Russian anti-malware firm Dr.Web tested rivals to see if they blindly accepted malware reports shared through cross-industry intelligence systems like Kaspersky Lab, according to investigative reporter Brian Krebs. However, Dr.Web stopped short of using services such as VirusTotal to trip up rivals, the focus of fiercely contested allegations against Kaspersky Lab.
Two articles by Reuters charged Kaspersky Lab with turning this exercise to mendacious ends by faking malware to harm rivals. Kaspersky Lab has strenuously denied the charges, as previously reported.
Reuters' accusations are based largely on the testimony of two anonymous, former Kaspersky Lab employees who alleged that workers were assigned to reverse engineer the virus detection software of rivals in order to figure out how to trick their technology into flagging up benevolent files as potentially malign – creating huge problems for customers of the affected firms in the process.
Such false positives are a well-known Achilles’ heel of anti-malware scanners, which still rely in part on signature detection. The trick is akin to giving sniffer dogs the false scent of a suspect, doctored in such a way that they go after passers-by. Leaked emails supposedly sent by Eugene Kaspersky in 2009 talked about “rubbing out” rivals, Reuters reported in a follow-up story.
Anti-malware tools from Microsoft, AVG and Avast were targeted for sabotage between 2009 and 2013.
Kaspersky openly complained about copycats in the security biz via a high-profile experiment involving VirusTotal back in 2010. The Russian security software firm denies it moved past shaming without naming onto sabotage after rivals failed to change their business practices.
Part of Kaspersky Lab’s defence is that it was itself manipulated into misclassifying harmless files from Mail.ru and the Steam gaming platform as malicious back in November 2012. One of the few points all parties seem to agree on is that an unknown source was uploading bad files to VirusTotal in 2012, something that led to closed-door meetings between rival vendors at the VB Conference in Berlin in October 2013.
Dr.Web chief exec Boris Sharov told Krebs that the firm submitted clean but modified files to anti-virus testing labs in an experiment three years ago. Within days, up to half of its rivals' antivirus products detected the clean files as malicious. He suggested the firms that went awry had failed to invest sufficiently in quality assurance and whitelisting of benign files.
“If you carry out your own analysis of each file you will never be fooled like this,” Sharov said about the testing experiments run by both Dr.Web and Kaspersky Lab. “Some products prefer just to look at what others are doing, and they are quite successful in the market, much more successful than we are. We are not mad about it, but when you think how much harm it could bring to customers, it’s quite bad really.”
The experiments run by both Dr.Web and Kaspersky Lab happened against the backdrop of a long-running row about anti-virus comparison tests.
Simon Edwards, technical director at Dennis Technology Labs, an experienced antivirus tester and chairman of the Anti-Malware Testing Standards Organization, remains sceptical about allegations of anti-virus companies sabotaging each other’s products.
"It would not surprise me to learn that anti-malware companies perform experiments to assess whether or not competitors are stealing their IP in the form of signatures," Edwards told El Reg. "In fact I have sat there while a vendor ran such an experiment to prove that her competitor was blindly stealing her company's intellectual property."
"I would, however, be surprised to see convincing evidence that these companies, which face an extraordinary challenge in defeating a nearly constant tsunami of malware, were engaged in sabotaging each other," he added.
Edwards pointed out that security software makers have been sharing threat data with each other for years.
"The malware challenge is so great that there have for many years been sophisticated systems in place that allow them to share malware samples and other useful metadata," Edwards explained. "Of course, these can be abused to corrupt the databases of unethical competitors and to game tests."
"The problem that has been highlighted by recent allegations is that such experiments (or sabotage campaigns) could potentially annoy users. This, in turn, could cause them to either change their anti-malware product or, worse, stop using one," he concluded.
VirusTotal, a service owned by Google that allows anyone to upload suspicious files, aggregates data and shares information with security firms. The service aims to help internet hygiene by flagging up instances where security vendors have not yet detected particular malware samples. ®