CyberByte steals from Malwarebytes

Status
Not open for further replies.

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Blog: CyberByte steals Malwarebytes' intellectual property - Malwarebytes Labs

"Following user reports, we began researching a piece of software named CyberByte Antivirus to determine whether it was a PUP. In our initial research, we found that CyberByte met several aspects of our PUP detection criteria, and we made the decision to begin detecting it as such.

One of these violations was that CyberByte acts as a wrapper for the open-source ClamAV engine (which doesn’t have comprehensive Mac signatures in its database), because asking for payment for a free antivirus engine is a potential red flag. However, it appeared likely that they were using another engine in addition to ClamAV.

After further examination, we noticed that there was something awfully familiar about CyberByte’s scans—specifically, the names of the threats it was looking for as part of its “quick scan.”

In the case of CyberByte, the names we saw scrolling by during a scan were our own Malwarebytes detection names.

Anyone who has used Malwarebytes for Mac recently will probably have noticed that Trojan.SteamStealer.CSGO is the very first threat that it scans for. It seemed like an extremely unlikely coincidence that CyberByte’s “quick scan” started with exactly the same threat.

Trojan.SteamStealer.CSGO is not a name that is unique to Malwarebytes. However, as the scan progressed, it was easy to see a number of threat names that are not used by any other vendors besides Malwarebytes.



We immediately suspected that CyberByte had stolen our intellectual property to augment the ClamAV engine. However, it did not seem that they were able to entirely duplicate our scan engine, as the “quick scan” only detected a small fraction of the files that Malwarebytes did.

Further proof was needed, so we added a dummy rule to our detections last week. We added a rule that would detect a particular folder—one that should never exist, and that you’d have to jump through hoops to create on a modern Mac system—as “Adware.DSMS” (meaning, “Don’t Steal My Software”).

Monday morning, on a test system, we created the dummy folder, then installed and updated CyberByte on that system. After running a “quick scan” using CyberByte, we caught it detecting the dummy folder as Adware.DSMS, proving that this was not simply a one-time theft. CyberByte has clearly set up a system for the ongoing theft of our intellectual property."
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
we have changed our detection of CyberByte from PUP.CyberByte to OSX.FakeAV. We are taking actions to stop this infringement and protect our intellectual property.

Hope this also gets updated on VT.
 

ektorbarajas

Level 1
Apr 26, 2018
3
Indeed Iobit faced the same situation, and iobit apologized itslef and since then they have not repeated the same error.

BUT as mekelek mentioned:
I would feel bad if i were malwarebytes that someone could reverse engineer their product down to this level..

So actually also Malwarebytes is not 100% safe?
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top