Reuters published a story today claiming security firm Kaspersky Lab tried to damage rivals (including Microsoft, AVG, and Avast) by tricking their antivirus software programs into classifying benign files as malicious so that they would disable or delete critical system components. The report is allegedly based on accounts of two former Kaspersky employees who claimed that the company was looking to build market share and that cofounder and CEO Eugene Kaspersky wanted to retaliate against smaller rivals that he felt were copying his security tool.
The report included a denial from the company (“never conducted any secret campaign to trick competitors into generating false positives to damage their market standing”), and soon after it was published, Eugene tweeted that it was “complete BS.” Now he has penned a blog post denouncing it further:
The Reuters story is based on information provided by anonymous former KL employees. And the accusations are complete nonsense, pure and simple.
Disgruntled ex-employees often say nasty things about their former employers; but, in this case, the lies are just ludicrous. Maybe these sources managed to impress the journalist, but in my view publishing such an ‘exclusive’ — WITHOUT A SHRED OF EVIDENCE — is not what I understand to be good journalism. I’m just curious to see what these ‘ex-employees’ tell the media next time about us, and who might believe this BS.
The former Kaspersky employees allegedly told Reuters that company researchers were assigned to work for weeks or months on the supposed sabotage projects. They manipulated false positives “off and on for more than 10 years, with the peak period between 2009 and 2013,” the report said.
There are two problems here. The security issue is that a company creating and distributing malware to attack rivals would not only be indirectly damaging its competitors, it would also be directly hurting users. The bigger issue is that the report doesn’t present any evidence, beyond anonymous testimony, that Kaspersky did this.
Eugene gives a different narrative of the events:
In 2012-2013, the anti-malware industry suffered badly because of serious problems with false positives. And unfortunately, we were among the companies badly affected. It turned out to be a coordinated attack on the industry: someone was spreading legitimate software laced with malicious code targeting specifically the antivirus engines of many companies, including Kaspersky Lab. It remains a mystery who staged the attack, but now I’m being told it was me! I sure didn’t see that one coming, and am totally surprised by this baseless accusation!
Here’s how it happened: in November 2012 our products produced false positives on several files that were in fact legitimate. These were the Steam client, Mail.ru game center, and QQ client. An internal investigation showed that these incidents occurred as the result of a coordinated attack by an unknown third party.
For several months prior to the incidents, through intra-industry information-exchange channels such as the VirusTotal website, our anti-malware research lab repeatedly received numerous slightly modified legitimate files of Steam, Mail.ru and QQ. The creator(s) of these files added pieces of malicious code to them.
Later we came to the conclusion that the attackers might have had prior knowledge about how different companies’ detection algorithms work and injected the malicious code precisely in a place where auto systems would search for it.
These newly received modified files were evaluated as malicious and stored in our databases. In total, we received several dozen legitimate files containing malicious code.
False positives started to appear once legitimate owners of the files released updated versions of their software. The system compared the files to the malware database – which contained very similar files – and deemed the legitimate files malicious. After that, we upgraded our detection algorithms to avoid such detections.
Meanwhile the attacks continued through 2013 and we continued to receive modified legitimate files. We also became aware that our company was not the only one targeted by this attack: other industry players received these files as well and mistakenly detected them.
In 2013 there was a closed-door meeting among leading cybersecurity and other software industry players that also suffered from the attack — as well as vendors that were not affected by the problem but were aware of it. During that meeting the participants exchanged information about the incidents, tried to figure out the reasons behind them, and worked on an action plan. Unfortunately no breakthrough occurred, though some interesting theories regarding attribution were expressed. In particular, the participants of the meeting considered that some other AV vendor could be behind the attack, or that the attack was an attempt by an unknown but powerful malicious actor to adjust its malware in order to avoid detection by key AV products.
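To make the mechanism described in the quoted account concrete, here is a constructed Python toy (added here; it is not Kaspersky's engine or code from the post): a fuzzy matcher that turns every feature of a submitted sample into a signature is poisoned by a legitimate file with a stub inserted, so the vendor's next release trips it, while an engine that subtracts the features of a known-good baseline before building the signature keeps only the injected part. The baseline subtraction is one assumed mitigation; the post does not say what algorithm change was made.

```python
import random

WINDOW = 8  # bytes per overlapping window; constructed toy parameter

def features(data: bytes) -> set:
    """Set of overlapping byte windows: the features a fuzzy matcher keys on."""
    return {data[i:i + WINDOW] for i in range(len(data) - WINDOW + 1)}

def containment(sig: set, feats: set) -> float:
    """Fraction of a signature's features that appear in a file."""
    return len(sig & feats) / len(sig) if sig else 0.0

class NaiveEngine:
    """Turns every feature of a submitted sample into its signature."""
    def __init__(self, threshold: float = 0.5):
        self.db, self.threshold = [], threshold
    def learn(self, sample: bytes) -> None:
        self.db.append(features(sample))
    def is_malicious(self, data: bytes) -> bool:
        feats = features(data)
        return any(containment(sig, feats) >= self.threshold for sig in self.db)

class BaselinedEngine(NaiveEngine):
    """Keeps only features absent from a known-good corpus, so a sample that is
    mostly a legitimate file yields a signature for the inserted part alone."""
    def __init__(self, known_good, threshold: float = 0.5):
        super().__init__(threshold)
        self.good = set().union(*(features(g) for g in known_good))
    def learn(self, sample: bytes) -> None:
        sig = features(sample) - self.good
        if sig:  # a re-submission of a known-good file leaves nothing to learn
            self.db.append(sig)

# Constructed data: a "legitimate" 1 KiB binary, a poisoned copy with a stub
# inserted, and the vendor's next release that differs slightly from v1.
_rng = random.Random(1)
LEGIT_V1 = bytes(_rng.getrandbits(8) for _ in range(1024))
INJECTED = b"<constructed stub standing in for the injected code>"
POISONED = LEGIT_V1[:512] + INJECTED + LEGIT_V1[512:]
LEGIT_V2 = LEGIT_V1[:100] + bytes(32) + LEGIT_V1[132:] + b"v2.0"

def run(engine) -> dict:
    """Submit the poisoned sample, then classify the poisoned file and v2."""
    engine.learn(POISONED)
    return {"poisoned": engine.is_malicious(POISONED),
            "legit_v2": engine.is_malicious(LEGIT_V2)}

if __name__ == "__main__":
    print("naive    ", run(NaiveEngine()))                # v2 flagged: false positive
    print("baselined", run(BaselinedEngine([LEGIT_V1])))  # only the poisoned file
```

The naive engine flags the legitimate v2 release because roughly nine tenths of its signature is the legitimate file itself; the baselined engine's signature is the inserted stub and the windows straddling it, which v2 does not contain.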
In short, one or more parties definitely created false positives for years with the sole purpose of damaging antivirus companies and their customers. Whether Kaspersky was behind such a campaign has yet to be proven, one way or the other.
The most important part here is that, despite all this, the security industry as a whole ended up working more closely together to fight back. Both reports, from Reuters and Eugene, agree that these particular problems surrounding false positives ended in 2013.