A recent Reuters story accusing Russian security firm Kaspersky Lab of faking malware to harm rivals prompted denials from the company’s eponymous chief executive — Eugene Kaspersky — who called the story “complete BS” and noted that his firm was a victim of such activity. But according to interviews with the CEO of Dr.Web — Kaspersky’s main competitor in Russia — both companies experimented with ways to expose antivirus vendors who blindly accepted malware intelligence shared by rival firms.
The Reuters piece cited anonymous, former Kaspersky employees who said the company assigned staff to reverse-engineer competitors’ virus detection software to figure out how to fool those products into flagging good files as malicious. Such errors, known in the industry as “false positives,” can be quite costly, disruptive and embarrassing for antivirus vendors and their customers.
Reuters cited an experiment that Kaspersky first publicized in 2010, in which a German computer magazine created ten harmless files and told antivirus scanning service Virustotal.com that Kaspersky detected them as malicious (Virustotal aggregates data on suspicious files and shares them with security companies). The story said the campaign targeted antivirus products sold or given away by AVG, Avast and Microsoft.
“Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky’s lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010,” wrote Reuters’ Joe Menn. “When Kaspersky’s complaints did not lead to significant change, the former employees said, it stepped up the sabotage.”
Eugene Kaspersky posted a lengthy denial of the story on his personal blog, calling the story a “conflation of a number of facts with a generous amount of pure fiction.” But according to Dr.Web CEO Boris Sharov, Kaspersky was not alone in probing which antivirus firms were merely aping the technology of competitors instead of developing their own.
In an interview with KrebsOnSecurity, Sharov said Dr.Web conducted similar analyses and reached similar conclusions, although he said the company never mislabeled samples submitted to testing labs.
“We did the same kind of thing,” Sharov said. “We went to the [antivirus] testing laboratories and said, ‘We are sending you clean files, but a little bit modified. Could you please check what your system says about that?'”
Sharov said the testing lab came back very quickly with an answer: Seven antivirus products detected the clean files as malicious.
“At this point, we were very confused, because our explanation was very clear: ‘We are sending you clean files. A little bit modified, but clean, harmless files,'” Sharov recalled of an experiment the company said it conducted over three years ago. “We then observed the evolution of these two files, and a week later, half of the antivirus products were flagging them as bad. But we never flagged these ourselves as bad.”
Sharov said the experiments by both Dr.Web and Kaspersky — although conducted differently and independently — were attempts to expose the reality that many antivirus products are simply following the leaders.
“The security industry in that case becomes bullshit, because people believe in those products and use them in their corporate environments without understanding that those products are just following others,” Sharov said. “It’s unacceptable.”
According to Sharov, a good antivirus product actually consists of two products: One that is sold to customers in a box and/or or online, and the second component that customers will never see — the back-end internal infrastructure of people, machines and databases that are constantly scanning incoming suspicious files and testing the overall product for quality assurance. Such systems, he said, include exhaustive “clean file” tests, which scan incoming samples to make sure they are not simply known, good files. Programs that have never been seen before are nearly always given more scrutiny, but they also are a frequent source of false positives.
“We have sometimes false positives because we are unable to gather all the clean files in the world,” Sharov said. “We know that we can get some part of them, but pretty sure we never get 100 percent. Anyway, this second part of the [antivirus product] should be much more powerful, to make sure what you release to public is not harmful or dangerous.”
Sharov said some antivirus firms (he declined to name which) have traditionally not invested in all of this technology and manpower, but have nevertheless gained top market share.
“For me it’s not clear that [Kaspersky Lab] would have deliberately attacked other antivirus firm, because you can’t attack a company in this way if they don’t have the infrastructure behind it,” Sharov said. Continue reading →