Kaspersky Lab denies tricking AV rivals into nuking harmless files

Status
Not open for further replies.

Jack

Administrator
Thread author
Jan 24, 2011
9,378
Kaspersky Lab deliberately fed bogus malware to its rivals to sabotage their antivirus products, two anonymous former employees allege. Kaspersky says the accusations are false.

Reuters reported today that two ex-Kaspersky engineers claim they were tasked with tricking competing antivirus into classifying benign executables and other files as malicious. Anti-malware tools from Microsoft, AVG and Avast were targeted, apparently.

It's irritating for computer users if an antivirus package starts marking harmless files as malign – known as a false positive – and deletes them or shoves them into a quarantine. It's bad news if those files turn out to be operating system resources, as it will leave machines unstable, unusable or even unbootable. Such incidents are by no means uncommon across the security industry, and when they happen people and enterprises alike suffer all sorts of inconvenience.

The accusation goes that Kaspersky Lab fed false positives into rival products via VirusTotal. Anyone can upload files to VirusTotal, which runs the data through a collection of antivirus packages and reports which products were able to detect any malware, if present. According to VirusTotal, it "helps antivirus labs by forwarding them the malware they fail to detect."

"Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products," the website, which is owned by Google, adds. "We do this because we believe it will eventually lead to a safer Internet and better end-user protection."

Read more: http://www.theregister.co.uk/2015/08/14/kasperskygate/
 

Av Gurus

Sep 22, 2014
1,767
They just want to protect their work :D
 

Secondmineboy

May 25, 2014
1,559
I sent the Reuters link from another post to Emsisoft and here's their answer:

Hello, and thank you for contacting Emsisoft Support.

Our malware analysts usually only add things to our own database when they have been able to verify some sort of malicious activity, and we have special protection mechanisms built into our software to prevent removal of Windows System Files in order to avoid damage to the computer when removing threats.

Best regards,

Arthur Wilkinson
Customer Support
 

Kardo Kristal

From Crystal Security
Jul 12, 2014
1,143
@Fabian Wosar from Emsisoft gave a very useful and informative reply about the same topic on Wilders Security Forums.

"There is no company out there that creates all of their signatures by hand. With 300k+ new malware samples per day, it is simply not feasible for every sample to be analyzed by a human. That is why pretty much every AV company automates the signature creation process at least to some degree.

Every vendor has their own recipe for automated signatures. Some of them are rather primitive. Others are quite complex. In general though, by reverse engineering what the engine does and reverse engineering the content of the signature database, chances are you can figure out how the automated algorithm that picked these signatures operates and what parts of a malicious file it tends to select to create the signature from.

Once you know how the signature is selected by the AV company's signature generation algorithm, you can craft a file that is malicious (which is required so it is even considered for signature creation in most cases), but has code that can be found in non-malicious files in those areas that the algorithm will pick to create the signature from. Now all you need to do is to get this manipulated malware file to the AV company by uploading it to VirusTotal for example. Then you just wait until it eventually ends up through the various sample exchanges at the AV company you targeted.

Obviously it will be rather difficult to get an AV vendor to detect extremely common files like Windows components that way, as that will likely be prevented by the QA processes put in place after the actual signature generation. But for less common files, like the printer driver that was mentioned in the article, that is completely feasible.

Are AV companies to blame here? I don't think so to be honest. It is not like someone uploaded a non-malicious file to VT that an evil AV "fake detected" and that detection was just copied by everyone. The file that was uploaded was indeed malicious. It was just crafted in a way to trick the proprietary signature selection algorithms used by the targeted AV company to select a bad signature. A similar attack is possible on human analysts by the way. Back in the day when automated sample processing wasn't a thing yet, you could look at signatures of an AV and recognize which of the analysts in the company did specific signatures if you looked at enough of them. The reason for that is that humans have habits and biases just like these automated systems have and knowing those, you can tempt a human into picking a bad signature as well."


Source

Regards,
Kardo
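The poisoning Fabian Wosar describes in the post above, as an added worked example that is not part of the original thread and is not any vendor's code. It assumes a toy executable format (a 4-byte magic then a code section) and a deliberately primitive automated generator that picks the highest-entropy 16-byte window as the signature; all sample files (a "printer driver", an "OS component", a malicious payload) are constructed for the demo. The attacker keeps the file genuinely malicious, copies the window the generator will choose from the benign target into the sample, and uploads it. The final step shows why the post says common files are protected while a printer driver is not: the QA prevalence check only catches the bad signature if the benign file is in the vendor's clean set.

```python
"""Toy model of steering an automated AV signature generator into
emitting a signature that matches a benign file (constructed example)."""
import math
from collections import Counter

HEADER = b"TOY\x01"   # assumed toy format: 4-byte magic, then code section
SIG_LEN = 16


def entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def auto_signature(sample: bytes, sig_len: int = SIG_LEN) -> bytes:
    """Assumed primitive automated generator: no human looks at the file,
    it selects the highest-entropy window of the code section on the theory
    that this is the 'most specific' part. Ties go to the earliest window."""
    body = sample[len(HEADER):]
    best, best_h = b"", -1.0
    for i in range(len(body) - sig_len + 1):
        window = body[i:i + sig_len]
        h = entropy(window)
        if h > best_h:
            best, best_h = window, h
    return best


def scan(signature: bytes, sample: bytes) -> bool:
    """Does this signature fire on the file?"""
    return signature in sample[len(HEADER):]


def craft_poisoned_sample(target_benign: bytes, payload: bytes) -> bytes:
    """Attacker side. The payload stays in so the sample is really malicious
    (otherwise it is never processed); the bytes the generator will select
    are lifted verbatim from the benign file the attacker wants flagged."""
    bait = auto_signature(target_benign)      # reverse-engineered selection
    # Zero padding around the bait keeps every other window below the bait's
    # entropy, so the modelled generator must pick the bait.
    sample = HEADER + payload + b"\x00" * 32 + bait + b"\x00" * 32
    if auto_signature(sample) != bait:        # attacker verifies against the model
        raise ValueError("payload out-competes the bait; re-encode the payload")
    return sample


def qa_prevalence_check(signature: bytes, clean_set: dict) -> list:
    """Vendor QA after generation: reject a signature that hits any file in
    the known-clean set. Returns the names of clean files it would flag."""
    return [name for name, data in clean_set.items() if scan(signature, data)]


# Constructed files. The driver carries a 16-distinct-byte lookup table,
# which is exactly what an entropy-driven generator gravitates to.
PRINTER_DRIVER = HEADER + b"SPOOLER PRINT DRIVER 1.2\x00" + bytes(range(16)) + b" END"
OS_COMPONENT = HEADER + b"KERNEL32 CORE LIBRARY " + bytes(range(0x80, 0x90)) + b" END"
PAYLOAD = b"DELETE_ALL_FILES_ON_C"


def demo() -> dict:
    poisoned = craft_poisoned_sample(PRINTER_DRIVER, PAYLOAD)
    sig = auto_signature(poisoned)            # what the targeted vendor ships
    # Narrow clean set (only very common files) vs. one that has the driver.
    narrow = qa_prevalence_check(sig, {"kernel32": OS_COMPONENT})
    broad = qa_prevalence_check(sig, {"kernel32": OS_COMPONENT,
                                      "printer_driver": PRINTER_DRIVER})
    return {
        "sample_is_malicious": PAYLOAD in poisoned,
        "signature": sig,
        "false_positive_on_driver": scan(sig, PRINTER_DRIVER),
        "narrow_qa_rejects": bool(narrow),
        "broad_qa_rejects": bool(broad),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Real generators are far less naive than "highest entropy wins", but the structure of the attack is the same: whatever deterministic or learnable rule selects the signature bytes, a sample can be shaped so that rule lands on bytes shared with a benign file, and only a post-generation check against a sufficiently broad clean corpus stops the result from shipping.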
 

vivid

Dec 8, 2014
206
They're just defending the principles to me. Emsisoft is not a good example anyway due to its multi-engine approach. Tsk, tsk.
 