
Russian antivirus firm faked malware to harm rivals, say ex-employees - uptown
http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ1CR20150814
======
Rudism
I'd find this very surprising, if true. When I worked for a company that was
essentially developing malware, we were able to get ourselves whitelisted by
most anti-virus software (either by going through an automated submission
process, or outright bribery). The only one who wouldn't budge on principal,
no matter what we offered, was Kaspersky. All the others either auto-
whitelisted us when we asked or after we paid them. I gained a lot of respect
for Kaspersky for that (and lost a lot of respect for the majority of their
competitors).

~~~
nos4A2
This is interesting, because I thought Symantec was the incorruptible AV co.

~~~
SpikedCola
Have you ever used their product(s)? Given the way they used to slow PCs down
to a halt, I didn't/wouldn't trust them to do a halfway-decent job.

~~~
AmVess
Their products haven't been system hogs for a long time now. I used Norton AV
on a fairly reedy dual core Celeron (1.8 GHz) with a platter drive and it only
slowed that thing down when it was running a scheduled scan.

------
yetihehe
The whole article sounds funny.

"VirusTotal had no immediate comment."

"[...], Kaspersky denied using this technique. It said it too had been a
victim of such an attack in November 2012, when an "unknown third party"
manipulated Kaspersky into misclassifying files [...]"

"The former Kaspersky employees said Microsoft was one of the rivals [...]
They declined to give a detailed account of any specific attack."

"In a subsequent interview on Wednesday, Batchelder declined to comment on any
role Kaspersky may have played in the 2013 printer code problems or any other
attacks. Reuters has no evidence linking Kaspersky to the printer code
attack."

"Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he
suspected the offenders were well-equipped malware writers and "wanted to have
some fun" at the industry's expense. He did not respond to a request on
Thursday for comment on the allegation that Kaspersky had induced false
positives."

So, no one says it's Kaspersky, someone called "former employees" says it was,
but can't provide any example...

~~~
igravious
Not a bit coincidental that said firm seems to be the only antivirus firm in
recent memory (unless I'm mistaken) that seems to be able or willing to
uncover government-level shenanigans. No, not a bit coincidental at all.

edit: And of course this [http://www.wired.com/2015/06/kaspersky-finds-new-
nation-stat...](http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-
attack-network/) from two months ago.

First, security breach; now, an attack on their reputation?

~~~
mc32
It's also not coincidental at all that Kaspersky steers clear of exposing any
shenanigans by Moscow. I mean, Eug himself claims Russia produces not only the
best programmers but also the best exploit writers.... But surprisingly no
exposés on them.

Hmmm.

~~~
mike_hearn
Or maybe Russia just doesn't spend as much on this stuff as western
governments do.

There have been exposés by western AV firms too, but not as many and not as
good. If there was obviously Russian govt malware out there, it'd surface
sooner or later. We've seen American, Chinese, British, French, Israeli ......
seems odd that there's no Russian yet. But then I get the impression that
Russian spying is overblown anyway. They seem to mostly focus inwards these
days, or focus only on the former Soviet satellite states. USA has a much more
aggressive global agenda.

------
dbhattar
We have started seeing a lot of bad publicity and innuendo targeted toward
Kaspersky after they uncovered and published about a hacking attack against
their infrastructure in the recent past. Feels suspicious to me, especially
with comments attributed to 'former employees'.

~~~
mc32
It's great that you read these things with some suspicion, but would you use
the same suspicion when reading allegations against US or European companies?

And, their main development being done in Moscow, do you expect current
employees to stick their heads up? There aren't a lot of protections for
whistleblowers in Russia. I'm pretty sure they'd be declared traitors, if
they did reveal something like this in a formal setting.

~~~
Demiurge
How would you read them if they were coming from a Russian news source?

~~~
mc32
Always question sources... Don't just question those you don't agree with or
the top dog. Question your supporters, their motives, question the underdog
too; the underdog is the most likely to take advantage of sympathies.

------
davidu
I know this is just my $0.02, which I generally avoid... but:

I would be very skeptical of this entire article, having worked with
researchers from Kaspersky for many years. They are terrific partners and care
deeply about infosec.

Also, Kaspersky has been known in the past, which they have disclosed, for
planting red herrings in malware archives, because they accused (and were
right about) other vendors of just looking at what Kaspersky blocks and just
automatically copying it, without actually doing AV research. That's not what
they are being accused of here...

Finally, Joseph is a great journalist, but this article stinks in terms of
providing actual evidence.

------
ogurechny
There's a link to Kaspersky's forum post from 2012 floating on the net:
[http://www.anti-
malware.ru/forum/index.php?showtopic=24588&p...](http://www.anti-
malware.ru/forum/index.php?showtopic=24588&page=3#entry164300)

(Web Archive shows this topic — initially about Avast breaking Windows by
blocking tcpip.sys but turned into flame about “shitty free antiviruses”,
their lack of analytics team, and pirated software quite soon — existed in
2012.)

He explains it had been done a couple of years back to demonstrate the problem
to Computer Bild journalists. A number of executable files with “funny” code
that could not do any actual harm were made and 50% of them were added to
Kaspersky's detection list under distinctive names. Then they all were shared
on VirusTotal (and thus with other vendors). Surprisingly enough, only those
“viruses” that triggered Kaspersky Antivirus on VirusTotal started spreading
through others' databases, often with the same name. Still, there was no
article written on that for some reason. These results were later presented to
analytics and investors visiting Kaspersky's conference (Security Analyst
Summit 2012).

So what's left is to ask Computer Bild if they participated in something like
that test and/or someone who was at that conference.

------
theworstshill
Someone wants to push people off Kaspersky. Counter-intuitive as it is,
everyone in the west should use eastern (Russian/Chinese) anti-viruses and OS,
and vice versa. That way, it'll be harder for each government to abuse and spy
on their own citizens since I doubt Kaspersky entertains any request from
foreign govs.

~~~
AnimalMuppet
I don't trust my (US) government not to spy on me. But I don't trust the
Chinese or Russian government not to spy on me, either. I'm not sure that they
have my interest at heart any more than my own government does, and maybe
less.

~~~
jessaustin
I don't consider myself at much risk for being locked up because some dumbass
in a Russian "anti-terror" spy agency misinterprets a joke among friends. The
Russians don't have the only "anti-terror" spy agencies staffed by dumbasses,
however.

------
acd
This would explain incidents of other antivirus software deleting system
files. I remember this happening in the past and it now makes more sense.

"Avira Antivirus update cripples millions of Windows PCs ..." "Broken McAfee
DAT update cripples Windows workstations" "Update gone wrong. Panda antivirus
removing system files ..." "Bad BitDefender Antivirus Update Hobbles Windows
PCs ..."

Kaspersky labs has defended against US government malware so they might also
get into trouble for that.

------
Romkinson
Ex-employee here. I keep seeing articles like this one consistently getting
published like every 4 months by various media. It's funny to see how many
times the crowd can buy the same story about accusing Kaspersky in such
activity. Now you, Reuters.

------
ablation
This whole article feels very, very shaky to me. I'm no Kaspersky fan but
nothing about this feels very convincing.

------
thescrewdriver
Why does the article title lead with the nationality of the company?

~~~
enlightenedfool
It helps build a negative sentiment against those nations. That's one of the
techniques in propaganda.

~~~
varjag
In this case it's the opposite: enforcing a negative reputation of a company
based on deservedly poor reputation of its host country.

------
kazinator
This seems like fair game, and it benefits the consumer by keeping the anti-
virus people on their toes.

Kaspersky has demonstrated a weakness: that the firms copy each other's data
and blindly trust each other as well as the initial submissions. They have a
submission process for infected files which can be demonstrably abused to
inject false positives.

Also this:

> _Then, when competitors ran this doctored file through their virus detection
> engines, the file would be flagged as potentially malicious. If the doctored
> file looked close enough to the original, Kaspersky could fool rival
> companies into thinking the clean file was problematic as well._

What?? Infected files are _always_ similar to clean files. An infected MS Word
2010 still looks mostly like MS Word 2010 and is even usable as such. Knowing
clean from infected is the bread and butter of anti-virus. They are supposed
to take doctored files, and register them as malicious, while recognizing
clean ones as clean. If similarity between dirty and clean causes a false
positive, you would think that this is a fundamental problem. It shows they
are using some weak heuristics to guess that files are clean instead of, say,
strong checksums. They are guessing whether that DLL belonging to MS Word 2010
is clean or not because they have no idea what clean looks like, and Kaspersky
has shown that they can be induced to guess wrong.

A proper implementation would detect so much as a single bit difference
between a clean file and an altered one. Rather, they must be working off the
assumption that there is some minimum difference between a viable infection
and the clean file. In keeping with this, there is a database of the known
_dirty_ files only, and not of the clean reference files. Anything close to
the dirty example within some small "edit distance" is just a variation on
dirty and is declared dirty. Anything distant is either a different, unknown
form of dirty, or clean. Either way it is declared clean. If that's how things
work in an AV program, it has a weakness. Competitors should be merciless in
identifying and exposing that weakness, because that's good for the consumer
in the end.

~~~
yabun
A lot of new malware is self-modifying. In situations where this is the case
checksums lose most if not all of their value. Heuristics in such situations
are really the only viable option.

~~~
kazinator
No, I mean to know what is clean.

~~~
yabun
OK, but that's a very large data set to track - does AV software actually
do that?

------
r721
>In one technique, Kaspersky's engineers would take an important piece of
software commonly found in PCs and inject bad code into it so that the file
looked like it was infected, the ex-employees said. They would send the
doctored file anonymously to VirusTotal.

>Then, when competitors ran this doctored file through their virus detection
engines, the file would be flagged as potentially malicious. If the doctored
file looked close enough to the original, Kaspersky could fool rival companies
into thinking the clean file was problematic as well.

I don't quite understand - what about hashes? VirusTotal doesn't work as they
say it works.

~~~
striking
Hashes aren't the only thing that judges a file. Virus scanners today look for
specific portions of files that look like malicious code, either by directly
matching it or by tracing the code. Apparently some virus scanners traced too
far into other parts of the executable's code, into the legitimate portions
that are found as system components on computers today.

It's a neat attack.
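A toy scanner that shows the weakness kazinator describes above (a database of dirty samples only, plus a "close enough" heuristic) and the over-reach striking mentions, beside the known-clean hash check kazinator proposes as the fix. This is an added example, not code from the article, Kaspersky or any other vendor; the chunk-hash similarity measure and every sample file are constructed stand-ins.

```python
"""Toy model of the false-positive induction discussed above (added example,
not code from the article or any vendor). A dirty-only database that flags
anything 'close' to a known sample is contrasted with a scanner that checks a
known-clean hash allowlist first. Chunk-hash overlap stands in for real fuzzy
matching; every file here is a constructed byte string."""
import hashlib

CHUNK = 16               # similarity is measured on 16-byte chunks
SIMILARITY_THRESHOLD = 0.8

# Constructed stand-in for a legitimate system file (96 bytes, 6 chunks).
CLEAN_FILE = b"MZ\x90\x00" + b"LOADER-CODE-BLOCK-" * 5 + b"\x00\x00"
# Constructed 'bad code' overwriting chunk 3 so the other chunks still line up.
INJECTED = b"<evil-marker-16>"
assert len(INJECTED) == CHUNK
DOCTORED_FILE = CLEAN_FILE[:48] + INJECTED + CLEAN_FILE[64:]
# An unrelated clean program that shares no chunk with the doctored file.
OTHER_FILE = b"MZ\x90\x00" + b"some-other-program" * 5 + b"\x00\x00"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chunk_hashes(data: bytes) -> set:
    """Hash fixed-size chunks so two files can be compared by shared content."""
    return {sha256(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)}

def similarity(candidate: bytes, sample: bytes) -> float:
    """Fraction of the candidate's chunks also found in the sample."""
    cand, samp = chunk_hashes(candidate), chunk_hashes(sample)
    return len(cand & samp) / len(cand)

def weak_scan(file: bytes, dirty_db: list) -> bool:
    """Dirty-only database: anything near a known-dirty sample is declared
    dirty, because this scanner has no idea what clean looks like."""
    return any(similarity(file, d) >= SIMILARITY_THRESHOLD for d in dirty_db)

def hardened_scan(file: bytes, dirty_db: list, clean_hashes: set) -> bool:
    """An exact known-clean hash wins before any similarity heuristic runs."""
    if sha256(file) in clean_hashes:
        return False
    return weak_scan(file, dirty_db)

def run_demo() -> dict:
    dirty_db = [DOCTORED_FILE]            # verdict copied from VirusTotal, unanalysed
    clean_hashes = {sha256(CLEAN_FILE)}   # the vendor's own clean reference set
    return {
        "weak_flags_doctored": weak_scan(DOCTORED_FILE, dirty_db),
        "weak_flags_clean": weak_scan(CLEAN_FILE, dirty_db),  # the induced false positive
        "weak_flags_other": weak_scan(OTHER_FILE, dirty_db),
        "hardened_flags_doctored": hardened_scan(DOCTORED_FILE, dirty_db, clean_hashes),
        "hardened_flags_clean": hardened_scan(CLEAN_FILE, dirty_db, clean_hashes),
    }
```

The clean original shares five of its six chunks with the doctored copy, so the dirty-only scanner condemns it while the allowlist check clears it without touching the heuristic.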

~~~
_0ffh
> Virus scanners today look for specific portions of files that look like
> malicious code, either by directly matching it or by tracing the code.

FYI virus scanners have been doing that for ~25 years.

------
mc32
I can see if rivals were 'aping' their software, whatever that means, that Eug
might get angry. It's another thing to engage in this kind of retaliatory
behavior because not only can it lead to data loss for users caught in this
juvenile dispute but raises other grave questions about what else they might
engage in.

Most worrisome is what other unscrupulous behavior is he willing to engage in?
Is he willing to do the bidding of the motherland at the expense of the trust
customers put into the product?

~~~
JulienSchmidt
More worrisome is what CAN be done. If they don't abuse it, someone else will
eventually. Probably in a less obvious way, to hurt specific users only.

------
andrei_c
I believe it. We supported several shareware products during the period
described in the article and most of our sharewares were at some point tagged
as malware by antivirus programs - Norton Antivirus, most notably, but never
by Kaspersky.

The signatures that triggered it were in 3rd party installer code that we
used. If you think about it, it is a perfect attack method: by targeting a
shared installer, many products were made false positives with little effort.

------
huhtenberg
Ethics aside, that's pretty neat actually. That's like ordering a linkfarm SEO
package as a Xmas gift for your competitors :)

~~~
mc32
Yeah... But it's also very uncompetitive. And, more importantly, if they are
willing to engage in this behavior what other perhaps more unsavory things are
they willing to engage in?

~~~
Demiurge
Of course, this might call into question the authenticity of their recently
published research into state funded spyware. I'm sure it's just a coincidence
the anonymous sources chose to speak after a decade of silence.

------
yellowapple
The current title is misleading, and should be rephrased as "Russian antivirus
firm _accused of faking_ malware to harm rivals" (or, better yet, " _Kaspersky
accused of faking_ malware to harm rivals"). There's absolutely zero actual
evidence or examples in the article of Kaspersky doing anything, and the
article title in its current form reeks of sensationalism and click-baitiness.

Perhaps a mod should step in and cleanup the title a bit? I realize it's
technically the original, but it's still misleading.

------
LorenPechtel
It seems to me that the only people harmed by this were those who were aping
Kaspersky instead of doing their own research. How is this different than
mapmakers putting irrelevant bogus things on their maps to detect who copied
their maps?

~~~
nathanm412
If Avast is affected by this and the file is a critical system file, real
damage can be done to users' systems. McAfee had this problem five years ago.

~~~
LorenPechtel
It could be a bad thing for the user that was the victim of a copycat AV but
how is that not due to their being a copycat?

------
gweinberg
It would seem to me that an antivirus software company should guard pretty
heavily against this kind of attack, since if it works anyone could sabotage a
rival by anonymously submitting doctored versions of their software.

------
ZanyProgrammer
In addition, it ruins the reputation of Windows and PCs in general, and just
makes lives miserable for (at an absolute minimum) less tech savvy users.

------
ild
So the annoying PCMatic ads were right???

------
pppp
Title is inaccurate - the important part at the end was cut off: "- Ex-employees"

Accusation is presented as fact.

This would be a better title: "Russian antivirus firm faked malware to harm
rivals - say ex-employees"

~~~
x5n1
"disgruntled ex-employees"

~~~
chrisbennet
Snowden was a "disgruntled ex-employee". Sometimes there are good reasons to
leave a company.

~~~
vidarh
Yes, but that doesn't mean this information isn't relevant when considering
how to interpret the claims.

Especially in the absence of actual evidence.

------
rebootthesystem
Not being pedantic. I realize English isn't everyone's first language. And
then there's auto-completion on devices like iPad's that can result in
embarrassing errors.

It's "principle", not "principal". They are very different.

I see this a lot, used in the other direction, on job postings "Principle
Engineer" as opposed to "Principal Engineer".

~~~
dragonwriter
> Not being pedantic. I realize English isn't everyone's first language. And
> then there's auto-completion on devices like iPad's that can result in
> embarrassing errors.

Embarrassing errors like using "'s" to form a plural, instead of the correct
"s"?

~~~
rebootthesystem
Yup.

Done intentionally to see how quickly my helpful comment would find
someone looking for a way to take me down. I figured it was easier to just
offer-up three errors and get it over with.

Yes, there are two more you missed.

------
JanSolo
Isn't it a breach of trust for a protector-against-malware to also be a
producer-of-malware?

I'd certainly reconsider my Kaspersky license if I had one.

~~~
kybernetyk
>I'd certainly reconsider my Kaspersky license if I had one.

Well, giving ring 0 access to security software made by a company that is very
near to a "not so friendly" state would worry me more than the fact that they
play dirty with competition.

