I'd find this very surprising, if true. When I worked for a company that was essentially developing malware, we were able to get ourselves whitelisted by most anti-virus software (either by going through an automated submission process, or outright bribery). The only one who wouldn't budge on principal, no matter what we offered, was Kaspersky. All the others either auto-whitelisted us when we asked or after we paid them. I gained a lot of respect for Kaspersky for that (and lost a lot of respect for the majority of their competitors).
If that happened, it had nothing to do with bribery and corruption, but incompetence.
Kaspersky's refusal isn't a sign of their integrity, but avoidance of an obvious trap. I'm not saying they don't have integrity, but even if they didn't, it would be very dumb to take that bribe, especially in a country very familiar with corporate blackmail.
Their products haven't been system hogs for a long time now. I used Norton AV on a fairly reedy dual core Celeron (1.8 GHz) with a platter drive and it only slowed that thing down when it was running a scheduled scan.
"[...], Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an "unknown third party" manipulated Kaspersky into misclassifying files [...]"
"The former Kaspersky employees said Microsoft was one of the rivals [...] They declined to give a detailed account of any specific attack."
"In a subsequent interview on Wednesday, Batchelder declined to comment on any role Kaspersky may have played in the 2013 printer code problems or any other attacks. Reuters has no evidence linking Kaspersky to the printer code attack."
"Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and "wanted to have some fun" at the industry's expense. He did not respond to a request on Thursday for comment on the allegation that Kaspersky had induced false positives."
So, no one says it's Kaspersky, someone called "former employees" says it was, but can't provide any example...
Not a bit coincidental that said firm seems to be the only antivirus firm in recent memory (unless I'm mistaken) that seems to be able or willing to uncover government-level shenanigans. No, not a bit coincidental at all.
It's also not coincidental at all that Kaspersky steers clear of exposing any shenanigans by Moscow. I mean, Eug himself claims Russia produces not only the best programmers but also the best exploit writers.... But surprisingly no exposés on them.
Or maybe Russia just doesn't spend as much on this stuff as western governments do.
There have been exposés by western AV firms too, but not as many and not as good. If there was obviously Russian govt malware out there, it'd surface sooner or later. We've seen American, Chinese, British, French, Israeli ...... seems odd that there's no Russian yet. But then I get the impression that Russian spying is overblown anyway. They seem to mostly focus inwards these days, or focus only on the former Soviet satellite states. USA has a much more aggressive global agenda.
>Not a bit coincidental that said firm seems to be the only antivirus firm in recent memory (unless I'm mistaken) that seems to be able or willing to uncover government-level shenanigans.
Like in that joke (an American says "we have freedom - we can criticize Reagan freely", and the Russian responds "we have freedom too, as we can criticize Reagan freely too") - Kaspersky was pretty active in uncovering Stuxnet, i.e. shenanigans of the US/Israel governments :)
The article is about how Reuters biases public perception in favor of Palestinians and it's written by Henry I. Silverman who may or may not have an agenda of his own. That's the thing, everyone has an agenda. Just because someone is calling someone out on something that does not mean that they themselves are not motivated by their own agenda.
Meh, it was an "example given". How much do you want? Another famous one would be MH17 and Fedotov. Also you should read the definition of agenda, you clearly misused it. ("the things that must be done"[1]). The word you were looking for was motive.
That Reuters isn't a reliable source of information isn't a matter of motive or "agenda", it is common sense within educated circles.
I tried to find their reporting on the build-up to the Iraq war - if they did it, it would be there. But I found nothing - seems like everything has been scrubbed from Google :( On reuters / iraq in range 2003-2004 Google finds nothing hosted on their domain.
The Bush story is fluff, but the grandparent comment was talking about "fluff AND propaganda", which obviously doesn't apply to the Bush article. (I assume it didn't mean "fluff OR propaganda" because obviously that wouldn't apply to the Kaspersky article).
> Asked by Winfrey whether he regretted the decision to invade Iraq based on unfounded intelligence that leader Saddam Hussein had weapons of mass destruction, Bush admitted feeling "terrible" and "sickened" about being wrong the weapons, but blamed Hussein.
I consider this to be propaganda. First time I've seen reuters accidentally a word too. Down further in my estimation!
Reporting on his comments in a book interview with Oprah is hardly "propaganda"! Good on Oprah for bringing up the topic. Everyone knows he's responsible for the fiasco of the Iraq war and there were no WMDs. Oprah prodded him as much as was appropriate, then left it at that. Reuters was just reporting on the interview. I'm pretty certain if you bothered to look you'd probably find lots of Reuters stories where they probe Bush much deeper on this issue and give him a thrashing. (I haven't looked myself, but I'd be very surprised if that wasn't the case).
Anyway, if you think that is propaganda you should perhaps visit Russia to see what real propaganda looks like.
So, the whole article is bunk because it is based on anonymous sources and did not get responses from all parties involved, but then because the headline has the word "Russia" in it, that's firm evidence of secret US government collusion with a major news outlet.
No, it's bunk because it provides zero evidence but plenty of innuendo and unfounded allegations/accusations, and yes, a secret plan between the US gov and a US-based media corporation is infinitely more plausible than a reputable antivirus vendor like Kaspersky sabotaging its rivals.
"Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran's nuclear program in 2009 and 2010"
Can't rule out a campaign to smear them. No hard evidence in the report. Just speculation.
We have started seeing a lot of bad publicity and innuendo targeted toward Kaspersky after they uncovered and published about a hacking attack against their infrastructure in the recent past. Feels suspicious to me, especially with comments attributed to 'former employees'.
I agree that it smells a bit, but take a quick look at the author, Joseph Menn. He's been floating around tech reporting for a while and seems to have some netsec chops. This isn't an article coming out of the State Department or some anonymous blog; there's a name behind it of someone who'd have their reputation to lose if it turned out to be a bunch of false allegations. (Not that that's never happened before...)
It's impossible to prove that these allegations were false. So there's no reputation to lose.
The only ways I can think of to prove innocence (in general) are a) an alibi b) finding who actually did it.
Neither of these works here; you can't have an alibi for the whole company for 10 years, obviously. You can't find out who did "it" because there's no concrete example. At the very best you can prove that others did it too.
I wouldn't put too much weight into his reputation. John Broder (of NYT) also had a good reputation for journalistic integrity until he posted a falsified[1] review piece of a Tesla.
Yeah, I have to agree, at least as far as the headline. Kaspersky is a serious and respected vendor in the industry and has been for a long time now. Identifying them as a "Russian antivirus firm" in this context sounds a little jingoist to me. (e.g. how often do you hear about "British CPU vendor ARM" or "Abu Dhabian semiconductor giant GlobalFoundries").
That said, the trick is pretty vile. Deliberately polluting public malware databases hurts us all.
It's great that you read these things with some suspicion, but would you use the same suspicion when reading allegations against US or European companies?
And, their main development being done in Moscow, do you expect current employees to stick their heads up? There aren't a lot of protections for whistleblowers in Russia. I'm pretty sure they'd be declared traitors if they did reveal something like this in a formal setting.
Yes, if they were in a similar position. You have to admit, Kaspersky lab has been making a lot of powerful enemies this last decade or so. With cyber-security as big of a deal as it is now, it's obvious that smear campaigns would be on the table of options. (That said, how would I know, they could have done this. But I'll argue the paranoia is strongly warranted.)
When a report comes out based purely on some unnamed sources without any hard evidence, I am always suspicious, irrespective of whether it is about US, European or Russian companies.
Always question sources... Don't just question those you don't agree with or the top dog. Question your supporters, their motives, question the under dog too, the under dog is the most likely to take advantage of sympathies.
I know this is just my $0.02, which I generally avoid... but:
I would be very skeptical of this entire article, having worked with researchers from Kaspersky for many years. They are terrific partners and care deeply about infosec.
Also, Kaspersky has been known in the past, which they have disclosed, for planting red herrings in malware archives, because they accused (and were right about) other vendors of just looking at what Kaspersky blocks and automatically copying it, without actually doing AV research. That's not what they are being accused of here...
Finally, Joseph is a great journalist, but this article stinks in terms of providing actual evidence.
(Web Archive shows this topic — initially about Avast breaking Windows by blocking tcpip.sys but turned into flame about “shitty free antiviruses”, their lack of analytics team, and pirated software quite soon — existed in 2012.)
He explains it had been done a couple of years back to demonstrate the problem to Computer Bild journalists. A number of executable files with "funny" code that could not do any actual harm were made and 50% of them were added to Kaspersky's detection list under distinctive names. Then they all were shared on VirusTotal (and thus with other vendors). Surprisingly enough, only those "viruses" that triggered Kaspersky Antivirus on VirusTotal started spreading through others' databases, often with the same name. Still, there was no article written on that for some reason. These results were later presented to analysts and investors visiting Kaspersky's conference (Security Analyst Summit 2012).
So what's left is to ask Computer Bild if they participated in something like that test and/or someone who was on that conference.
Someone wants to push people off Kaspersky. Counter-intuitive as it is, everyone in the west should use eastern (Russian/Chinese) anti-viruses and OS, and vice versa. That way, it'll be harder for each government to abuse and spy on their own citizens, since I doubt Kaspersky entertains any request from foreign govs.
I don't trust my (US) government not to spy on me. But I don't trust the Chinese or Russian government not to spy on me, either. I'm not sure that they have my interest at heart any more than my own government does, and maybe less.
I don't consider myself at much risk for being locked up because some dumbass in a Russian "anti-terror" spy agency misinterprets a joke among friends. The Russians don't have the only "anti-terror" spy agencies staffed by dumbasses, however.
Is that the conclusion? Or should you use Kaspersky because other anti-virus vendors aren't really doing anything but compiling and selling software with a TM stamp on the name?
This would explain incidents of other antivirus software deleting system files. I remember this happening in the past and it now makes more sense.
"Avira Antivirus update cripples millions of Windows PCs ..."
"Broken McAfee DAT update cripples Windows workstations"
"Update gone wrong. Panda antivirus removing system files ..."
"Bad BitDefender Antivirus Update Hobbles Windows PCs ..."
Kaspersky labs has defended against US government malware so they might also get into trouble for that.
Ex-employee here.
I keep seeing articles like this one consistently getting published, like every 4 months, by various media. It's funny to see how many times the crowd can buy the same story accusing Kaspersky of such activity. Now you, Reuters.
This seems like fair game, and it benefits the consumer by keeping the anti-virus people on their toes.
Kaspersky has demonstrated a weakness: that the firms copy each other's data and blindly trust each other as well as the initial submissions. They have a submission process for infected files which can be demonstrably abused to inject false positives.
Also this:
> Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.
What?? Infected files are always similar to clean files. An infected MS Word 2010 still looks mostly like MS Word 2010 and is even usable as such. Knowing clean from infected is the bread and butter of anti-virus. They are supposed to take doctored files and register them as malicious, while recognizing clean ones as clean. If similarity between dirty and clean causes a false positive, you would think that this is a fundamental problem. It shows they are using some weak heuristics to guess that files are clean instead of, say, strong checksums. They are guessing whether that DLL belonging to MS Word 2010 is clean or not because they have no idea what clean looks like, and Kaspersky has shown that they can be induced to guess wrong.
A proper implementation would detect so much as a single bit difference between a clean file and an altered one.
Rather, they must be working off the assumption that there is some minimum difference between a viable infection and the clean file. In keeping with this, there is a database of the known dirty files only, and not of the clean reference files. Anything close to the dirty example within some small "edit distance" is just a variation on dirty and is declared dirty. Anything distant is either a different, unknown form of dirty, or clean. Either way it is declared clean. If that's how things work in an AV program, it has a weakness. Competitors should be merciless in identifying and exposing that weakness, because that's good for the consumer in the end.
A lot of new malware is self-modifying. In situations where this is the case checksums lose most if not all of their value. Heuristics in such situations are really the only viable option.
>In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.
>Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.
I don't quite understand - what about hashes? VirusTotal doesn't work as they say it works.
Hashes aren't the only thing that judge a file. Virus scanners today look for specific portions of files that look like malicious code, either by directly matching it or by tracing the code. Apparently some virus scanners traced too far into other parts of the executable's code, into the legitimate portions that are found as system components on computers today.
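As an added example (not code from the thread, from Reuters, or from any vendor's actual engine), here is a toy model of the mechanism the two comments above argue over: a scanner that derives a chunk-wise similarity fingerprint from a submitted sample and calls anything above a threshold a "variant", versus the same scanner with an exact-hash allowlist of vendor-verified clean files consulted first. The "clean file", the injected bytes, the chunk size and the threshold are all constructed; real engines use far more elaborate fuzzy hashing and code tracing than this, but the failure mode is the same.

```python
"""
Toy model: how a doctored upload can make a similarity-based scanner flag
the pristine file it was derived from, and why an exact-hash allowlist of
known-good files prevents that. All data below is constructed.
"""
import hashlib

CHUNK = 64          # bytes per chunk for the piecewise hash (assumption)
THRESHOLD = 0.90    # shared-chunk fraction above which a file is "a variant" (assumption)

# Constructed stand-in for a legitimate component: deterministic filler, not a real binary.
CLEAN_FILE = bytes(range(256)) * 4          # 1024 bytes -> 16 chunks
# Constructed inert bytes a submitter splices in so the sample "looks infected".
PAYLOAD = b"\xe8\x00\x00\x00\x00\x5b\xcc\xcc"
INJECT_AT = 520                              # lands entirely inside chunk 8


def doctor(clean: bytes, payload: bytes, offset: int) -> bytes:
    """Overwrite bytes at `offset` with `payload`: the doctored submission."""
    return clean[:offset] + payload + clean[offset + len(payload):]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def piecewise_hashes(data: bytes, chunk: int = CHUNK) -> list[str]:
    """Fixed-size chunk hashes: a crude stand-in for fuzzy/similarity hashing."""
    return [sha256_hex(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of chunk positions whose hashes agree."""
    ha, hb = piecewise_hashes(a), piecewise_hashes(b)
    matched = sum(1 for x, y in zip(ha, hb) if x == y)
    return matched / max(len(ha), len(hb))


class Scanner:
    def __init__(self, use_allowlist: bool):
        self.bad_hashes: set[str] = set()   # exact SHA-256 of submitted samples
        self.bad_samples: list[bytes] = []  # raw samples kept for similarity matching
        self.good_hashes: set[str] = set()  # exact SHA-256 of vendor-verified clean files
        self.use_allowlist = use_allowlist

    def ingest_submission(self, sample: bytes) -> None:
        """What happens when an anonymous sample arrives via a sharing service."""
        self.bad_hashes.add(sha256_hex(sample))
        self.bad_samples.append(sample)

    def verdict(self, data: bytes) -> str:
        h = sha256_hex(data)
        if self.use_allowlist and h in self.good_hashes:
            return "clean"          # known-good by exact hash beats any fuzzy match
        if h in self.bad_hashes:
            return "malicious"      # exact match on a submitted sample
        if any(similarity(data, s) >= THRESHOLD for s in self.bad_samples):
            return "malicious"      # "close enough" to a submitted sample
        return "clean"


def run_scenario() -> dict:
    """Submit one doctored copy of CLEAN_FILE to both scanners, then scan both files."""
    doctored = doctor(CLEAN_FILE, PAYLOAD, INJECT_AT)
    naive = Scanner(use_allowlist=False)
    hardened = Scanner(use_allowlist=True)
    hardened.good_hashes.add(sha256_hex(CLEAN_FILE))   # vendor has verified the clean file
    for s in (naive, hardened):
        s.ingest_submission(doctored)
    return {
        "similarity": similarity(CLEAN_FILE, doctored),   # 15 of 16 chunks shared
        "naive_doctored": naive.verdict(doctored),
        "naive_clean": naive.verdict(CLEAN_FILE),         # the false positive
        "hardened_doctored": hardened.verdict(doctored),
        "hardened_clean": hardened.verdict(CLEAN_FILE),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The naive scanner flags the untouched file because 15 of its 16 chunks are identical to the submitted sample, which is exactly the "close enough to the original" effect described in the article excerpt. The hardened scanner still catches the doctored copy (its exact hash was submitted) but refuses to condemn a file whose exact hash it has already verified as clean, so a single-bit difference is enough to separate the two.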
I can see if rivals were 'aping' their software, whatever that means, that Eug might get angry. It's another thing to engage in this kind of retaliatory behavior because not only can it lead to data loss for users caught in this juvenile dispute but raises other grave questions about what else they might engage in.
Most worrisome is what other unscrupulous behavior is he willing to engage in? Is he willing to do the bidding of the motherland at the expense of the trust customers put into the product?
I believe it. We supported several shareware products during the period described in the article and most of our shareware was at some point tagged as malware by antivirus programs - Norton Antivirus, most notably, but never by Kaspersky.
The signatures that triggered it were in 3rd party installer code that we used. If you think of it, it is a perfect attack method, as by targeting a shared installer many products were made false positives with little effort.
Yeah... But it's also very uncompetitive. And, more importantly, if they are willing to engage in this behavior what other perhaps more unsavory things are they willing to engage in?
Of course, this might call into question the authenticity of their recently published research into state funded spyware. I'm sure it's just a coincidence the anonymous sources chose to speak after a decade of silence.
The current title is misleading, and should be rephrased as "Russian antivirus firm accused of faking malware to harm rivals" (or, better yet, "Kaspersky accused of faking malware to harm rivals"). There's absolutely zero actual evidence or examples in the article of Kaspersky doing anything, and the article title in its current form reeks of sensationalism and click-baitiness.
Perhaps a mod should step in and cleanup the title a bit? I realize it's technically the original, but it's still misleading.
It seems to me that the only people harmed by this were those who were aping Kaspersky instead of doing their own research. How is this different than mapmakers putting irrelevant bogus things on their maps to detect who copied their maps?
These actions harmed users who had essential system files wrongly quarantined by their anti-virus programs. These users may have spent many hours and dollars trying to resolve the problem. Quote from the article:
"Microsoft's antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in 'quarantine'."
If Avast is affected by this and the file is a critical system file, real damage can be done to users' systems. McAfee had this problem five years ago.
It would seem to me that an antivirus software company should guard pretty heavily against this kind of attack, since if it works anyone could sabotage a rival by anonymously submitting doctored versions of their software.
Not being pedantic. I realize English isn't everyone's first language. And then there's auto-completion on devices like iPad's that can result in embarrassing errors.
It's "principle", not "principal". They are very different.
I see this a lot, used in the other direction, on job postings "Principle Engineer" as opposed to "Principal Engineer".
> Not being pedantic. I realize English isn't everyone's first language. And then there's auto-completion on devices like iPad's that can result in embarrassing errors.
Embarrassing errors like using "'s" to form a plural, instead of the correct "s"?
Done intentionally to see how quickly my helpful comment would find someone looking for a way to take me down. I figured it was easier to just offer up three errors and get it over with.
>I'd certainly reconsider my Kaspersky license if I had one.
Well, giving ring 0 access to security software made by a company that is very near to a "not so friendly" state would worry me more than the fact that they play dirty with competition.
This doesn't allege that they produced malware, only that they produced false positives for competitors. They didn't deploy any actual malware.
It sounds like they took advantage of the fact that most malware fingerprinting uses md5 to create collisions with known good files, then uploaded bad files with a matching signature to the places that aggregate bad md5s.
On the basis of a badly sourced article that offers no evidence, other than some rumors spread by anonymous ex-employees? This is a company that has uncovered serious misbehaviour by government-sponsored malware writers. Glad you don't run my security.