Kaspersky Lab denies allegations it induced false positive AV detections

A Reuters article claimed the Russian cybersecurity firm intentionally poisoned good files to throw off competitors' antivirus detection.
A Reuters article claimed the Russian cybersecurity firm intentionally poisoned good files to throw off competitors' antivirus detection.

A new report claims Russia-based cybersecurity company Kaspersky Lab attempted to sabotage competitors' antivirus (AV) software for nearly 10 years by allegedly inducing false positive malware detection.

Citing former employees, Reuters reported that Kaspersky assigned employees to reverse engineer competitors' AV software in order to devise a way to trick it into marking good files as malicious. The Russian company and its CEO, Eugene Kaspersky, were allegedly upset over AV firms using Kaspersky's findings to better their own products, as opposed to discovering malicious files on their own, Reuters reported.

Kaspersky denied these claims in an emailed statement to SCMagazine.com.

“Contrary to allegations made in a Reuters news story, Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing,” the statement said. “Such actions are unethical, dishonest and illegal. Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false.”

Even still, the former staffers claimed Microsoft, AVG Technologies, and Avast Software were among those targeted, and some even deleted or disabled essential files on their users' computers as a result.

Microsoft and AVG wouldn't comment on the allegations. A request is still out to Avast.

The scheme apparently relied heavily on VirusTotal, a free online service that “analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and websites scanners,” as written on the VirusTotal website.

The online portal allows companies to upload findings and generally share information among one another. However, Kaspersky allegedly became upset that its efforts often went unreturned and could bring them down in the market. Because of this, the company allegedly became particularly upset in 2010 and tried to garner awareness around intellectual property. It wanted mutual respect among organizations who share information, Reuters said.

Reuters claims that during this time, the company amplified its sabotage efforts. While Kaspersky denies this, it did acknowledge in its statement that it conducted an “experiment” that year that involved uploading 20 samples of “non-malicious files” to the VirusTotal multi-scanners, which, Kaspersky wrote, “would not cause false positives as these files were absolutely clean, useless and harmless.”

The company said it publicized this experiment and used it to “draw the security community's attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity.”

The experiment led to discussion among AV providers and Kaspersky said all involved parties understood the issue and “were in agreement on all major points,” particularly on malicious files warranting further research before being flagged.

Kaspersky indicated it also had false positive results in 2012 after an “unknown source” uploaded bad files to VirusTotal. In turn, the company and other AV vendors met in 2013 to “exchange information about the incidents, work out the motives behind this attack and develop an action plan." The company also said in its statement that it's "unclear who was behind this campaign."

This isn't the first controversy for Kaspersky. Earlier this year, Bloomberg indicated that its CEO held intimate ties with Russia's former security agency, the KGB. He denied these claims in a blog post. The company also found hackers' malware on its own systems earlier this year.

UPDATE: Avast replied to SCMagazine.com's request for comment and said: "We can neither confirm nor deny that Kaspersky is responsible for the alleged attacks. If this really is the case, we feel very sorry and disappointed by this act. Our team is committed to keeping the bad guys away from our systems. Every day, attackers try to game our cloud-based detection and reputation systems, as can be seen in cases such as the recent Hacking Team archives published by Wikileaks. The idea of a legitimate, established company -- moreover, one of our competitors -- standing behind some of these attacks is truly very disheartening."
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS