They said the secret campaign targeted Microsoft Corp <MSFT.O>, AVG
Technologies NV <AVG.N>, Avast Software and other rivals, fooling
some of them into deleting or disabling important files on their
customers' PCs.
Some of the attacks were ordered by Kaspersky Lab's co-founder,
Eugene Kaspersky, in part to retaliate against smaller rivals that
he felt were aping his software instead of developing their own
technology, they said.
"Eugene considered this stealing," said one of the former employees.
Both sources requested anonymity and said they were among a small
group of people who knew about the operation.
Kaspersky Lab strongly denied that it had tricked competitors into
categorizing clean files as malicious, so-called false positives.
"Our company has never conducted any secret campaign to trick
competitors into generating false positives to damage their market
standing," Kaspersky said in a statement to Reuters. "Such actions
are unethical, dishonest and their legality is at least
questionable."
Executives at Microsoft, AVG and Avast previously told Reuters that
unknown parties had tried to induce false positives in recent years.
When contacted this week, they had no comment on the allegation that
Kaspersky Lab had targeted them.
The Russian company is one of the most popular antivirus software
makers, boasting 400 million users and 270,000 corporate clients.
Kaspersky has won wide respect in the industry for its research on
sophisticated Western spying programs and the Stuxnet computer worm
that sabotaged Iran's nuclear program in 2009 and 2010.
The two former Kaspersky Lab employees said the desire to build
market share also factored into Kaspersky's selection of competitors
to sabotage.
"It was decided to provide some problems" for rivals, said one
ex-employee. "It is not only damaging for a competing company but
also damaging for users' computers."
The former Kaspersky employees said company researchers were
assigned to work for weeks or months at a time on the sabotage
projects.
Their chief task was to reverse-engineer competitors' virus
detection software to figure out how to fool them into flagging good
files as malicious, the former employees said.
The opportunity for such trickery has increased over the past decade
and a half as the soaring number of harmful computer programs has
prompted security companies to share more information with each
other, industry experts said. They licensed each other's
virus-detection engines, swapped samples of malware, and sent
suspicious files to third-party aggregators such as Google Inc's
<GOOGL.O> VirusTotal.
By sharing all this data, security companies could more quickly
identify new viruses and other malicious content. But the
collaboration also allowed companies to borrow heavily from each
other's work instead of finding bad files on their own.
Kaspersky Lab in 2010 complained openly about copycats, calling for
greater respect for intellectual property as data-sharing became
more prevalent.
In an effort to prove that other companies were ripping off its
work, Kaspersky said it ran an experiment: It created 10 harmless
files and told VirusTotal that it regarded them as malicious.
VirusTotal aggregates information on suspicious files and shares
them with security companies.
Within a week and a half, all 10 files were declared dangerous by as
many as 14 security companies that had blindly followed Kaspersky's
lead, according to a media presentation given by senior Kaspersky
analyst Magnus Kalkuhl in Moscow in January 2010.
When Kaspersky's complaints did not lead to significant change, the
former employees said, it stepped up the sabotage.
INJECTING BAD CODE
In one technique, Kaspersky's engineers would take an important
piece of software commonly found in PCs and inject bad code into it
so that the file looked like it was infected, the ex-employees said.
They would send the doctored file anonymously to VirusTotal.
Then, when competitors ran this doctored file through their virus
detection engines, the file would be flagged as potentially
malicious. If the doctored file looked close enough to the original,
Kaspersky could fool rival companies into thinking the clean file
was problematic as well.
VirusTotal had no immediate comment.
In its response to written questions from Reuters, Kaspersky denied
using this technique. It said it too had been a victim of such an
attack in November 2012, when an "unknown third party" manipulated
Kaspersky into misclassifying files from Tencent <0700.HK>, Mail.ru
<MAILRq.L> and the Steam gaming platform as malicious.
The extent of the damage from such attacks is hard to assess because
antivirus software can throw off false positives for a variety of
reasons, and many incidents get caught after a small number of
customers are affected, security executives said.
The former Kaspersky employees said Microsoft was one of the rivals
that were targeted because many smaller security companies followed
the Redmond, Washington-based company's lead in detecting malicious
files. They declined to give a detailed account of any specific
attack.
Microsoft's antimalware research director, Dennis Batchelder, told
Reuters in April that he recalled a time in March 2013 when many
customers called to complain that a printer code had been deemed
dangerous by its antivirus program and placed in "quarantine."
Batchelder said it took him roughly six hours to figure out that the
printer code looked a lot like another piece of code that Microsoft
had previously ruled malicious. Someone had taken a legitimate file
and jammed a wad of bad code into it, he said. Because the normal
printer code looked so much like the altered code, the antivirus
program quarantined that as well.
Over the next few months, Batchelder's team found hundreds, and
eventually thousands, of good files that had been altered to look
bad. Batchelder told his staff not to try to identify the culprit.
"It doesn't really matter who it was," he said. "All of us in the
industry had a vulnerability, in that our systems were based on
trust. We wanted to get that fixed."
In a subsequent interview on Wednesday, Batchelder declined to
comment on any role Kaspersky may have played in the 2013 printer
code problems or any other attacks. Reuters has no evidence linking
Kaspersky to the printer code attack.
As word spread in the security industry about the induced false
positives found by Microsoft, other companies said they tried to
figure out what went wrong in their own systems and what to do
differently, but no one identified those responsible.
At Avast, a largely free antivirus software maker with the biggest
market share in many European and South American countries,
employees found a large range of doctored network drivers,
duplicated for different language versions.
Avast Chief Operating Officer Ondrej Vlcek told Reuters in April
that he suspected the offenders were well-equipped malware writers
and "wanted to have some fun" at the industry's expense. He did not
respond to a request on Thursday for comment on the allegation that
Kaspersky had induced false positives.
WAVES OF ATTACKS
The former employees said Kaspersky Lab manipulated false positives
off and on for more than 10 years, with the peak period between 2009
and 2013.
It is not clear if the attacks have ended, though security
executives say false positives are much less of a problem today.
That is in part because security companies have grown less likely to
accept a competitor's determinations as gospel and are spending more
to weed out false positives.
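As an added illustration of the trust problem the article describes in the "Injecting bad code" section and of the countermeasure this paragraph mentions (not code from the article or from any vendor named in it), the following constructed Python model contrasts an engine that generalises a peer's verdict to look-alike files with one that treats peer data only as a hint; all file contents, hashes and vendor names are invented for the example.

```python
from __future__ import annotations
import hashlib

# Constructed data for this example: a "clean" driver image and a doctored
# copy with junk appended so that it resembles the original almost byte-for-byte.
CLEAN = b"PRINTER-DRIVER-1.0 " + bytes(range(256)) * 4
DOCTORED = CLEAN + b"\x00INJECTED-JUNK-MARKER\x00"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hashes of files the vendor verified itself (e.g. signed publisher releases).
# Constructed here from CLEAN; a real allowlist would come from a trusted source.
KNOWN_GOOD = {sha256(CLEAN)}


def similarity(a: bytes, b: bytes) -> float:
    """Share of the longer input covered by the common byte prefix. This is a
    deliberately crude stand-in for an engine's fuzzy/heuristic matching."""
    common = 0
    for x, y in zip(a, b):
        if x != y:
            break
        common += 1
    return common / max(len(a), len(b))


def naive_verdict(sample: bytes, peer_bad: list[bytes]) -> str:
    """The trust-based model the article describes: a peer's 'malicious'
    verdict is generalised to anything that looks like the flagged sample,
    so the clean original gets quarantined along with the doctored copy."""
    if any(similarity(sample, bad) >= 0.9 for bad in peer_bad):
        return "malicious"
    return "unknown"


def hardened_verdict(sample: bytes, peer_flags: dict[str, set[str]],
                     own_bad: set[str], min_vendors: int = 3) -> str:
    """Peer data is a hint, never a verdict: the allowlist wins, only the
    vendor's own analysis blocks, and peer flags only queue exact hashes
    (never look-alikes) for human review once several vendors agree."""
    h = sha256(sample)
    if h in KNOWN_GOOD:
        return "clean"       # verified file: a peer flag cannot override this
    if h in own_bad:
        return "malicious"   # our own analysis confirmed it
    if len(peer_flags.get(h, set())) >= min_vendors:
        return "review"      # corroborated by several peers: analyse, don't block
    return "unknown"
```

The naive engine flags CLEAN because it is 98% identical to DOCTORED; the hardened one returns "clean" for it regardless of how many peers flagged the doctored copy.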
AVG's former chief technology officer, Yuval Ben-Itzhak, said the
company suffered from troves of bad samples that stopped after it
set up special filters to screen for them and improved its detection
engine.
"There were several waves of these samples, usually four times per
year. This crippled-sample generation lasted for about four years.
The last wave was received at the beginning of the year 2013," he
told Reuters in April.
AVG's chief strategy officer, Todd Simpson, declined to comment on
Wednesday.
Kaspersky said it had also improved its algorithms to defend against
false virus samples. It added that it believed no antivirus company
conducted the attacks "as it would have a very bad effect on the
whole industry."
"Although the security market is very competitive, trusted
threat-data exchange is definitely part of the overall security of
the entire IT ecosystem, and this exchange must not be compromised
or corrupted," Kaspersky said.
(Reporting by Joseph Menn; Editing by Tiffany Wu)
© 2015 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.