Russian anti-virus vendor Kaspersky Lab is denying accusations that it conducted operations designed to trick software from competing firms into classifying harmless files as malicious.
In a story published Friday, Reuters reporter Joseph Menn, citing two former Kaspersky Lab employees as sources, said the company manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013.
According to the ex-employees cited by Reuters, Kaspersky engineers allegedly took “important pieces of software” commonly found on PCs and injected malicious code into them so that the files appeared infected, then anonymously uploaded the doctored files to the VirusTotal malware information exchange.
“When competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious,” Menn wrote. “If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.”
The former employees, who wished to remain anonymous, told Reuters that some of the attacks were ordered by company chief Eugene Kaspersky, partly to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology.
“Eugene considered this stealing,” one of the former employees said.
Kaspersky Lab fired back immediately, saying the allegations are untrue and that such actions would be unethical, dishonest and illegal.
“Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing,” Kaspersky Lab said in a statement provided to SecurityWeek.
“Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false,” the statement continued. “As a member of the security community, we share our threat intelligence data and IOCs on advanced threat actors with other vendors, and we also receive and analyze threat data provided by others.”
While the Russian security firm denied the accusations, it did say that it conducted a one-time experiment in 2010 in which it uploaded samples of non-malicious files to VirusTotal, something the company made public soon afterward and well before the Reuters report.
“In 2010, we conducted a one-time experiment uploading only 20 samples of non-malicious files to the VirusTotal multi-scanner, which would not cause false positives as these files were absolutely clean, useless and harmless,” Kaspersky Lab explained. “After the experiment, we made it public and provided all the samples used to the media so they could test it for themselves. We conducted the experiment to draw the security community’s attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity (behavior).”
The company also said that in 2012 it was affected by an unknown party uploading doctored files to VirusTotal, which led to a number of false-positive detection incidents.
Kaspersky said that during the VB Conference in Berlin in October 2013, antivirus vendors held a private meeting to exchange information about the incidents, work out the motives behind the attack and develop an action plan.
“We had investigated these attacks but could not find out who was behind them. We had some suspects, Kaspersky was not one of them,” Liam O’Murchu, Manager of Security Response Operations for North America at Symantec, wrote on Twitter.
The tactic, no matter who is behind it, is a major wakeup call to the industry, says Rahul Kashyap, Chief Security Architect and SVP of Security & Solutions Engineering at Bromium.
“Besides the huge impact of the claim, there are two other issues this report brings out – the challenges of reliably attributing and the fragility of anti-virus ‘system’,” Kashyap told SecurityWeek.
“To prove that this story is indeed true, reliable facts need to be presented that provide legit evidence against Kaspersky. I doubt it’ll be easy for anyone to reliably attribute the act directly to Kaspersky—unless the informants did it themselves and stored reliable evidence at the time of crime,” Kashyap said.
“This also exposes the fragility of the entire malware sample distribution system. As the report claims, a hole in the system was uncovered and plugged after large-scale damage was observed. The entire anti-virus industry is about reacting after damage; this act further proves yet another flaw in the model.”
“On the incident in general, we’re well aware of the issue of false positives propagating from product to product through the vital industry-wide information sharing systems,” John Hawes, Chief of Operations at Virus Bulletin, told SecurityWeek. “In the past we regularly observed false alarms which cropped up in our testing spreading to other products very quickly. This was a symptom of automated processes relying too heavily on detection results from other vendors as a criteria for classifying an item as malicious, and it seems to have reduced fairly considerably in the last year or two as automation systems have become more sophisticated.”
“As to whether a security vendor would be involved in deliberately trying to abuse these processes to discredit their rivals, I remain highly skeptical,” Hawes said. “The benefits would be rather marginal – to achieve a major headline-making false positive event of the kind which would dent a vendor’s reputation, a seriously major file which broke a major package or stopped Windows from functioning properly would have to be made to look malicious.”
VirusTotal, a subsidiary of Google, is an aggregator and does not take responsibility for such false positives; it has a policy of not whitelisting any files or URLs. Furthermore, the company says it will not remove any detections resulting from the normal operation of the products it makes use of.
Earlier this year VirusTotal launched an initiative designed to address the issue of false positives through a project called “trusted source.” As part of the initiative, major software vendors are asked to share metadata from their software collections. Additionally, when files from these vendors are distributed to antivirus companies under the trusted source initiative, they are tagged so that an erroneous flag can be recognized and ignored rather than copied, preventing a snowball effect in detection ratios.
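As an added illustration of the snowball Hawes describes and the trusted-source tag is meant to stop, the following Python model is not from the article, VirusTotal or any vendor. It simulates vendors whose automation copies a verdict once enough other vendors flag a file, seeded by a single false alarm, and then repeats the run with the file tagged as coming from a trusted source. The vendor names, per-vendor thresholds and the sample are constructed for the demonstration.

```python
"""Illustrative model of a false-positive snowball among AV vendors.

Added example for this article; it is NOT VirusTotal's, Kaspersky's or any
vendor's code. Vendor names, per-vendor thresholds and the sample are
constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Constructed vendors. The value is how many vendors must already flag a file
# before this vendor's automation copies the verdict without its own analysis.
# Low numbers model "relying too heavily on detection results from other
# vendors"; high numbers model more conservative pipelines.
THRESHOLDS = {
    "AV-A": 1, "AV-B": 1, "AV-C": 2, "AV-D": 3,
    "AV-E": 3, "AV-F": 5, "AV-G": 5, "AV-H": 7,
}


@dataclass
class Sample:
    name: str
    trusted_source: bool = False          # tagged under a trusted-source style scheme
    flagged_by: set = field(default_factory=set)


def consensus_round(sample, thresholds, honor_trusted_tag):
    """One pass of every vendor's automation over the current verdicts.

    A vendor that has not flagged the sample yet flags it once the number of
    vendors already flagging it reaches that vendor's threshold. If the sample
    carries a trusted-source tag and vendors honor it, the consensus rule is
    skipped entirely, so nothing new is flagged. Returns the set of vendors
    that newly flagged the sample in this round.
    """
    if honor_trusted_tag and sample.trusted_source:
        return set()
    current = set(sample.flagged_by)       # decisions use the state at round start
    newly = {v for v, t in thresholds.items()
             if v not in current and len(current) >= t}
    sample.flagged_by |= newly
    return newly


def simulate(sample, seed_vendors, thresholds=THRESHOLDS,
             honor_trusted_tag=False, max_rounds=20):
    """Seed the sample with the vendors whose own engines flag it (here a single
    false alarm), then iterate consensus rounds until no vendor changes its
    verdict. Returns the per-round timeline as a list of vendor sets."""
    sample.flagged_by = set(seed_vendors)
    timeline = [set(seed_vendors)]
    for _ in range(max_rounds):
        newly = consensus_round(sample, thresholds, honor_trusted_tag)
        if not newly:
            break
        timeline.append(newly)
    return timeline


def detection_ratio(sample, thresholds=THRESHOLDS):
    """Detection ratio as a multi-scanner would display it, e.g. '8/8'."""
    return f"{len(sample.flagged_by)}/{len(thresholds)}"


if __name__ == "__main__":
    # Constructed scenario: a clean, widely deployed file that exactly one engine,
    # AV-A, flags by mistake. Every other verdict below is copied, not analysed.
    clean = Sample("clean-system-file")
    for rnd, vendors in enumerate(simulate(clean, {"AV-A"})):
        print(f"round {rnd}: {sorted(vendors)}")
    print("untagged file:", detection_ratio(clean))

    # Same false alarm, but the file is tagged as coming from a trusted software
    # vendor and the other engines honor the tag instead of copying the consensus.
    tagged = Sample("clean-system-file", trusted_source=True)
    simulate(tagged, {"AV-A"}, honor_trusted_tag=True)
    print("trusted-source tagged file:", detection_ratio(tagged))
```

With the constructed thresholds, one false alarm becomes an 8/8 detection ratio in five rounds, each round's copied verdicts lowering the bar for the next, more conservative vendor. With the tag honored, the ratio stays at 1/8 and the single mistaken vendor remains visible as the outlier it is. The model deliberately omits any real engine behaviour; its point is only that a vote-counting rule with no independent analysis turns any seed, accidental or planted, into apparent consensus.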
“Any major vendor with proper QA processes should be routinely running their products over in-house sets of major files before releasing updated detection routines, to watch out for just this sort of issue,” Hawes said.
“Although the security market is very competitive, trusted threat data exchange is a critical part of the overall security of the entire IT ecosystem, and we fight hard to help ensure that this exchange is not compromised or corrupted,” Kaspersky stated.