Updated: Kaspersky may have tricked competitors' software

Reuters has a scoop from two anonymous ex-Kaspersky Lab employees who claim to have worked on a secret project to sabotage the company's competitors. According to the ex-employees, their job was to reverse-engineer anti-virus software from competing companies to see how those programs could be tricked into identifying a clean file as infected. Targets of the reverse-engineering allegedly included AVG, Avast, and even Microsoft.

According to the report, Kaspersky carried out its sabotage by modifying versions of what Reuters describes as "an important piece of software commonly found in PCs" to appear malicious to the reverse-engineered software. The company then submitted the modified versions of the software to Google's VirusTotal aggregation service and flagged them as infected. The modified files then triggered threat-detection heuristics in the reverse-engineered anti-virus programs, causing false positives even in systems without the modified files installed.

The ex-Kaspersky employees say Microsoft was a target because many other anti-virus companies follow Redmond's guidance on malicious files. According to a statement provided to Reuters by Microsoft's anti-malware research director Dennis Batchelder, his team found "hundreds, and eventually thousands" of good files that has been doctored and submitted. He says he asked his staff to not identify the culprit because, he said, "[a]ll of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed." The employees didn't provide Reuters with details of any specific attacks on Microsoft.

As for Kaspersky Lab, the company is vehemently denying the allegations. "Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing," the company said in a statement to Reuters. "Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted."

Update August 14, 4:52PM: Kaspersky has contacted TR with a statement responding to the Reuters article. The statement appears below in its entirety.

Contrary to allegations made in a Reuters news story, Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and illegal. Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false. As a member of the security community, we share our threat intelligence data and IOCs on advanced threat actors with other vendors, and we also receive and analyze threat data provided by others. Although the security market is very competitive, trusted threat data exchange is a critical part of the overall security of the entire IT ecosystem, and we fight hard to help ensure that this exchange is not compromised or corrupted.

In 2010, we conducted a one-time experiment uploading only 20 samples of non-malicious files to the VirusTotal multi-scanner, which would not cause false positives as these files were absolutely clean, useless and harmless. After the experiment, we made it public and provided all the samples used to the media so they could test it for themselves. We conducted the experiment to draw the security community’s attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity (behavior) (See here). After that experiment, we had a discussion with the antivirus industry regarding this issue and understood we were in agreement on all major points. Read more here.

In 2012, Kaspersky Lab was among the affected companies impacted by an unknown source uploading bad files to VirusTotal, which led to a number of incidents with false-positive detections. To resolve this issue, in October 2013, during the VB Conference in Berlin there was a private meeting between leading antivirus vendors to exchange the information about the incidents, work out the motives behind this attack and develop an action plan. It is still unclear who was behind this campaign.

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.