Slashdot Mirror

← Back to Stories (view on slashdot.org)

Former Employees Accuse Kaspersky Lab of Faking Malware

Posted by Soulskill on from the poisoning-the-rival-well dept.

An anonymous reader writes: Reuters reports that two former employees of Moscow-based Kaspersky Lab faked malware to damage the reputations of their rivals. The alleged campaign targeted Microsoft, AVG, Avast, and others, tricking them into classifying harmless files as viruses. The ex-employees said co-founder Eugene Kaspersky ordered some of the attacks as retaliation for emulating his software. The company denied the allegations, and Kaspersky himself reiterated them, adding, "Such actions are unethical, dishonest and their legality is at least questionable." The targeted companies had previously said somebody tried to induce false positives in their software, but they declined to comment on the new allegations. "In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal." The alleged attacks went on for more than 10 years, peaking between 2009 and 2013.

47 of 90 comments (clear)

  1. Re:Free alternatives? by idbeholda · · Score: 5, Interesting

    http://tot-ltd.org/techinf.htm...

    Project I've been working on for the past 15 years. Take it or leave it.

  2. Re:Free alternatives? by TWX · · Score: 2

    There don't seem to be very many good free alternatives other than microsoft's default package. I've wondered if it's possible for me to make my own security system, but I've never given it a good amount of thought.

    If classification is the name of the game, couldn't you use some machine learning techniques based on what malware does and write your own classifier?

    If I remember right Thunderbyte Antivirus did something much like that. At some point Thunderbyte was bought-out and I honestly have no idea what happened after that.

    In my opinion, the best approach for malware that is pulled-in by the user is to restrict what the user can do to the computer. Yes, that means annoying issues installing software such that a privileged account has to be logged into, but it also means that if the user makes serious mistakes the solution is to back up their non-executable data, delete their account and its files, and recreate and restore the data.

    On all of my Windows boxes I set up the user to have only minimal permissions. I reserve administrative functions for an admin account.

    --
    Do not look into laser with remaining eye.
  3. Anti-Virus Companies All Suck by Frosty+Piss · · Score: 4, Insightful

    It would not surprise me if *ALL* so-called antivirus software companies did this, with very few exceptions.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Anti-Virus Companies All Suck by U2xhc2hkb3QgU3Vja3M · · Score: 1

      You know, Burke, I don't know which species is worse. You don't see them fucking each other over for a goddamn percentage. - Ripley

    2. Re:Anti-Virus Companies All Suck by invictusvoyd · · Score: 1

      It would not surprise me if *ALL* so-called antivirus software companies did this, with very few exceptions.

      What ?!! don't you know that " Such actions are unethical, dishonest and their legality is at least questionable " ?

    3. Re: Anti-Virus Companies All Suck by Redbehrend · · Score: 1

      Every year it's about one of them doing something similar. I love kaspersky, why you ask? It finds what others don't, it's developed in the wild west where everyone hacks everyone aka Russia. So you know it's better than our stuff and I have yet seen a kgb type exploit exposed and used by 3rd parties unlike our (us and gov) exploits that are found and used all the time by hackers. You also hear results from it example " all the computers but the kaspersky and bitdender, etc... computers got the virus" when I talk to security professionals about rare outbreaks. For the average consumer I think it's a great value. P.S. I never got why everyone loves Microsoft anti-virus, crap gets by all the time I should know I have to fix it.

    4. Re: Anti-Virus Companies All Suck by rtb61 · · Score: 1

      Finding computer virii that others don't can also be pretty suspicious. That obvious have copies of each others software and they obviously are quite capable of coding computer virii, in fact they all claim to know more about them than anyone else. So crafting one to get past the competition and infect as many computers as possible would be one of the best possible marketing strategies.

      Not that I would suspect Kapersky Labs ahead of the others. I would honestly place all software security companies in the same category as inherently suspicious in their behaviour. They require crime and corruption to survive and grow in order for them to survive and grow, solve the security problem and they are right out of business, continue to treat the symptoms without curing the problem means profits forever. The only real solution to security has to come from FOSS because for FOSS it is nothing but a cost burden, solve security and they save money.

