firms complaining that something was amiss.

Kaspersky complained openly about copycats in the industry through a high profile experiment involving VirusTotal back in 2010¹. The Russian security software firm denies it took this further towards sabotage after rivals failed to change their business practices.

In a statement, Kaspersky denied any wrongdoing, and blamed disaffected former workers for spreading false rumors.

Contrary to allegations made in a Reuters news story, Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and illegal.

Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false. As a member of the security community, we share our threat intelligence data and IOCs on advanced threat actors with other vendors, and we also receive and analyze threat data provided by others. Although the security market is very competitive, trusted threat data exchange is a critical part of the overall security of the entire IT ecosystem, and we fight hard to help ensure that this exchange is not compromised or corrupted.

The Russian biz went on to state that it was itself manipulated into misclassifying harmless files from Mail.ru and the Steam gaming platform as malicious back in November 2012.

"In 2012, Kaspersky Lab was among the affected companies impacted by an unknown source uploading bad files to VirusTotal, which led to a number of incidents with false-positive detections," the statement continued. "To resolve this issue, in October 2013, during the VB Conference in Berlin there was a private meeting between leading antivirus vendors to exchange the information about the incidents, work out the motives behind this attack and develop an action plan. It is still unclear who was behind this campaign."

Problems inherent in the greater automation of virus detection were discussed during a presentation at the 2013 Virus Bulletin conference, the slides of which are here [slides PDF]. ®

Bootnote

¹Kaspersky had this to say about the controversial VirusTotal experiment.

"In 2010, we conducted a one-time experiment uploading only 20 samples of non-malicious files to the VirusTotal multi-scanner, which would not cause false positives as these files were absolutely clean, useless and harmless," it said.

"After the experiment, we made it public and provided all the samples used to the media so they could test it for themselves. We conducted the experiment to draw the security community’s attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity (behaviour)."