Spawn

Administrator
Verified
Staff member
Blog: CyberByte steals Malwarebytes' intellectual property - Malwarebytes Labs

"Following user reports, we began researching a piece of software named CyberByte Antivirus to determine whether it was a PUP. In our initial research, we found that CyberByte met several aspects of our PUP detection criteria, and we made the decision to begin detecting it as such.

One of these violations was that CyberByte acts as a wrapper for the open-source ClamAV engine (which doesn’t have comprehensive Mac signatures in its database), because asking for payment for a free antivirus engine is a potential red flag. However, it appeared likely that they were using another engine in addition to ClamAV.

After further examination, we noticed that there was something awfully familiar about CyberByte’s scans—specifically, the names of the threats it was looking for as part of its “quick scan.”

In the case of CyberByte, the names we saw scrolling by during a scan were our own Malwarebytes detection names.

Anyone who has used Malwarebytes for Mac recently will probably have noticed that Trojan.SteamStealer.CSGO is the very first threat that it scans for. It seemed like an extremely unlikely coincidence that CyberByte’s “quick scan” started with exactly the same threat.

Trojan.SteamStealer.CSGO is not a name that is unique to Malwarebytes. However, as the scan progressed, it was easy to see a number of threat names that are not used by any other vendors besides Malwarebytes.



We immediately suspected that CyberByte had stolen our intellectual property to augment the ClamAV engine. However, it did not seem that they were able to entirely duplicate our scan engine, as the “quick scan” only detected a small fraction of the files that Malwarebytes did.

Further proof was needed, so we added a dummy rule to our detections last week. We added a rule that would detect a particular folder—one that should never exist, and that you’d have to jump through hoops to create on a modern Mac system—as “Adware.DSMS” (meaning, “Don’t Steal My Software”).

Monday morning, on a test system, we created the dummy folder, then installed and updated CyberByte on that system. After running a “quick scan” using CyberByte, we caught it detecting the dummy folder as Adware.DSMS, proving that this was not simply a one-time theft. CyberByte has clearly set up a system for the ongoing theft of our intellectual property."
 
Indeed Iobit faced the same situation, and iobit apologized itslef and since then they have not repeated the same error.

BUT as mekelek mentioned:
I would feel bad if i were malwarebytes that someone could reverse engineer their product down to this level..
So actually also Malwarebytes is not 100% safe?