      --
      Chaos - everything, everywhere, everywhen
  4. Re:Free alternatives? by znrt · · Score: 2

    There don't seem to be very many good free alternatives other than microsoft's default package.

    at risk of stating the obvious ... er ... linux? :)

    I've wondered if it's possible for me to make my own security system, but I've never given it a good amount of thought.

    it's possible. it's also hard. start giving it some good amount of thought and stop making yourself a target by using the 'default package'. it will be easier from there ...

  5. Why would this be bad? by xxxJonBoyxxx · · Score: 1

    >> chief task was to reverse-engineer competitors' virus detection software to figure out how to fool them into flagging good files as malicious

    Why is this a bad thing? This is pretty much what a large chunk of the "grey hatter" world does on a regular basis (figure out how to trick AV). Shouldn't we be cheering on a little AV-on-AV competition instead of letting them all group-think themselves into a pool of mediocre results?

    (This is also why running different AV engines in your network has generally been a good defense-in-depth measure in the past...I don't WANT them all to agree.)

    1. Re:Why would this be bad? by Anonymous Coward · · Score: 1

      AV companies are supposed to be the "good guys" working towards "making the world a safer place". They have an image to maintain.

      Their software runs with full privileges on millions of computers and is permanently connected to the Internet.
      If they turn out to be your run-of-the-mill evil company run by rotten people, then how could you possibly trust them to protect you?

      I don't want Kaspersky's crap anywhere near my machines if they can't even be trusted to cooperate with their own colleagues.

    2. Re:Why would this be bad? by xxxJonBoyxxx · · Score: 2

      >> run-of-the-mill evil company run by rotten people

      I didn't realize Symantec or Trend micros were a good companies run by nice people. Maybe McAfee could be a character witness for them. :)

      >> how could you possibly trust them to protect you?

      If a "security" company doesn't have the technical expertise to figure out the difference between real and fake viruses (as it seems a number of these companies couldn't), I'm not sure how much protection they're offering anyway. I guess I'd rather watch the egress traffic from the software of the the technically-savvy company than sleep knowing I got my AV software from the brightly-colored company who bought me a steak dinner at the conference.

    3. Re:Why would this be bad? by quantaman · · Score: 1

      >> chief task was to reverse-engineer competitors' virus detection software to figure out how to fool them into flagging good files as malicious

      Why is this a bad thing? This is pretty much what a large chunk of the "grey hatter" world does on a regular basis (figure out how to trick AV). Shouldn't we be cheering on a little AV-on-AV competition instead of letting them all group-think themselves into a pool of mediocre results?

      (This is also why running different AV engines in your network has generally been a good defense-in-depth measure in the past...I don't WANT them all to agree.)

      Because those files belonged to end users, Kaspersky was using their competitors' software as malware.

      --
      I stole this Sig
    4. Re:Why would this be bad? by cdrudge · · Score: 3, Insightful

      Because it's not a little AV-on-AV competition. Competition is when companies push each other to try to improve their product over the others, not purposefully throwing more hurdles in the way of the competitor.

      If they did what was accused, they maliciously submitted false information that would be shared around the industry because they knew the competition would detect it as an infected file. It didn't improve Kaspersky's accuracy, nor did it help the accuracy of anyone else's scanner detecting real threats. It only resulted in competitors looking bad for false positives, and having to spend additional efforts filtering samples.

    5. Re:Why would this be bad? by TechyImmigrant · · Score: 1

      They are not simply doing research on competing AV. They were posting, anonymously, common files to blacklists like VirusTotal. They chose files that would cause the system to crash if removed. So then other AV software, that didn't know about these fake entries in the blacklist, would break people's computers. This was very sinister, and not the first time an anti-virus company has been caught proliferating damaging software. They are harming people's computers just to make their competitors look bad. It's astonishing they would do this considering how much harm they did to everyone, and how little good they did for themselves.

      An OS based AV should have white list signatures for essential OS files. This attack shouldn't be a problem if the host has defense in depth.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    6. Re:Why would this be bad? by rch7 · · Score: 2

      How dumb it would be to trust KGB guys to do anything in your computer in the first place?
      "There is no such thing as a former KGB man" - V. Putin. They all cooperate with their authorities. Even if somebody would not want, they are obliged to do that if they want to do business in Russia and stay alive.

