Security firm Kaspersky has denied claims from former employees that it is in the habit of tricking its competitors in the industry into marking known-good files as malware, taking advantage of the trust between firms for its own ends.
Late last week, news wire agency Reuters broke the news that former employees of Russian security firm Kaspersky had accused the company of deliberately mislabelling files contributed to a malware-sharing service in order to trick its competitors into issuing false-positive detections in their software. Some of these files, the pair claimed, included Windows system files - which, if quarantined or deleted by competitors' software, would render a system unusable. 'It was decided to provide some problems [for competitors],' one anonymous former employee claimed, following a reported declaration from company founder Eugene Kaspersky that competitors were 'stealing' by following the company's developments. 'It is not only damaging for a competing company but also damaging for users' computers.'
The campaign, which the pair claim has been running for more than a decade, takes advantage of the level of trust between security firms. When a company detects a previously unknown malware example, or a previously undetected variant of a known malware, it provides copies of this to its competitors so that they might add detection to their software - the benefit of broad detection of potentially damaging malware outweighing the desire to make one company's software the best in the business. By submitting known-good files and claiming they were bad a company could in theory fool other security firms into programming detection into their software, resulting in a 'false positive' and the potential damage of a user's software - and the chances of this happening were increased, the pair claim, by Kaspersky having staff working on reverse-engineering rivals' software to give it the best chance of picking or modifying a file such that it would be incorrectly detected as malware.
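The trust model described above has an obvious defensive counterpart: a vendor should not promote a partner-supplied sample to a live detection on that partner's say-so alone. The following is an added example, not code from the article or from any of the vendors it names, that models one such intake gate: a sample labelled 'malware' is rejected outright if its hash matches a known-good allowlist (here, constructed stand-ins for the kind of printer and network drivers mentioned later in the piece), and is otherwise held until more than one independent source has submitted it. All file contents, hashes and source names are constructed for illustration.

```python
"""Vetting shared 'malware' samples before they become detections.

Added example (not from the article or from any vendor's code). Incoming
samples labelled 'malware' by a partner are checked against a known-good
allowlist and must be corroborated by more than one independent source
before a detection is promoted. All hashes, sources and file contents
below are constructed for illustration.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Submission:
    source: str   # partner that shared the sample (constructed names)
    data: bytes   # file contents (constructed)
    label: str    # label the partner attached, e.g. "malware"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist of files the vendor already trusts, keyed by hash.
# A real allowlist would be built from signed OS files and vendor catalogues.
KNOWN_GOOD = {
    sha256_hex(b"constructed printer driver bytes"): "printer driver (constructed)",
    sha256_hex(b"constructed network driver bytes"): "network driver (constructed)",
}


class SampleIntake:
    """Gate between the sharing feed and the detection database."""

    def __init__(self, min_sources: int = 2):
        self.min_sources = min_sources
        self.sources_by_hash: dict = defaultdict(set)
        self.audit: list = []   # human-readable record of every decision

    def consider(self, sub: Submission) -> str:
        h = sha256_hex(sub.data)
        if sub.label != "malware":
            return "ignored"
        if h in KNOWN_GOOD:
            # A partner claims a trusted file is malicious: never add a
            # detection, and record who sent it so the feed can be reviewed.
            self.audit.append(f"reject {h[:12]} from {sub.source}: known-good {KNOWN_GOOD[h]!r}")
            return "rejected-known-good"
        self.sources_by_hash[h].add(sub.source)
        n = len(self.sources_by_hash[h])
        if n < self.min_sources:
            # One source alone is not enough; wait for independent corroboration.
            self.audit.append(f"hold {h[:12]}: {n}/{self.min_sources} sources")
            return "pending-corroboration"
        self.audit.append(f"accept {h[:12]}: corroborated by {sorted(self.sources_by_hash[h])}")
        return "accepted"


def run_demo() -> dict:
    """Feed a constructed batch through the gate and return the decisions."""
    intake = SampleIntake(min_sources=2)
    novel = b"constructed bytes of a genuinely unknown sample"
    batch = [
        Submission("vendor-a", b"constructed printer driver bytes", "malware"),
        Submission("vendor-a", novel, "malware"),
        Submission("vendor-a", novel, "malware"),   # same source again: no extra weight
        Submission("vendor-b", novel, "malware"),   # independent corroboration
    ]
    return {"decisions": [intake.consider(s) for s in batch], "audit": intake.audit}


if __name__ == "__main__":
    result = run_demo()
    for decision, line in zip(result["decisions"], result["audit"]):
        print(f"{decision:22} {line}")
```

The point of the design is that the two checks fail independently: the allowlist stops a mislabelled known-good file regardless of how many partners forward it, while the corroboration count stops a single partner from pushing a novel file straight into detection. Repeated submissions from the same source are deliberately counted once, so volume from one feed cannot substitute for agreement between feeds.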
'If true, this news is indeed a jolt for the security industry – especially the anti-virus industry,' commented Rahul Kashyap, chief security architect at rival security firm Bromium. 'The AV malware samples exchanged amongst vendors is based on trust, and this report claims that was breached. The ramifications are quite high – many users suffered in this process with crippled PCs and many firms actually lost business.'
Kaspersky, naturally, denies any wrongdoing. 'The article, filled with sensational – false – allegations, claims Kaspersky Lab (KL), creates very specific, targeted malware, and distributes it anonymously to other anti-malware competitors, with the sole purpose of causing serious trouble for them and harming their market share,' a clearly aggrieved Eugene Kaspersky wrote in a scathing reply to the Reuters piece. 'Oh yes. But they forgot to add that we conjure all this up during steamy banya [sauna] sessions, after parking the bears we ride outside.'
'The accusations are complete nonsense, pure and simple. Disgruntled ex-employees often say nasty things about their former employers, but in this case, the lies are just ludicrous. Maybe these sources managed to impress the journalist, but in my view publishing such an ‘exclusive’ – WITHOUT A SHRED OF EVIDENCE – is not what I understand to be good journalism. I’m just curious to see what these ‘ex-employees’ tell the media next time about us, and who might believe their BS.'
Kaspersky admits that there are 'a number of facts' in the article, but that these have been conflated with 'a generous amount of pure fiction.' The facts, Kaspersky claims, include that the data-sharing network between security firms did indeed suffer from the injection of incorrectly-labelled files, but that his company was not responsible. 'Unfortunately, we were among the companies badly affected. It turned out to be a coordinated attack on the industry: someone was spreading legitimate software laced with malicious code targeting specifically the antivirus engines of many companies, including KL. It remains a mystery who staged the attack, but now I’m being told it was me! I sure didn’t see that one coming, and am totally surprised by this baseless accusation!'
Reuters has yet to provide any additional evidence to back up its sources' claims, and two of the biggest companies involved have declined to name Kaspersky as the culprit: Microsoft, whose anti-malware research director Dennis Batchelder told the outlet about a file his company had received which was designed to have Microsoft's anti-malware products detect valid printer drivers as malicious, and Avast, whose Ondrej Vlcek provided details of a similar attack relating to network drivers.