Former Employees Accuse Kaspersky Lab of Faking Malware
An anonymous reader writes: Reuters reports that two former employees of Moscow-based Kaspersky Lab faked malware to damage the reputations of their rivals. The alleged campaign targeted Microsoft, AVG, Avast, and others, tricking them into classifying harmless files as viruses. The ex-employees said co-founder Eugene Kaspersky ordered some of the attacks as retaliation for emulating his software. The company denied the allegations, and Kaspersky himself reiterated the denial, adding, "Such actions are unethical, dishonest and their legality is at least questionable." The targeted companies had previously said somebody tried to induce false positives in their software, but they declined to comment on the new allegations. "In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal." The alleged attacks went on for more than 10 years, peaking between 2009 and 2013.
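The technique in the summary works against engines that extract signatures from a shared sample without first asking whether the sample is a known-good file with something spliced in. The Python below is an added example (it is not code from the article, from Kaspersky, or from any of the vendors named): it builds a constructed stand-in for a benign system file, splices in the EICAR test string the way the ex-employees describe, and shows that a naive auto-extracted signature hits the pristine file while a signature derived only from the injected bytes does not. The file bytes, the hash allowlist and the offsets are all assumptions made for the demonstration.

```python
"""Doctored-sample poisoning of signature extraction, and the known-good check
that defeats it.  All bytes below are constructed for the example; the "benign
file" is a stand-in, not a real Windows component."""
import hashlib
from typing import Dict, List, Optional

# Constructed stand-in for a benign, widely deployed system file.
BENIGN_FILE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"KERNEL32.dll GetProcAddress LoadLibraryA CreateFileW WriteFile\x00" * 3
    + b"\x00" * 32
)

# EICAR test string: harmless by design, detected by every engine by convention.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash-keyed allowlist of known-good files (the role vendor or NSRL-style lists play).
KNOWN_GOOD: Dict[str, bytes] = {sha256_hex(BENIGN_FILE): BENIGN_FILE}


def doctor(benign: bytes, payload: bytes, offset: int) -> bytes:
    """The trick from the article: splice a detectable payload into a benign file."""
    return benign[:offset] + payload + benign[offset:]


def naive_signature(sample: bytes, start: int = 16, length: int = 24) -> bytes:
    """Careless auto-extraction: take a fixed window from a sample that was flagged.
    If the window lands on benign bytes, the signature will hit the pristine file."""
    return sample[start:start + length]


def isolate_injection(sample: bytes, known_good: Dict[str, bytes]) -> Optional[bytes]:
    """If sample is a known-good file with one contiguous blob inserted, return the blob."""
    for original in known_good.values():
        extra = len(sample) - len(original)
        if extra <= 0:
            continue
        p = 0                                   # length of the common prefix
        while p < len(original) and sample[p] == original[p]:
            p += 1
        candidate = sample[p:p + extra]
        # Removing the candidate must give back the original byte for byte.
        if sample[:p] + sample[p + extra:] == original:
            return candidate
    return None


def careful_signature(sample: bytes, known_good: Dict[str, bytes]) -> Optional[bytes]:
    """Never sign a known-good file; sign only the bytes that differ from it."""
    if sha256_hex(sample) in known_good:
        return None                             # pristine file: refusing is the whole point
    injected = isolate_injection(sample, known_good)
    if injected is not None:
        return injected[:32]                    # signature covers only the foreign bytes
    return naive_signature(sample)              # unknown file: fall back, flag for review


def scan(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Minimal substring scanner: names of the signatures that match."""
    return [name for name, sig in signatures.items() if sig and sig in data]


if __name__ == "__main__":
    doctored = doctor(BENIGN_FILE, EICAR, 64)
    print("doctored sample in allowlist:", sha256_hex(doctored) in KNOWN_GOOD)
    print("naive signature hits pristine file:",
          scan(BENIGN_FILE, {"auto": naive_signature(doctored)}))
    careful = {"eicar_blob": careful_signature(doctored, KNOWN_GOOD)}
    print("careful signature hits pristine file:", scan(BENIGN_FILE, careful))
    print("careful signature hits doctored file:", scan(doctored, careful))
```

The practitioner's check is the second branch of careful_signature: a sample that is byte-identical to an allowlisted file except for one inserted blob is far more likely to be a planted sample than a genuine infection, so it deserves a human look rather than an automatic signature push to partners.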
http://tot-ltd.org/techinf.htm...
Project I've been working on for the past 15 years. Take it or leave it.
There don't seem to be very many good free alternatives other than microsoft's default package. I've wondered if it's possible for me to make my own security system, but I've never given it a good amount of thought.
If classification is the name of the game, couldn't you use some machine learning techniques based on what malware does and write your own classifier?
If I remember right, Thunderbyte Antivirus did something much like that. At some point Thunderbyte was bought out and I honestly have no idea what happened after that.
In my opinion, the best approach for malware that is pulled in by the user is to restrict what the user can do to the computer. Yes, that means annoying issues installing software, such that a privileged account has to be logged into, but it also means that if the user makes serious mistakes the solution is to back up their non-executable data, delete their account and its files, and recreate and restore the data.
On all of my Windows boxes I set up the user to have only minimal permissions. I reserve administrative functions for an admin account.
Do not look into laser with remaining eye.
It would not surprise me if *ALL* so-called antivirus software companies did this, with very few exceptions.
If you want news from today, you have to come back tomorrow.
There don't seem to be very many good free alternatives other than microsoft's default package.
at risk of stating the obvious ... er ... linux? :)
I've wondered if it's possible for me to make my own security system, but I've never given it a good amount of thought.
it's possible. it's also hard. start giving it some good amount of thought and stop making yourself a target by using the 'default package'. it will be easier from there ...
... with how rotten companies are these days you can never tell if its a genuine issue or some other competitor running a smear campaign.
Either way there's no perfect AV software and as always the arms race will continue.
>> run-of-the-mill evil company run by rotten people
I didn't realize Symantec or Trend Micro were good companies run by nice people. Maybe McAfee could be a character witness for them. :)
>> how could you possibly trust them to protect you?
If a "security" company doesn't have the technical expertise to figure out the difference between real and fake viruses (as it seems a number of these companies couldn't), I'm not sure how much protection they're offering anyway. I guess I'd rather watch the egress traffic from the software of the technically savvy company than sleep knowing I got my AV software from the brightly-colored company who bought me a steak dinner at the conference.
Maybe they are, but I'm not seeing their messages!
You are missing the point, and it was even in the article.
Those false positives occasionally led to vital Windows components being quarantined, I remember a reboot loop caused this way.
Opinions are my own - Opinions personal, facts suspect.
There don't seem to be very many good free alternatives other than microsoft's default package.
Signature-based anti-malware solutions require an industrial-scale operation to identify new threats and add them to the signatures. That's very costly: those workers have to eat, so they have to be paid somehow.
Since Microsoft is pretty much the only company with a revenue stream that is substantially improved by protecting Microsoft systems generally, it is similarly pretty much the only operation that can profit by spending such industrial-scale money deploying new defences "for free".
But there are still a few who find ways to make it possible. One of the best after-infection malware-removal tools out there is Malwarebytes. They distribute a stripped-down, manually-operated, nagware version of their product for free, in the hopes that you'll subscribe to the full-function version (to get additional functionality, including automated scheduled execution, and/or spare your attention from constantly closing their popups that covered your working window. B-) )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
A hacker can really screw with someone without elevating to admin. All the juicy stuff is in the user accounts anyway. In a few seconds they can get your financial information, passwords, email contacts, the screenplay you're working on, any photos of an adult nature that happen to be there...
In contrast, the admin account is quite dull. You already know what's on that. I get the point that once you get admin you can install your badware and stick around for a while, but once you've got all the really good stuff, which is in the user accounts, why bother?
... where you analyze the executable and then based off that determine if it's malicious or not.
That's provably impossible. It's trivial to convert it to the halting problem.
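The reduction the comment above alludes to, written out as an added sketch (not part of the original thread). It assumes a hypothetical decider $M$ that, given any program, answers exactly whether that program will ever perform some fixed malicious action $A$ (say, overwriting a file it does not own):

$$
\text{Given } P, x:\qquad Q_{P,x} \;=\; \text{``simulate } P(x)\text{; if it halts, do } A\text{''}
$$

$$
Q_{P,x} \text{ performs } A \iff P(x) \text{ halts}, \qquad\text{so}\qquad M(Q_{P,x}) = \mathrm{Halt}(P, x).
$$

Since $\mathrm{Halt}$ is undecidable, no such $M$ exists; the same argument goes through for any non-trivial behavioural property, which is Rice's theorem. The caveat a practitioner should keep in mind is that this rules out an exact decider for all programs, not useful heuristics: real scanners bound the analysis (time-limited emulation, signatures, reputation) and accept both false negatives and, as this story illustrates, false positives.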
Why not? Microsoft is noted as the "Redmond, Washington-based company." When legality is in question, it's critical to know where the companies are based. What is legal in Russia is very different from what's legal in the U.S., or even Washington state.
Because it's not a little AV-on-AV competition. Competition is when companies push each other to try to improve their product over the others, not purposefully throwing more hurdles in the way of the competitor.
If they did what was accused, they maliciously submitted false information that would be shared around the industry because they knew the competition would detect it as an infected file. It didn't improve Kaspersky's accuracy, nor did it help the accuracy of anyone else's scanner detecting real threats. It only resulted in competitors looking bad for false positives, and having to spend additional efforts filtering samples.
How dumb would it be to trust KGB guys to do anything in your computer in the first place?
"There is no such thing as a former KGB man" - V. Putin. They all cooperate with their authorities. Even if somebody would not want to, they are obliged to do that if they want to do business in Russia and stay alive.
He may or may not know.
What is important is that he has responsibility for the actions of his company. He will need to show without a shadow of a doubt that this was a totally rogue action that was not at all encouraged by their company directives OR their culture.
It is possible that there was one guy or a group of folks who did this on their own completely against the policies and the implied culture of Kaspersky Labs. If so, then maybe he's not responsible.
However, it's hard to believe that someone would do this without at least a cultural acceptance of these sorts of actions inside the company. You need to ensure that you have ethical people working for you, and that you make it very clear that this sort of thing is NOT accepted and certainly not rewarded. And the leadership should be asking questions, and not encouraging a "plausible deniability" atmosphere of "anything goes as long as they can't pin it to me".
So yeah, the company may not be responsible, but it won't simply be a matter of whether Eugene Kaspersky gave an order to do it. It may be that Kaspersky Labs is staffed by people who are unethical or are encouraged to be unethical. In which case, they may not be legally liable, but they should certainly become pariahs.