Article authored by Adam Hall, Senior Systems Administrator at Quadrant Information Security
On August 14 2015, news was released about Russian anti-virus company Kaspersky Labs generating ‘Fake’ Malware files to cause competitors software to classify benign data as malicious (Keane, 2015; Menn, 2015). Two former Kaspersky employees claim that the company has been attempting to damage its competitors for over a decade. In 2010, Kaspersky admitted to performing an experiment of sending 20 ‘innocent’ executable files to a virus detection site of which 10 of them had fake malware detection classifications. 10 days later, 14 vendors reported new malware detections that included some or all of the 10 files labeled as malicious by Kaspersky (Leyden, 2010). While Kaspersky admits to testing the validity of competitor’s results as their own, they deny all allegations concerning attempts to trick their competitors. Furthermore, Kaspersky adds that such actions are unethical, dishonest and their legality is questionable (Menn, 2015).
On September 1 2015, kerbsonsecurity released news about Russian anti-virus company Dr. Web and allegations that they were also attempting to damage competitors by sending false malware samples to malware detection sites. Dr. Web CEO Boris Sharov stated that this was a probe to detect companies that were stealing Dr. Web results and not performing their own analysis of malware (Krebsonsecurity, 2015). According to Dr. Web, they did not label the data as malicious, the other companies performed their own analysis and labeled them as malicious themselves (Krebsonsecurity, 2015). Sharov further adds that “a good antivirus product actually consists of two products: One that is sold to customers in a box and/or online, and the second component that customers will never see — the back-end internal infrastructure of people, machines and databases that are constantly scanning incoming suspicious files and testing the overall product for quality assurance” (Krebsonsecurity, 2015).
To help detect the ‘Real Malware,’ Quadrant uses their Bluedot system. Quadrant performs their own in-house sandbox testing of files to determine if they are malicious. If the file is determined to be malicious, signatures will be created and inserted into Quadrant’s Sagan appliance to help detect the malware when observed again. This signature can be a mixture of heuristic variables such as different IP’s, ports, patterns in a payload, or a matching file hash. A Flowbit (https://quadrantsec.com/about/blog/sagan_flowbit/) can also be integrated into the signature to allow for correlation of the event with other events to further identify an actual compromise of system, such as a successfully downloaded malicious toolbar, or ignore if a firewall has blocked the connection.
While Quadrant has no stance on whether the products listed above are good or bad, we do believe that blind trust can be misleading. That is why we attempt to validate results with our own data rather than others.
Keane, J. (2015, August 14). Kaspersky Lab Accused of Making Malware to Generate False Positives in Competing Software. Retrieved from digitaltrends.com: http://www.digitaltrends.com/computing/ex-employees-kaspersky-lab-faking-malware-to-undermine-rivals/
Krebsonsecurity. (2015, September 01). Like Kaspersky, Russian Antivirus Firm Dr. Web Tested Rivals. Retrieved from krebsonsecurity.com: http://krebsonsecurity.com/2015/09/like-kaspersky-russian-antivirus-firm-dr-web-tested-rivals/#more-32052
Leyden, J. (2010, February 10). Kaspersky Defends False Detection Experiment. Retrieved from theregister.co.uk: http://www.theregister.co.uk/2010/02/10/kaspersky_malware_detection_experiment/
Menn, J. (2015, August 14). Russian Antivirus Firm Faked Malware to Harm Rivals. Retrieved from reuters.com: http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ1CR20150814
Ullrich, J. (2015, September 03). Thursday September 3rd 2015 StormCast. Jacksonville, Fl, United States of America: SANS.