Kaspersky Lab denies tricking AV rivals into nuking harmless files

Russian biz allegedly tried to hoodwink competitors with legit Windows executables

Kaspersky Lab deliberately fed bogus malware to its rivals to sabotage their antivirus products, two anonymous former employees allege. Kaspersky says the accusations are false.

Reuters reported today that two ex-Kaspersky engineers claim they were tasked with tricking competing antivirus into classifying benign executables and other files as malicious. Anti-malware tools from Microsoft, AVG and Avast were targeted, apparently.

It's irritating for computer users if an antivirus package starts marking harmless files as malign – known as a false positive – and deletes them or shoves them into a quarantine. It's bad news if those files turn out to be operating system resources, as it will leave machines unstable, unusable or even unbootable. Such incidents are by no means uncommon across the security industry, and when they happen people and enterprises alike suffer all sorts of inconvenience.

The accusation goes that Kaspersky Lab fed false positives into rival products via VirusTotal. Anyone can upload files to VirusTotal, which runs the data through a collection of antivirus packages and reports which products were able to detect any malware, if present. According to VirusTotal, it "helps antivirus labs by forwarding them the malware they fail to detect."

"Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products," the website, which is owned by Google, adds. "We do this because we believe it will eventually lead to a safer Internet and better end-user protection."

It is claimed Kaspersky engineers took harmless Windows operating system files, manipulated them to appear as though they contained malware, and uploaded them to VirusTotal. The aim was to deceive non-Kaspersky antivirus engines into treating those system files as dangerous, and removing or disabling them on customers' PCs. Of course, Kaspersky's antivirus would know not to touch those programs.

We're told this was carried out as a reprisal attack: it's claimed execs at the Russian antivirus biz were furious that smaller rivals were ripping off its malware signature definitions, perhaps without contributing much themselves to the industry's pool of shared malware samples.

Techies in the infosec world have long passed around virus samples between each other. As the years have gone on, and the volume of Windows malware has soared past the 10 million mark, malware sample exchange is highly automated, which Kaspersky allegedly exploited.

Damaging the reputation of rivals, enhancing that of Kaspersky Lab by comparison, may also have played a part in prompting Kaspersky to turn to the dark side, allegedly. "It was decided to provide some problems for rivals", one ex-employee said. "It is not only damaging for a competing company but also damaging for users' computers."

A small team at the Russian firm was supposedly given weeks to reverse-engineer competitors' malware detection software to figure out how it worked before sabotaging it. Kaspersky allegedly tried generating false positives for years, peaking between 2009 and 2013. The Reuters report is based not just on the word of two form Kaspersky workers, but on conversations with representatives of the affected security software firms complaining that something was amiss.

Kaspersky complained openly about copycats in the industry through a high profile experiment involving VirusTotal back in 20101. The Russian security software firm denies it took this further towards sabotage after rivals failed to change their business practices.

In a statement, Kaspersky denied any wrongdoing, and blamed disaffected former workers for spreading false rumors.

Contrary to allegations made in a Reuters news story, Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and illegal.

Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false. As a member of the security community, we share our threat intelligence data and IOCs on advanced threat actors with other vendors, and we also receive and analyze threat data provided by others. Although the security market is very competitive, trusted threat data exchange is a critical part of the overall security of the entire IT ecosystem, and we fight hard to help ensure that this exchange is not compromised or corrupted.

The Russian biz went on to state that it was itself manipulated into misclassifying harmless files from Mail.ru and the Steam gaming platform as malicious back in November 2012.

"In 2012, Kaspersky Lab was among the affected companies impacted by an unknown source uploading bad files to VirusTotal, which led to a number of incidents with false-positive detections," the statement continued. "To resolve this issue, in October 2013, during the VB Conference in Berlin there was a private meeting between leading antivirus vendors to exchange the information about the incidents, work out the motives behind this attack and develop an action plan. It is still unclear who was behind this campaign."

Problems inherent in the greater automation of virus detection were discussed during a presentation at the 2013 Virus Bulletin conference, the slides of which are here [slides PDF]. ®


1Kaspersky had this to say about the controversial VirusTotal experiment.

"In 2010, we conducted a one-time experiment uploading only 20 samples of non-malicious files to the VirusTotal multi-scanner, which would not cause false positives as these files were absolutely clean, useless and harmless," it said.

"After the experiment, we made it public and provided all the samples used to the media so they could test it for themselves. We conducted the experiment to draw the security community’s attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity (behaviour)."

Similar topics

Other stories you might like

  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading
  • Cloud security unicorn cuts 20% of staff after raising $1.3b
    Time to play blame bingo: Markets? Profits? Too much growth? Russia? Space aliens?

    Cloud security company Lacework has laid off 20 percent of its employees, just months after two record-breaking funding rounds pushed its valuation to $8.3 billion.

    A spokesperson wouldn't confirm the total number of employees affected, though told The Register that the "widely speculated number on Twitter is a significant overestimate."

    The company, as of March, counted more than 1,000 employees, which would push the jobs lost above 200. And the widely reported number on Twitter is about 300 employees. The biz, based in Silicon Valley, was founded in 2015.

    Continue reading
  • Talos names eight deadly sins in widely used industrial software
    Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)

    A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

    The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

    Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

    Continue reading

Biting the hand that feeds IT © 1998–2022