Did Kaspersky Fake Malware?

Two former Kaspersky employees have accused the company of faking malware to harm rival antivirus products. They would falsely classify legitimate files as malicious, tricking other antivirus companies that blindly copied Kaspersky’s data into deleting them from their customers’ computers.

In one technique, Kaspersky’s engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.

Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.

[…]

The former Kaspersky employees said Microsoft was one of the rivals that were targeted because many smaller security companies followed the Redmond, Washington-based company’s lead in detecting malicious files. They declined to give a detailed account of any specific attack.

Microsoft’s antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in “quarantine.”

Batchelder said it took him roughly six hours to figure out that the printer code looked a lot like another piece of code that Microsoft had previously ruled malicious. Someone had taken a legitimate file and jammed a wad of bad code into it, he said. Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well.

Over the next few months, Batchelder’s team found hundreds, and eventually thousands, of good files that had been altered to look bad.

Kaspersky denies it.

EDITED TO ADD (8/19): Here’s an October 2013 presentation by Microsoft on the attacks.

EDITED TO ADD (9/11): A dissenting opinion.

Posted on August 18, 2015 at 2:35 PM • 46 Comments

Comments

Anura August 18, 2015 2:43 PM

“Kaspersky denies it.”

Sounds like something a guilty person would do.

In all seriousness, I wouldn’t be surprised. Corporate espionage is a thing, and when it comes down to money, corporations tend to care more about whether or not they will get caught than actual ethical considerations.

Ryan August 18, 2015 2:52 PM

Can’t remember, but a while back, a major antivirus company misidentified winlogon as a virus and as a result hundreds of thousands of computers couldn’t boot.

HiTechHiTouch August 18, 2015 3:11 PM

I could see this as (advanced) water-marking of the intellectual property (the virus definitions).

When the lower tier of AV companies are feeding off your signature files, including “false negatives” lets you identify your stolen property.

Targeting non-critical but commonly used files with “false positives” will help bring the lower tier companies to your attention when people publicly complain about your signature failing in a competitor’s program, telling you that your signature was stolen by the competitor.

Somewhere near here is an ethical line.

A printer driver is common enough to get attention, but won’t BSOD or disable Explorer or have some other high impact. And the structure allows false positives to be ignored/bypassed/restored from quarantine so printer operation can be restored.

OTOH, intentionally breaking even a minor part of someone’s system is BAD. But “break” has several values…

And remember, while Microsoft is a Kaspersky competitor, Microsoft’s AV products were not a target since (I would certainly hope!) Microsoft would never be stealing signature files. Microsoft only got involved when asked to identify/verify the correct version of the printer driver.

HiTechHiTouch August 18, 2015 3:18 PM

Please read…

A printer driver is common enough to get attention, but won’t BSOD or disable Explorer or do something else that is high impact — people can deal with no printer or lost output from printer jams, etc. And, provisions exist to allow false positives to be ignored/bypassed/restored from quarantine so printer operation can be restored.

mafu August 18, 2015 3:19 PM

I don’t see why an antivirus company is not allowed to provide fake samples per se.

If the others blindly copy my stuff without checking if it’s actual malware, it’s their fault. Or does anyone think they would be justified in demanding free and mistake-free signatures from their competitors?

In relation: A while back Google indexed a nonexistent, fictional website (i.e. it absolutely cannot be found unless you type a certain search term into Google’s web search) and searched for it using competitors’ search engines. Surprisingly, it was found by them, which means that they used Google search results as input to their own search engines. It was pretty hilarious.

Anyway: It would not be very surprising if this were a Kaspersky publicity stunt. Because it awfully looks like ‘they’re the only ones who do their stuff right, while the others are incompetent and mindlessly copy them’.

Clive Robinson August 18, 2015 3:33 PM

As I read the story originally, the information came from two unnamed people said to be ex-Kaspersky employees.

Thus we have a series of odd incidents, that might or might not be a clever series of attacks. And Kaspersky saying “it was not us” and an article saying it was, based on what the article’s author says is the word of two ex-employees.

Difficult to call, but knowing where Kaspersky came from and how he ended up doing what he has done makes me think he is more than capable of doing it.

Further the thought of someone sticking it to Micro$haft makes me not just smile but chuckle.

So even if it’s not true, I would still want it to be true 🙂

mathieu August 18, 2015 4:14 PM

@mafu

there was a case where Google had created about 100 “synthetic queries” (fictional results in their system, for queries such as “hiybbprqag”, “delhipublicschool40 chdjob” and “juegosdeben1ogrande”).

They configured Google to return specific web page(s) for each of these queries.

The intention was, just like you wrote, to determine if search engines like Bing were copying their results.

The results (explained here: http://googleblog.blogspot.co.uk/2011/02/microsofts-bing-uses-google-search.html) were quite interesting; they wrote that:

As we see it, this experiment confirms our suspicion that Bing is using some combination of:

  • Internet Explorer 8, which can send data to Microsoft via its Suggested Sites feature
  • the Bing Toolbar, which can send data via Microsoft’s Customer Experience Improvement Program

or possibly some other means to send data to Bing on what people search for on Google and the Google search results they click. Those results from Google are then more likely to show up on Bing.

Marshmallow August 18, 2015 4:18 PM

False positives… Yeccch.

I write my own code, and a couple of important programs of mine end up tripping the Microsoft AV checker. Shuffling code blocks around, and attempts to rewrite suspected modules, didn’t help; I suspect that the annoying problem could come from the libraries.

I ended up confining the binaries to a directory manually excluded from AV scanning. I don’t really like that, as this is quite inflexible, and prevents me from sharing my work.

If at least the program told the user which virus is suspected, and let him selectively disable this particular check…

If the signature was lifted from a competitor’s definitions, I can understand why their messages aren’t very forthcoming.

How long typically are these signatures anyway?

jackson August 18, 2015 4:48 PM

@CR – your hatred for MS makes me question everything you say. What’s your problem anyway?

blake August 18, 2015 4:56 PM

Kaspersky was the group that did a lot of the work unpicking the Equation Group attacks, right? If the Equation Group is indeed a State actor then it’s fair to assume that Kaspersky is itself a target for infiltration and discrediting.

That said, my uninformed opinion is that yes, this is quite possibly something Kaspersky actually did. It reminds me of that high frequency trading lawsuit where the guys figured out how the GS (was it GS?) algorithms valued stuff and what trades they needed to execute in what order that would lead to a guaranteed profit at the GS expense. Part of the defense of these guys was that this kind of hostile reverse engineering is something everyone does – which is probably true – and it probably crosses industries, in the manner we’re seeing.

@jackson – were you in this field in the 90s? Try Googling “Embrace, extend and extinguish”, or I guess for a laugh you could Bing it.

Jesse August 18, 2015 5:17 PM

Unless somebody can show me the moral dilemma, I’m viewing the payload of this accusation as a strong positive.

If these companies are selling anti-malware solutions to customers, and if it’s this simple for any bad actor to poison their virus definition pools (Kaspersky doesn’t have to be doing it, anybody can inject a signature file into a patsy and then upload it to virustotal!) and trick them into damning any file similar to the inoculation (a strategy that wildly stabs in the dark hoping to catch nearby or related B$, but lends itself exactly to this form of abuse) then they are getting what they deserve when their product malfunctions and knocks their customer’s computers into ditches.

This is no more immoral than a car company that sells cars in a location where it so rarely rains that nobody has been able to tell that these automobiles completely dissolve in the presence of moisture, and selling all of their kids super-soakers.

tyr August 18, 2015 5:19 PM

@ jackson

You should always question anything anyone says and discard the evidence of your own senses last. Billy and Ballmer got rich off selling crooked crapware to the gullible. Some of us were around when they got their shady start and they haven’t felt like any change in behavior is needed.

Giant corporations like governments need to be curbed and herded into ethical behaviors at bayonet point otherwise it doesn’t happen.

A healthy dose of doubt should be used every day.

jackson August 18, 2015 5:23 PM

Oh, OK, so it’s a personal problem. Is anyone objective anymore or is the Internet just a big pile of vindictive crap?
When I was a little kid, I had relatives that still blamed the Great Depression on Hoover and would never again vote for a Republican, no matter what.
Know what happened to them? They grew old then died.
The 90’s… are you serious?

Oh Microsoft, I’m hurting you in my mind, I’m hurting you right now in my mind, don’t you feel it???

Is this by any chance a UK thing?

Johann August 18, 2015 6:08 PM

@mathieu

would seem that it’s relatively easy to get hard evidence if Internet Explorer 8 or the Bing toolbar were sending data to M$, I mean by setting up some (software/hardware) proxy that collects all the data.

Clive Robinson August 18, 2015 6:13 PM

@ Jackson,

Is this by any chance a UK thing?

Not really, but some UK Members of Parliament were not happy about receiving threatening phone calls from Microsoft Executives a short while ago… Threatening politicians by saying if you don’t do what we want we will sack all our employees in your voters’ area and tell them you are to blame, is not exactly the way most people, especially the Microsoft employees, would expect the company to behave.

But you only have to look at what is currently happening with regards to Win 10 doing an ET and phoning home. You may not know that under legislation in many jurisdictions this is actually illegal as it destroys “privilege”; it’s also not compliant with US legislation such as HIPAA, Sarbanes-Oxley and the likes of PCI requirements.

Further it puts Microsoft in breach of its agreement with the EU legislature not to carry out certain anti-competitive activities. On top of this there is other Data Protection legislation it breaches.

Oh and while you are at it go and have a look at the US Gov’s own legal investigation of Microsoft and its findings.

I can only assume you are either not particularly well informed or you are trolling; either way I really don’t care. As others have pointed out Microsoft is not popular, and quite a few see it at best as a necessary evil for various reasons. Others are migrating away from Microsoft and opting for open standards, which is what caused the Microsoft execs to phone the UK MPs and throw their toys out of the pram.

Clive Robinson August 18, 2015 6:31 PM

@ Jackson,

Lest you think I’m inventing what Microsoft execs did, have a read of,

http://www.computerweekly.com/news/2240233813/Microsoft-threatened-MPs-over-government-open-standards-policy-claims-advisor

As for your original comment of,

@CR – your hatred for MS makes me question everything you say.

You are ascribing your viewpoint of “hatred” to what I said, which is, shall we say, curious behaviour. And no doubt others will wonder why, so perhaps you would like to explain your viewpoint?

After all, if you accuse somebody of having a “problem”, the least you would normally be expected to do is state your position and give evidence to support it. To not do so allows others to draw their own perhaps unfavourable conclusions about you. The choice is yours.

blake August 18, 2015 6:51 PM

@jackson

The 90’s… are you serious?

Yeah, that’s how long you’ve had to realise that Microsoft is not your friend. It’s not like the criticism is limited to the 90s.

Jacob August 18, 2015 7:03 PM

@ Clive

re breaching data protection legislation in the EU and SOX in the US, this may amuse you:

http://www.rt.com/politics/312172-windows-10-service-agreement-stirs/

“Vadim Solovyov, the chief lawyer of the Communist Party in the State Duma addressed Prosecutor General Yury Chaika with an official request to launch a probe into Microsoft’s latest operating system” on the count of “Russian law demands that such gathering and processing of personal information is only permissible by companies included in the National Register of Personal Data Operators, Solovyov noted. As Microsoft is not included on this register, the distribution of Windows 10 on Russian territory becomes illegal, he wrote.”

Clive Robinson August 18, 2015 7:06 PM

@ Blake,

You might find this of interest,

http://mobile.computerworlduk.com/blogs/open-enterprise/how-microsoft-fought-true-open-standards-i-3569201/

It’s a series of articles that resulted from the examination of papers returned under a “Freedom of Information” request to the UK Cabinet Office.

It shows quite a few examples of Microsoft communications to the UK-CO to try and dissuade the UK Government from going down the Open Standards route involving unencumbered standards, rather than the Microsoft preferred encumbered standards from which they derive significant UK taxpayer money.

Clive Robinson August 18, 2015 7:13 PM

@ Jacob,

That has not just made me smile, it’s produced tears of mirth.

I guess we will see similar from China as well.

The only thing that worries me is the likes of TPP and other trade treaties with the clause that allows companies to sue states via secret court hearings and obtain significant damages.

rgaff August 18, 2015 7:54 PM

@Jesse

You forgot: then everyone sues supersoaker manufacturers for melting their cars…

rgaff August 18, 2015 8:04 PM

That whole microsoft-is-the-evilest vs microsoft-is-the-bestest exchange made me smile 😉

Dirk Praet August 18, 2015 8:10 PM

The more stories like this I read about Eugene Kaspersky and his company, the more I’m convinced that certain resourceful entities for unknown reasons want them off their turf. This is really starting to look like a JTRIG op.

Eric August 18, 2015 8:32 PM

The funny thing is though that Microsoft and many other vendors digitally sign the binaries that they ship. If the file has not been tampered with, then the signature should still be valid. And new malware binaries won’t be signed by Microsoft.

One would think that they could use heuristics that say that they expect certain files to be signed in a certain way, and if the files on disk are signed correctly and have not been tampered with, then they can be taken to be OK.

Wm August 18, 2015 8:38 PM

Come on folks. Don’t be naive when it comes to a company in the likes of Russia. Or am I not being politically correct enough here?

HGG August 18, 2015 9:30 PM

Not surprised. Catch phrases like, From Russia with Love, and Murder She Wrote, came to mind as the Brits say ready your horses.

Daniel August 18, 2015 11:00 PM

I’m with mafu on this one. I fail to see how MS’s or any other poor anti-virus detection code is Kaspersky’s problem. Seriously, we just had a major paper written justifying “legal hacking” and people are complaining about this?! At worst, it’s hardball business tactics and at best it’s smooth marketing.

I don’t know if it is true but even if it is, I fail to see the problem.

Curious August 19, 2015 3:29 AM

I am reminded of something I vaguely remember as a teenager. The entire class went to a courtroom for one day, and we sat there and listened to some courtroom case with specifics that I can’t say I remember anything of (I vaguely recall a knife stabbing being mentioned as some point). However, I do remember that I had the impression that every single one of the people testifying in court were decent honest people that all had told the truth. Only much later did I find it peculiar that it never occurred to me that time, not once, to even consider the possible motives of everyone involved.

Clive Robinson August 19, 2015 3:31 AM

@ Wm,

Come on folks. Don’t be naive when it comes to a company in the likes of Russia

Why limit yourself to any country? Both large and niche companies are “trans-national” these days.

As has been seen by other North American companies, coming to an accommodation with Governments of all flavours is the way to survive another day. It’s the old “bread today” not “jam tomorrow” short-term thinking driven by shareholders of such companies that makes them ideal targets of all manner of attacks.

We have seen since the end of WWII that Super Power countries fight “proxy wars” in small countries few have heard about prior to hostilities. Well, with many large corporates having more wealth and resources than many small countries, we should expect to see them become the new “proxies” for super power contests. Likewise niche companies have “disruptive technology” or a “household name” that not only make them targets for larger companies but Governments as well.

Kaspersky is a thorn in the Five-Eyes’ side and has been for quite a long time. As Kaspersky is outside their direct zone of political and legislative influence, other methods of control will be used. The product that Kaspersky makes is in the form of “information” not “physical” objects, thus it makes direct governmental squeezing via traditional routes such as import controls much harder. Thus doing them reputational damage is the next tried and tested method of influence. Failing that it’s send in the terrorists / organised crime etc to squeeze via soft human targets. These are all methods the super powers on both sides have used in living memory.

Are members of the Five-Eyes doing this? Who knows. Could it be another large Corporate such as Intel or Microsoft? Again, who knows. The target of the original attacks appears to have been Kaspersky rivals… but could it be their rivals’ technology was just easier to attack, and it’s actually cyber-criminals looking to gain advantage by making AV look much worse? Again, who knows.

It could be any and all being opportunistic; we don’t have anywhere near enough information to make a reasonable evidence list, let alone come up with a sensible suspect list. As for having any evidence, all we’ve been told is “two ex-employees” pointing at suspected attack evidence that has been known and discussed for quite a while in the AV industry. So we have nothing we can even investigate, because the “unnamed ex-employee” is the equivalent of “unnamed government official” as far as journalistic credibility is concerned.

However as I said above, companies are going to be the new “proxy countries” in any government’s Cyber hostilities.

Anatoly Nechaev August 19, 2015 5:37 AM

Let me take this conversation to a whole new level. Here a quote by Kaspersky himself from 2012:
We’ve already done it a couple of times. Two or three years ago with the German Computer Bild. We even ran joint tests: we compiled a couple of dozen “dummies” (the whole code was a page of calculations without any meaning, nothing else). We added detection for half of the “dummies” and not for the other half, and sent all of them to VirusTotal. Then, together with the astonished Germans, we watched our detections (including the names!) spread across products with stolen signatures. Naturally, nobody detected the “clean dummies”, only the ones we detected. The Germans were very impressed and prepared an article, but didn’t publish it (for a reason unknown to me). Got scared, probably… a pity.

In February of this year we gave a presentation (with slides, statistics and other figures) at our annual Security Analyst Summit conference http://www.kaspersky.com/sas2012 – the presentation was for analyst firms like IDC, Gartner, Forrester and so on. Since various scoundrels like AVG and Avast had either gone public or were planning to, the truth about their business had to be brought to investors, right? Otherwise it amounts to plain deception of investors, which is very bad…

http://www.anti-malware.ru/forum/index.php?showtopic=24588&page=3#entry164300

End of quote. [Translated from the Russian original.] Feel free to use a translator of your own preference.

TLDR version: they indeed created false positives, although not in secret but in collaboration with the German magazine Computer Bild. Those FPs were not of system files (at least he talks about them as placebos compiled by them). They’ve seen how those FPs migrate into others’ databases after being uploaded to VirusTotal. And they also made a presentation on this topic at Security Analyst Summit 2012. He didn’t make a secret back then that all this was targeted at the likes of AVG & Avast who IPO’d or were planning to.
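The placebo experiment quoted in the comment above, and the signature “watermarking” idea HiTechHiTouch raised earlier in the thread, as an added simulation that is not part of the post and not Kaspersky’s or any vendor’s code. The vendor names, the random “dummy” files, the hash-table engines and the copier’s behaviour (lifting four entries in five, names included) are all constructed assumptions; the point is the experimental design: detect half of a set of meaningless files, leave the other half as controls, and see whose verdicts track your choice of half.

```python
from __future__ import annotations
import hashlib
import random


def make_placebos(n: int, seed: int = 7) -> list[bytes]:
    """Constructed 'dummy' files: random bytes standing in for meaningless
    compiled code. Nothing about them could honestly be called malicious."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(256)) for _ in range(n)]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class HashVendor:
    """Minimal engine: a table of sample hash -> detection name."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.db: dict[str, str] = {}

    def add(self, sample: bytes, label: str) -> None:
        self.db[sha256(sample)] = label

    def scan(self, sample: bytes) -> str | None:
        return self.db.get(sha256(sample))

    def copy_from(self, other: HashVendor) -> None:
        """Assumed copier behaviour: lift four entries in five, names included."""
        for i, (h, label) in enumerate(other.db.items()):
            if i % 5 != 4:
                self.db[h] = label


class FlagEverythingVendor(HashVendor):
    """An honest but sloppy engine that dislikes every placebo on its own
    (say, a crude file-type heuristic). Included to show why the control
    half of the placebo set matters."""

    def scan(self, sample: bytes) -> str | None:
        return "Heuristic.Suspicious"


def plant_canaries(originator: HashVendor, placebos: list[bytes]) -> tuple[list[bytes], list[bytes]]:
    """Detect every second placebo (the canaries); leave the rest (controls) clean."""
    canaries, controls = placebos[::2], placebos[1::2]
    for i, p in enumerate(canaries):
        originator.add(p, f"Placebo.Canary.{i}")
    return canaries, controls


def copying_evidence(originator: HashVendor, suspect: HashVendor,
                     canaries: list[bytes], controls: list[bytes]) -> dict:
    """Compare the suspect's hit rate on canaries against its hit rate on controls."""
    canary_hits = [suspect.scan(p) for p in canaries]
    control_hits = [suspect.scan(p) for p in controls]
    canary_rate = sum(h is not None for h in canary_hits) / len(canaries)
    control_rate = sum(h is not None for h in control_hits) / len(controls)
    name_matches = sum(h == originator.scan(p)
                       for h, p in zip(canary_hits, canaries) if h is not None)
    return {
        "vendor": suspect.name,
        "canary_rate": canary_rate,
        "control_rate": control_rate,
        "name_matches": name_matches,
        # The placebos carry nothing detectable, so verdicts that follow the
        # originator's choice of half, and not the other half, point to copying.
        "copying": canary_rate - control_rate >= 0.5,
    }


def run_experiment(n_placebos: int = 20) -> dict[str, dict]:
    placebos = make_placebos(n_placebos)
    originator = HashVendor("Originator")
    canaries, controls = plant_canaries(originator, placebos)

    copier = HashVendor("Copier")
    copier.copy_from(originator)             # what sharing the samples lets a copier do
    independent = HashVendor("Independent")  # has never seen these files, flags nothing
    sloppy = FlagEverythingVendor("Sloppy")

    return {v.name: copying_evidence(originator, v, canaries, controls)
            for v in (copier, independent, sloppy)}


if __name__ == "__main__":
    for name, ev in run_experiment().items():
        print(f"{name:12s} canaries={ev['canary_rate']:.1f} controls={ev['control_rate']:.1f} "
              f"names={ev['name_matches']} copying={ev['copying']}")
```

The control half is what makes the result meaningful: an engine that simply dislikes all of the placebos scores 1.0 on both halves and is not accused, while the copier scores 0.8 on the canaries, 0.0 on the controls and reproduces the originator’s detection names. The same design is what the Google “synthetic queries” experiment mentioned earlier in the thread relies on.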

JD August 19, 2015 9:18 AM

I don’t see the issue at all.

The signatures are for use by Kaspersky software. Anyone else uses them at their own risk.

Stealing work is at a minimum copyright theft.
I’d be more worried about the bad karma from this from the people who stole.

SJ August 19, 2015 9:54 AM

As an interesting question:

even if Kaspersky did this, were they the only ones who did this?

What other actors, corporate* or individual, may have decided to submit false-positives in places like VirusTotal?


*To say a Corporation did something is to say that individuals working for the corporation did it.

However, the incentives of the individuals working on behalf of Corporate (or Government) entities are sufficiently different from incentives on those individuals working for their own benefits. Or for their own kicks and giggles…

Thus, we use phrases like “XYZ Corporation” and “TLA Government Office”…

John August 19, 2015 10:06 AM

@Wagner

From the slides:
Tor endpoints seem 4 times as infected as normal users
Tor endpoints send one tenth the rate of junk telemetry

This seems to make sense, especially with what we know about NSA compromising systems of interest. Poisoning the well to keep their tools safe also seems something they would be incentivized to do. And it would explain the lack of attribution back to them; they just intercept the phone-home call and change the message.

albert August 19, 2015 11:05 AM

Kaspersky has a point. They are unprovable allegations by ex-employees. AFAIK, no one has vetted these people to see proof that they are ex-employees. Gee, I guess you might need their names for that:)
.
One thing to remember: in the US, Russia is the enemy*. We’re flooded with anti-Russian propaganda 24/7/365. For reasons I won’t detail here, the US must have a steady supply of ‘enemies’ to fight ‘wars’ with. Within the geopolitical realm, assume that the US and their NATO lackeys lean away from ‘truth’, far away.
.
Frankly, I don’t see what difference it makes who did it. It’s a broken system that breaks AV broken systems, which then break a broken OS. The only thing that works is the system designed to separate you from your money.
…….
@jackson,
I spent most of my 22-year career in MS houses with MS products (from MS-DOS onward). I don’t ‘hate’ MS, but I prefer to have nothing to do with them or their products. The reasons are technical, financial, and ethical. You might read some early history about how the company got started, their management’s personal ‘ethics’, their legal problems (they spent $1.4B in one year on legal expenses), the business ‘plan’, etc. So don’t shoot the messengers, just counter the facts they present and prove them wrong, or shut up and go away.
.
.
*one of many, granted.
. .. . .. o

Sasparilla August 19, 2015 2:09 PM

Kaspersky is very unpopular in the upper levels of the U.S. surveillance establishment. I would not be surprised if this was not retaliation for outing the Equation Group’s software among other things. The fact that the manager for operations at Symantec thought this was a smear speaks to the allegations’ validity.

U.S. antivirus vendors are compromised and don’t out the NSA’s surveillance software if they stumble on it (that’s why you don’t hear of the FBI complaining about them etc.). But when you don’t bend over and do what the U.S. surveillance state wants, it takes matters into its own hands:

https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

Vesselin Bontchev August 20, 2015 11:24 AM

The Reuters story is complete and utter bullshit.

What it alleges that Kaspersky has done (targeting particular competitors to make them cause false positives) cannot be done. You can reverse-engineer a competing product and figure out how it works, you can create a file it will incorrectly detect, you can make the product cause false positives on your product – but you cannot make a particular product (which you don’t control) cause false positives on legitimate files that you do not control.

What can be done (and what has been done) is target the anti-virus industry as a whole. That is, figure out how a few products detect something, insert the data they are looking for in the right place in a legitimate file, and upload the file to VirusTotal or a similar service. The file is no longer legitimate, so detecting it isn’t a false positive. However, since a few products will be detecting it, and it will be distributed to pretty much everyone in the AV industry, you can hope that many of them will implement detection of it and, by doing so, they will pick pieces of code to identify that are present in the original, legitimate file, thus causing false positives.

This is very similar to what is described in the article. The main difference is that you cannot target it. You don’t know which part of the file will be picked for detection by a particular product. You cannot force a particular product to cause a false positive. You can just “throw your net wide” and hope that some products will fall for it – but you cannot control which ones will.

This attack was indeed performed against the AV industry in 2013 and several products did fall for it. The funny thing is that Kaspersky’s was one of them. 🙂

Another implausible thing in the Reuters article – according to these anonymous sources, Kaspersky wanted to “get even” at competing products who were stealing his malware detection data. So far so good – I know for a fact that several companies (mostly Chinese) indeed reverse-engineered his product and stole his detection data and algorithms. But note which products are listed in the article. One of them is… Microsoft!

We aren’t talking about some two-bit no-name impossible to reach Chinese producer. We are talking about a huge company that can be sued for hundreds of millions in damages, if it is caught stealing. And they stole Kaspersky’s data?! LOL, just LOL.

I consider the whole thing a hoax and a smear campaign. It might be more complicated than just two disgruntled employees badmouthing their former employer. Several government intelligence agencies have serious reasons to be pissed at Kaspersky for the work he has done in the past. Looks like a PsyOp to me.
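The mechanism described in the Reuters excerpt at the top of the post and spelled out in more detail in the comment above, as an added example that is not part of the post, the article, or any vendor’s code. Everything in it is constructed: the “clean” file, the marker bytes that stand in for something other products already detect, and the two lazy signature learners are stand-ins for how an engine might pick bytes from a flagged sample. The corpus-checked learner at the end is one defence I chose for illustration (diff the sample against the nearest known-good file and only sign the foreign bytes), not a description of how any real engine works.

```python
from __future__ import annotations

# Constructed stand-in for a legitimate binary (think: a printer driver).
# The layout is fixed so that the offsets used below mean something.
HEADER = b"MZ\x90\x00" + b"\x00" * 60                     # bytes 0..64
PROLOGUE = b"\x55\x8b\xec\x83\xec\x10" * 8                 # bytes 64..112, "entry point" code
NAME = b"PrinterSpoolerInit\x00"                           # bytes 112..131, a string in the file
BODY = b"\x8b\x45\x08\x50\xe8\x00\x00\x00\x00" * 8         # bytes 131..203
PAD = b"\x00" * 64                                         # bytes 203..267
CLEAN = HEADER + PROLOGUE + NAME + BODY + PAD
ENTRY = len(HEADER)
INJECT_AT = len(HEADER) + len(PROLOGUE) + len(NAME)        # where the "wad of bad code" goes

# Constructed stand-in for bytes that some other product already detects.
MARKER = b"\xeb\xfe\x90\x90EVIL_PAYLOAD_STUB\x90\x90"


def doctor(clean: bytes, marker: bytes, offset: int) -> bytes:
    """Splice `marker` into `clean` at `offset`; everything else stays intact."""
    return clean[:offset] + marker + clean[offset:]


# --- two lazy ways to "learn" a signature from a sample that peers flag ---

def entry_point_signature(sample: bytes, length: int = 32) -> bytes:
    """Take the code at the entry point. The injection did not touch it, so
    this is really a signature for the host file, not for the payload."""
    return sample[ENTRY:ENTRY + length]


def longest_string_signature(sample: bytes, min_len: int = 6) -> bytes:
    """Take the longest printable run. Here the clean file's own name wins
    over the shorter string inside the marker."""
    best, run = b"", b""
    for b in sample:
        if 0x20 <= b < 0x7F:
            run += bytes([b])
        else:
            best, run = max(best, run, key=len), b""
    best = max(best, run, key=len)
    return best if len(best) >= min_len else b""


# --- a safer way: isolate what is foreign relative to known-good files ---

def foreign_bytes(sample: bytes, reference: bytes) -> bytes:
    """Drop the longest common prefix and suffix with `reference`; what is
    left is the material that was added (for a splice, exactly the insert)."""
    n = min(len(sample), len(reference))
    p = 0
    while p < n and sample[p] == reference[p]:
        p += 1
    s = 0
    while s < n - p and sample[-1 - s] == reference[-1 - s]:
        s += 1
    return sample[p:len(sample) - s]


def safe_signature(sample: bytes, known_good: list[bytes], min_len: int = 12) -> bytes | None:
    """Smallest foreign region over all known-good references; refused if it
    is too short to be distinctive or still matches any known-good file."""
    sig = min((foreign_bytes(sample, ref) for ref in known_good), key=len)
    if len(sig) < min_len or any(sig in ref for ref in known_good):
        return None
    return sig


def scan(signature: bytes, files: dict[str, bytes]) -> list[str]:
    """Names of the files a plain substring signature would flag."""
    return [name for name, data in files.items() if signature in data]


def demo() -> dict[str, list[str]]:
    doctored = doctor(CLEAN, MARKER, INJECT_AT)
    files = {"clean_driver": CLEAN, "doctored_sample": doctored}
    results = {
        "entry_point": scan(entry_point_signature(doctored), files),
        "longest_string": scan(longest_string_signature(doctored), files),
    }
    safe = safe_signature(doctored, known_good=[CLEAN])
    results["corpus_checked"] = scan(safe, files) if safe else []
    return results


if __name__ == "__main__":
    for learner, flagged in demo().items():
        print(f"{learner:15s} flags: {flagged}")
```

Both lazy learners flag the clean driver along with the doctored sample, which is the “normal printer code looked so much like the altered code” outcome from the post; the diff-based learner signs only the spliced-in bytes and flags the sample alone. The other obvious guard, raised by Eric earlier in the thread, is to check the publisher’s code signature before quarantining: the doctored copy cannot carry a valid one.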

Clive Robinson August 20, 2015 12:54 PM

@ Vesselin Bontchev,

… but you cannot make a particular product (which you don’t control) cause false positives on legitimate files that you do not control

I disagree and so do many malware writers.

Whilst some AV software looks for an exact match on a given string of data, most gave that up a long time ago. This is because the CISC implementation that IAx86 is has redundancy in its instruction set that enables code with the same desired functionality to be written just by swapping assembler code instructions.

One way that such code has been spotted is to effectively look for invariable code fragments with variable code linking them. This can and has been done with what is in effect an array of matched filters. The problem with this is deciding how large to make each matched filter and the weighting to give each code component. Thus if somebody uses a different array size or weighting to everybody else and you know what they are, you can design a code string that crosses over its threshold whilst not crossing the threshold of your own array and weightings.

The last time I or my then colleagues looked at it most AV code was more complicated than this, but the basic principle still holds.

Those writing malware use a similar technique, but designed to stay below the threshold of most –but not all– AV software. Whilst it is moderately easy to get past one AV instance, the task gets progressively harder to a low power order for each additional AV instance you want to get past.

With regards your last paragraph, yup as I said above my first guess would be the FiveEyes for state level attacks. Because they have the resources to do the testing etc required to commit such a campaign.
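The weighted matched-filter detector and the threshold-crossing construction described in the comment above, as an added toy example; it is not code from any AV engine and not part of the post. The five fragments, the two weight tables and the thresholds are constructed assumptions, and knowing the competitor’s table (the reverse-engineering step the comment takes for granted) is assumed rather than shown.

```python
from __future__ import annotations
from itertools import combinations

# Constructed stand-ins for invariant code fragments a matched filter keys on.
FRAGMENTS: dict[str, bytes] = {
    "F1": b"\x55\x8b\xec",              # push ebp; mov ebp, esp
    "F2": b"\x64\xa1\x30\x00\x00\x00",  # mov eax, fs:[0x30]
    "F3": b"\xe8\x00\x00\x00\x00\x5b",  # call $+5; pop ebx
    "F4": b"\x0f\x31",                  # rdtsc
    "F5": b"\xcd\x2e",                  # int 0x2e
}


class FragmentEngine:
    """Score a file by the weights of the fragments it contains; flag at threshold."""

    def __init__(self, name: str, weights: dict[str, int], threshold: int) -> None:
        self.name, self.weights, self.threshold = name, weights, threshold

    def score(self, data: bytes) -> int:
        return sum(w for frag, w in self.weights.items() if FRAGMENTS[frag] in data)

    def flags(self, data: bytes) -> bool:
        return self.score(data) >= self.threshold


def build(chosen: list[str]) -> bytes:
    """A 'file' containing exactly the chosen fragments, separated by NOP filler."""
    return b"\x90" * 4 + b"\x90\x90".join(FRAGMENTS[f] for f in chosen) + b"\x90" * 4


def craft(target: FragmentEngine, own: FragmentEngine) -> list[str] | None:
    """Smallest fragment set that `target` flags and `own` does not, or None.
    Brute force over subsets is fine for five fragments; a real table would
    need a search over scores instead."""
    names = sorted(FRAGMENTS)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            data = build(list(combo))
            if target.flags(data) and not own.flags(data):
                return list(combo)
    return None


# Constructed weightings. The competitor's table is the thing you would have
# to recover by reverse engineering; here it is simply given.
COMPETITOR = FragmentEngine("competitor",
                            {"F1": 3, "F2": 4, "F3": 2, "F4": 1, "F5": 1}, threshold=6)
OURS = FragmentEngine("ours",
                      {"F1": 1, "F2": 2, "F3": 5, "F4": 4, "F5": 3}, threshold=7)


def demo() -> dict[str, object]:
    chosen = craft(COMPETITOR, OURS)
    data = build(chosen) if chosen else b""
    return {
        "fragments": chosen,
        "competitor_score": COMPETITOR.score(data),
        "competitor_flags": COMPETITOR.flags(data),
        "our_score": OURS.score(data),
        "our_flags": OURS.flags(data),
    }


if __name__ == "__main__":
    print(demo())
    print("reverse direction:", craft(OURS, COMPETITOR))
```

With these tables the first two fragments alone score 7 for the competitor (flagged at 6) and only 3 for us (flagged at 7). Run the other way round, `craft(OURS, COMPETITOR)` finds a set we flag and the competitor does not, so the construction is symmetric: it needs nothing but the other side’s weights, which is why the comment makes the reverse-engineering step the precondition.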

vgor August 20, 2015 8:56 PM

@ Curious

Only much later did I find it peculiar that it never occurred to me that time, not once, to even consider the possible motives of everyone involved.

Innocent until proven guilty is within us thus we expect that of others. You can attribute that to naivety but distrust is a learned process.

VinnyG August 21, 2015 7:45 AM

@Vesselin Bontchev; jackson; HiTechHiTouch:

If you were around IT in the 1990’s, you would realize that the Microsoft to which you ascribe such high standards is the same company that expropriated the Stacker algorithm from Stac Software and used it in DoubleSpace (Windows 98) before forging an agreement with Stac about purchase of same, under the arrogant assumption that Stac would do the appropriate beg and roll over tricks when MS dangled a biscuit of MS’ choosing under Stac’s corporate nose. After all, what small software company could refuse the advances of the great and powerful wizards of Redmond? Actually, Stac did say “no”, resulting in a series of civil legal actions and ultimately (iirc) forcing Microsoft to purchase Stac outright. This was typical of MS’ behavior during that period. Maybe that behavior has improved, maybe their legal team is more skilled at hiding such things, or maybe our expectations for ethical behavior from IT vendors have plummeted.

-VinnyG

Russtopia August 21, 2015 7:38 PM

@Marshmallow:

Do you code in Delphi? Or use Delphi components? Or .EXE packers?

I’ve seen antivirus products flag some of the above as malware, just because they were/are used by certain larger pirate groups in writing their key-gen programs.

The antivirus companies, being lazy I suspect, just flagged the signature of the packing code or common components as the signature, not what the programs were actually doing (supplying a key is not malware; it might be immoral, illegal, or just copyright infringement, but they’re not the same as malware or viruses).

The more conspiratorial-minded out there have accused antivirus companies of taking payments from the BSA, etc. to purposely do this, of course.

Sam August 22, 2015 2:19 PM

@VinnyG-
Did you just ask Vesselin Bontchev if he was “around IT” in the ’90s? This place only gets more amusing…

Clive Robinson August 23, 2015 1:11 PM

@ Sam,

Did you just ask Vesselin Bontchev if he was “around IT” in the ’90s

Are you not making an assumption?

After all the person posting as “Vesselin Bontchev” above could be anybody, by that name or choosing to use that name; after all they do not claim to be the Bulgarian researcher for FRISK, nor involved with the design of AV software.

After all, according to Vesselin Bontchev, Dark Avenger and other malware was falsely attributed back in 2000/1, so he has some experience of smear campaigns, possibly originating from the likes of western IC.

Bill Gates October 25, 2016 12:55 AM

That’s not “faking” malware!

Thanks Krebs for another click bait moron-a-thon.

If someone was cheating off your paper in High School and you intentionally wrote down wrong answers and the cheater got an F, would you then give the person whose test was being copied without permission detention???

LOGIC!

This article is absurd, and the comments are absurd. Kaspersky has issues, but it does more than a lot of these companies who basically have done nothing with their product engines for 10 years in some cases.
