Two former employees of the antivirus company Kaspersky Lab have accused the company of tampering with competing security products by seeding them with fake malware samples intended to make harmless files appear malicious on customers' computers. The allegations were made public in a report by Reuters published Friday morning; the firm has strongly denied all claims made by the alleged ex-employees.
According to the report, the "junk" files were tailored to produce the same signatures as legitimate files under the fingerprinting mechanisms of competitors' products. The former employees claim the company assigned staff to reverse-engineer competitors' software to learn how it identified malware, and then to craft samples that matched the signatures of common yet harmless files.
The Reuters report does not give specifics on what the alleged fake signatures did, such as which files they targeted for misidentification as false positives.
In the past, incidents reported by Microsoft, Symantec, and others brought to light attacks by outside parties aimed at creating false positives by submitting junk files as malicious, yet none had publicly suspected Kaspersky of creating and distributing them. Microsoft's Dennis Batchelder and Hony Jia reported on this exact type of attack in a presentation (PDF) at the Virus Bulletin conference back in October 2013. In some cases, antivirus vendors shared the files with each other, while in others the files were submitted anonymously over the Tor network.
Liam O'Murchu, a reverse engineer and security researcher at the security firm Symantec, publicly acknowledged similar attacks on Symantec's products in a post on Twitter, writing: "We had investigated these attacks but could not find out who was behind them. We had some suspects, Kaspersky was not one of them."
According to the report, the two former employees say Kaspersky Lab employees have been spreading fake malware around the Internet for the past decade as part of a campaign to undermine competitors' protection tools, with some orders coming from co-founder Eugene Kaspersky himself. One of the employees told reporters that Kaspersky felt other malware protection tools were closely copying Kaspersky Lab's software, adding that "Eugene considered this stealing." Researchers at the company were assigned months at a time to reverse-engineer competitors' software and determine how to trick it into falsely identifying safe files as potentially dangerous malware.
If the allegations hold true, this would not be the first time Kaspersky has been caught using fake malware files to trick others. In 2010, Kaspersky Lab analyst Magnus Kalkuhl announced that the company had, as an experiment, created 10 harmless files and submitted them to antivirus scanning services such as VirusTotal (which aggregates and sells malware information), where they were marked malicious by many of the commercial engines. The files were uploaded to check whether competitors were improperly copying Kaspersky's research work. Within about a week and a half, Kalkuhl reported that some 14 companies had also come to label the files as malicious.
"In some cases the false detection was probably the result of aggressive heuristics," Kalkuhl wrote in a detailed blog post about the experiment, "but multi-scanning obviously influenced some of the results. We handed out all the samples used to the journalists so they could test it for themselves. We were aware this might be a risky step: since our presentation also covered the question of intellectual property, there was a risk that journalists might focus on who copies from whom, rather than on the main issue (multi-scanning being the symptom, not the root cause). But at the end of the day, it's the journalists who have it in their power to order better tests, so we had to start somewhere."