6

Well most probably we will never know the truth, but anyway:

Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees...

In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.

Full article

Since I am a user of a no Kaspersky AV, I am getting a bit worried. In which cases an AV decides to "clean" a file instead of permanently deleting it? (We could for instance talk about Avast). Is this "injection" of bad code in a "health" file as described in the article, likely to be cleaned instead of deleted?

Community
  • 1
  • 2
    If the rivals' probabilistic classification routines can be tricked, it's the rivals' fault. – Deer Hunter Aug 14 '15 at 17:38
  • 1
    Okay, now translating into plain English from Reuters: AV makers likely employ automatic malware classification based on VirusTotal's database. If you (Kaspersky) feed it biased priors and the competitors are blind enough to run no manual checks/investigations, you can trick them into changing classification parameters. Neat. – Deer Hunter Aug 14 '15 at 17:42
  • @deerhunter okay that makes more sense, but I don't see how that should work. Even if Kaspersky uploaded tempered files those files would not ever occur on a real system. The only thing it would do, is boosting Kaspersky's Rating on VirusTotal. Not a nice practice but not harmful to anybody in my eyes – John Aug 14 '15 at 20:52
  • 2
    If the competitors used to take the signatures without even checking them, then that would be highly unprofessional. Same goes to Kaspersky. But I assume they learned their lesson and don't do that anymore. – John Aug 14 '15 at 21:01
  • 1
    The clean/deletion decision is up to the settings of each AV software. In SEP, you can define those parameters, for instance. – schroeder Aug 14 '15 at 22:33

1 Answers1

2

As the article states, this issue was observed between 2009 and 2013, so is not current anymore. It relied mainly on two things:

  • According to the anonymous Kaspersky employees, because other anti-virus software editor were allegedly copying, "stealing" Kaspersky technology,
  • And in all case with more certitude because there was at least during this period a real marketing race to which editor was the first to detect an infected file and to detect the largest amount of them.

The trick was therefore relatively simple: submit some code sample to VirusTotal which will be flagged as malicious by Kaspersky alone, and the other editors will soon "catch up" by updating their signature base to include this one as well. The most technically difficult part was to manipulate other editor's software into producing a signature matching also legitimate files.

IMHO this showed a very poor approach where marketing takes precedence over security.

This article also explains how such deception practice were discovered by the anti-virus companies (for instance a sudden rise of customers calling the AV support because their printer's driver has been quarantined), and how they saw this as a flaw in their anti-virus software and signature management processes to be fixed.

So these software and processes being (theorically at least!) harder to corrupt nowadays, such flaw should not happen anymore and, therefore, to answer your question you should not worry anymore.

At the time of such practice was observed however, the anti-virus would not clean the file but quarantine or delete it because its code matches a pattern wrongly flagged as suspicious. There is indeed nothing to clean, the file being a legitimate one! The "bad code" was only injected in the initial sample sent to VirusTotal in a way that competitors will not add the bad code to their signature base, but the legitimate one...

WhiteWinterWolf
  • 19,292
  • 4
  • 61
  • 110