    7. Re:Why would this be bad? by CohibaVancouver · · Score: 1

      They have an image to maintain.

      Kaspersky is run by ex-KGB men. What would possibly go wrong?

      (Yeah, yeah. I know here on Slashdot the NSA and CIA are one-thousand times worse than the KGB and GRU ever were, but spare me.)

    8. Re:Why would this be bad? by TheRealQuestor · · Score: 1

      >> run-of-the-mill evil company run by rotten people

      I didn't realize Symantec or Trend micros were a good companies run by nice people. Maybe McAfee could be a character witness for them. :)

      >> how could you possibly trust them to protect you?

      If a "security" company doesn't have the technical expertise to figure out the difference between real and fake viruses (as it seems a number of these companies couldn't), I'm not sure how much protection they're offering anyway. I guess I'd rather watch the egress traffic from the software of the the technically-savvy company than sleep knowing I got my AV software from the brightly-colored company who bought me a steak dinner at the conference.

      There is no McAfee any longer. It is now Intel Security.

      I actually find Bitdefender Free to be a better alternative to Micrososft's free package. It's about as light weight and finds stuff MS's misses. And it's free.

    9. Re:Why would this be bad? by AaronW · · Score: 1

      That was one reason I chose to use Kaspersky. Once my license expires... never again. With all the crap coming out of Russia I don't think I'd go with them again anyway. Almost all of the spam RBL hits on my mail server are from Russia, the rest are from China. I wish I could just firewall off both countries.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  6. Ad blockers are the new anti-virus. by Anonymous Coward · · Score: 1

    If you could only install one you'd be better off installing an ad blocker than an anti-virus product.

    People telling you different are trying to sell you something :)

    1. Re:Ad blockers are the new anti-virus. by U2xhc2hkb3QgU3Vja3M · · Score: 2

      People telling you different are trying to sell you something :)

      Maybe they are, but I'm not seeing their messages!

    2. Re:Ad blockers are the new anti-virus. by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I would like to subscribe to your newsletter but only if this HOSTS FILES thingy is moocow approved, because we're all cows.

    3. Re:Ad blockers are the new anti-virus. by Anonymous Coward · · Score: 1

      My HOSTS file is a symbolic link to my rainbow tables database of every word, ever.

    4. Re:Ad blockers are the new anti-virus. by Zontar+The+Mindless · · Score: 1

      My hosts file is a symbolic link to an image of Natalie Portman covered in hot grits, holding a copy of Lotus Notes and a machine gun.

      --
      Il n'y a pas de Planet B.
  7. Re:Free alternatives? by sims+2 · · Score: 1

    Thanks ill give it a try next time I run across an infected system.

    --
    Minimum threshold fixed. Thanks!
  8. FUD... by Anonymous Coward · · Score: 2, Insightful

    ... with how rotten companies are these days you can never tell if its a genuine issue or some other competitor running a smear campaign.

    Either way there's no perfect AV software and as always the arms race will continue.

  9. Re: Free alternatives? by corychristison · · Score: 1

    In regards to Thunderbyte, they were acquired by Norman ASA (www.norman.com). In 2014, Norman ASA was acquired by AVG.

  10. Re:Is this really a good strategy? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    Second reality (no, not the one from Future Crew):
    "Wow Kaspersky are fucking assholes, I'm not going to use their software anymore."

  11. Re:Is this really a good strategy? by Vlad_the_Inhaler · · Score: 2

    You are missing the point, and it was even in the article.
    Those false positives occasionally led to vital Windows components being quarantined, I remember a reboot loop caused this way.

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  12. Re:Moscow-based by U2xhc2hkb3QgU3Vja3M · · Score: 1

    If they really wanted to point it out, they would have made a link to Google Maps.

  13. Re:Free alternatives? by Ungrounded+Lightning · · Score: 3, Insightful

    There don't seem to be very many good free alternatives other than microsoft's default package.

    Signature-based anit-malware solutions require an industrial-scale operation to identify new threats and add them to the signatures. That's very costly: Those workers have to eat, so they have to be paid somehow.

    Since Microsoft is pretty much the only company with a revenue stream that is substantially improved by protecting Microsoft systems generally, it is similarly pretty much the only operation that can profit by spending such industrial-scale money deploying new defences "for free".

