Kaspersky Denies ‘False Positive’ Campaign Against Rivals

Moscow-based antivirus maker Kaspersky Lab has denied a report claiming it ran a program aimed at tricking software from rivals including Microsoft, AVG and Avast into classifying benign files as malicious.

The Reuters report cited two unnamed former Kaspersky employees who said the company manipulated these so-called “false positives” in order to force rivals to improve their own virus detection engines, rather than relying on shared databases such as VirusTotal, which aggregate contributions by antivirus researchers.

The two sources were amongst only a few people who knew of the scheme, according to Reuters.

“Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing,” Kaspersky Lab said in a statement. “Such actions are unethical, dishonest and their legality is at least questionable.”

The alleged scheme was in part a competitive measure, in which Kaspersky Lab decided to “provide some problems” for rivals, according to one of Reuters’ sources.

It was also allegedly considered by founder Eugene Kaspersky as a means of protecting the company’s intellectual property – namely, its own antivirus research, Reuters said. Kaspersky considered that rivals were relying too much on antivirus aggregators contributed to by Kaspersky itself and others, something he considered “stealing”, according to one of Reuters’ sources.

Original research

Kaspersky Lab brought this issue up publicly, voicing its disapproval at a January 2010 media presentation in Moscow.

At that presentation, senior Kaspersky analyst Magnus Kalkuhl said that as an experiment the company had created ten harmless files and sent them to VirusTotal, declaring them as dangerous. Within a week and a half, all ten files had been declared dangerous by as many as 14 security companies.

Researchers were assigned to work on the sabotage projects for weeks or months at a time, reverse-engineering rivals’ virus detection systems in order to determine how to trick them into accepting false positives, according to Reuters.

They would, for instance, inject malicious code into an important piece of PC software and then send the file anonymously to VirusTotal, Reuters said. If the file was crafted in the right way, antivirus detection engines using VirusTotal’s data would be tricked into classifying the harmless file as potentially malicious and placing it in quarantine, according to the report.

Microsoft was among those targeted because many smaller companies relied blindly on the company’s antivirus data, according to Reuters.

Kaspersky Lab’s manipulation of false positives lasted for more than 10 years and peaked between 2009 and 2013, according to Reuters’ sources.

Bad samples

Executives from Microsoft, Avast and AVG acknowledged to Reuters that they had identified large numbers of maliciously manipulated samples intended to induce false positives, but declined to comment on the possibility of Kaspersky Lab’s involvement. AVG told Reuters the most recent wave of bad samples was found at the beginning of 2013.

Kaspersky Lab said it had itself been targeted by bad samples, and told Reuters it didn’t believe a competitor could have carried out the attacks “as it would have a very bad effect on the whole industry”.

“Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted,” Kaspersky Lab stated.

Another security industry executive agreed that the reported waves of malicious samples underscore the “fragility” of the malware sample distribution system.

“A hole in the system was uncovered and plugged after large-scale damage was observed,” said Rahul Kashyap, senior vice president of security firm Bromium, in a statement. “The entire antivirus industry is about reacting after damage; this act further proves yet another flaw in the model.”

Kaspersky Lab says it has more than 400 million users and 270,000 corporate clients.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