    But there are still a few who find ways to make it possible. One of the best after-infection malware-removal tools out there is Malwarebytes. They distribute a stripped-down, manually-operated, nagware version of their product for free, in the hopes that you'll subscribe to the full-function version (to get additional functionality, including automated scheduled execution, and/or spare your attention from constantly closing their popups that covered your working window. B-) )

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  14. Re:Free alternatives? by dcollins117 · · Score: 3

    A hacker can really screw with someone without elevating to admin. All the juicy stuff is in the user accounts anyway. In a few seconds they can get your financial information, passwords, email contacts, the screenplay you're working on, any photos of an adult nature that happen to be there...

    In contrast, the admin account is quite dull. You already know what's on that. I get the point that once you get admin you can install your badware and stick around for a while, but once you've got all the really good stuff is in the user accounts why bother.

  15. Ethics? by Anonymous Coward · · Score: 1

    "Such actions are unethical, dishonest and their legality is at least questionable."

    Remember Enron? Yeah, what they did was somewhat unethical as well. Remember the subprime crisis? Plenty of ethically shady bankers in that as well. Stop pretending you care at all, because you don't. You only have to appear like you didn't know for PR reasons.

    1. Re:Ethics? by tnk1 · · Score: 2

      He may or may not know.

      What is important is that he has responsibility for the actions of his company. He will need to show without a shadow of a doubt that this was a totally rogue action that was not at all encouraged by their company directives OR their culture.

      It is possible that there was one guy or a group of folks who did this on their own completely against the policies and the implied culture of Kaspersky Labs. If so, then maybe he's not responsible.

      However, it's hard to believe that someone would do this without at least a cultural acceptance of these sorts of actions inside the company. You need to ensure that you have ethical people working for you, and that you make it very clear that this sort of thing is NOT accepted and certainly not rewarded. And the leadership should be asking questions, and not encouraging a "plausible deniability" atmosphere of "anything goes as long as they can't pin it to me".

      So yeah, the company may not be responsible, but it won't simply be a matter of whether Eugene Kaspersky gave an order to do it. It may be that Kaspersky Labs is staffed by people who are unethical or are encouraged to be unethical. In which case, they may not be legally liable, but they should certainly become pariahs.

  16. Provably impossible by Ungrounded+Lightning · · Score: 3, Interesting

    ... where you analyze the executable and then based off that determine if it's malicious or not.

    That's provably impossible. It's trivial to convert it to the halting problem.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Provably impossible by TechyImmigrant · · Score: 3, Funny

      ... where you analyze the executable and then based off that determine if it's malicious or not.

      That's provably impossible. It's trivial to convert it to the halting problem.

      They worked that out centuries ago when securing castles. That's why the guards shout "Halt! Who goes there?"

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  17. Re:Is this really a good strategy? by Anonymous Coward · · Score: 1

    Antivirus software demands permission to run as root so it can properly quarantine and delete infected files that are modified or added by malicious software running as administrator (which gets that right by either manipulating the users, or a privilege escalation script). At this level of permission, no OS has OS/app separation.

  18. Re:Moscow-based by Infiniti2000 · · Score: 2

    Why not? Microsoft is noted as the "Redmond, Washington-based company." When legality is in question, it's critical to know where the companies are based. What is legal in Russia is very different than what's legal in the U.S., or even Washington state.

  19. Re:Free alternatives? by snookiex · · Score: 1

    Some obscure group of dudes that call themselves "Temple of Transgression" and develop an antivirus (ok, ok, only the frontend) in VB6 are fighting hard for not being taken seriously.

    Why is TT Livescan written in VB6, instead of another programming language? VB6 is still widely used, just like most other programming languages. In terms of development, VB6 is geared towards rapid GUI development. Combined with the fact that most of our coding is designed to be as efficient as possible, VB6 is the best option. Shortly before 32-bit support is to be phased out for Windows, we will make a new version available. It will most likely be written in Delphi.

    And no, I didn't know "VTE Virus Scanner".

    --
    Open Source Network Inventory for the masses! Kuwaiba
  20. Re:Free alternatives? by idbeholda · · Score: 1

    And if you actually read further, you'll notice a few URLs listed.

    http://tot-ltd.org/blacklist/
    http://tot-ltd.org/whitelist/
    http://tot-ltd.org/files-wl/
    http://tot-ltd.org/installatio...
    http://tot-ltd.org/ports
    http://tot-ltd.org/API
    http://tot-ltd.org/packer.db

  21. Re:Free alternatives? by idbeholda · · Score: 1

    No, leave that to Terry Davis. Besides, any sane person knows that next to L Ron Hubbard and HP Lovecraft, King James was the greatest fiction writer of all time.

  22. Re:The summary is a mess by CohibaVancouver · · Score: 1

    The summary is a mess

    Then read the effing linked Reuters article. It's pretty clear.

  23. No, can't DIY for actual antivirus. But ... by raymorris · · Score: 1

    DIY _really_ isn't an option for anti-virus. You can get some protection by having good backups, good host security such as SELinux, and maybe even a host-based IDS similar to Tripwire watching for any changes, but AV (scanning files looking for potentially malicious ones) is a big, big job. Lots of things are DIY, but AV isn't one of them.

    I just started work for a company that does something related. We have a full time TEAM of people just entering new threats all day long. Another team maintains the backend of the engine, and another team does the GUI - all full-time. Plus some man-hours to maintain the systems used to find and enter vulnerabilities, source control systems, the test network, WA, etc. With 20-30 full time developers, you can have something roughly as effective as one of the major brands after several years of development effort.

  24. Re:Free alternatives? by mattb47 · · Score: 1

    Microsoft Security Essentials / Windows Defender has been falling behind for years now. It used to be pretty good. But now, it unfortunately doesn't catch a lot newer malware. Microsoft dropped the ball and stopped putting the proper R&D into their product.

    Bitdefender Free is my new favorite these days:
    http://www.bitdefender.com/sol...

    Fast, effective, and low impact. Bitdefender Free is not free for commercial use, however. And they don't have a free version that support Windows 10 yet. Bitdefender scores at or near the top in most AV comparison tests for malware detection.

    Best free commercial AV is Avast for Business:
    https://www.avast.com/avast-fo...

    Not quite as low-impact as Bitdefender, and not quite as effective, but it's OK. I've used Avast for years as well. (It used to be my standard free AV, and I still use it on some systems.) Their free business AV is basically their paid AV business product stripped down to just AV, not firewalls, and anti-spam, and other cruft. The Windows firewall is just fine these days, and is you have a decent mail server spam isn't a problem. (And there are other decent free anti-spam products, like Cloudmark Desktop One.) So a plain-old just-AV product is fine with me. Includes a cloud-based console system as well, so you can centrally keep track of your AV clients -- which is GREAT for a free product.

    Good luck!

  25. Re:Free alternatives? by idbeholda · · Score: 1

    "What versions of Windows will TT Livescan run under? Windows 98 through Windows 10."

    I don't see anyone clamoring to pay my bills either, so I'm not really inclined to care what I use beyond notepad.

  26. Absolute FUD by Anonymous Coward · · Score: 1

    Kaspersky is one of the only anti-virus you can trust. And the best at detecting malware.

    I know for certain, from a McAfee employee, that they collect info in the telemetry for NSA. This is done in the consumer's version of the software, and can be disabled only for corporations.

  27. "Dilbert" or John Dvorak or someone else suggested by eric_harris_76 · · Score: 1

    Anti-virus companies could (or have an incentive to) create virus-infected software and release it into the world, and then come up with detection for them faster then their competitors.

    Don't recall if it was a joke, speculation, or a vague accusation, much less who made it. (It was years ago.)

    So this claim seems more than a little familiar.

    --
    There's no time like the present. Well, the past used to be.
  28. Re:Free alternatives? by donak · · Score: 1

    I've been using MalwareBytes (as suggested above) then installing Comodo Internet Security http://comodo.com/ (free for personal use) if needed, and finally CCleaner from Piriform http://piriform.com/ to rescue peoples PCs after disaster has struck.
    I'm thinking of making it a standard "pack" of software for anyone who asks at the Library where I volunteer.

    --
    Don't blame me, it's usually 2 in the morning when I post ...