Anti-virus software companies accused over malware samples

Kaspersky test found rivals incorporating malware signatures without testing first

Anti-virus software companies have been accused of failing to properly check malware samples sent to, and shared among, them - leading to harmless files being classified as security threats.

That is the claim of security researcher Brian Krebs, following allegations that Kaspersky Lab had deliberately faked malware samples distributed to rivals.

"Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their anti-virus software programs into classifying benign files as malicious, according to two former employees," claimed the Reuters report, anonymously quoting two former staff members.

"Some of the attacks were ordered by Kaspersky Lab's co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology," Reuters added, claiming that "executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years".

Kaspersky Labs' founder Eugene Kaspersky published a detailed rebuttal of Reuters' claims in a blog post, in which he said: "The Reuters story is based on information provided by anonymous former KL employees. And the accusations are complete nonsense, pure and simple. Disgruntled ex-employees often say nasty things about their former employers, but in this case, the lies are just ludicrous... The reality is that the Reuters story is a conflation of a number of facts with a generous amount of pure fiction."

But Krebs cites a 2010 survey published by Kaspersky itself in which the company admitted circulating harmless files to anti-virus testing firm Virustotal.com that, it said, had been slightly modified. Another anti-virus software company, Dr Web, had also conducted a similar experiment. The aim was to find out how much research is actually conducted across the industry - and how much is taken on trust, or simply taken.

"Within ten days, all the files that Kaspersky had circulated had been blacklisted by as many as 14 security software vendors," Krebs claims, quoting Kaspersky analyst Magnus Kalkuhl, speaking in 2010 when the survey was conducted.

Kaspersky conducted the test, claims Krebs, because it suspected that a number of vendors were piggy-backing on top of its work - simply taking data Kaspersky had worked on and incorporating it into their own security products. Anti-virus software vendors routinely share malware samples - but some, perhaps, share more freely (and promptly) than others.

"Missing from the Reuters piece that started this hubub is the back story to what Dr. Web and Kaspersky both say was the impetus for their experiments: A long-running debate in the anti-virus industry over the accuracy, methodology and real-world relevance of staged anti-virus comparison tests run by third-party firms, like AV-Test.org and Av-Comparatives.org.

"Such tests often show many products block 99 per cent of all known threats, but critics of this kind of testing say it doesn't measure real-world attacks, and in any case doesn't reflect the reality that far too much malware is getting through anti-virus defences these days," warns Krebs.

Reuters' report follows claims earlier this year by its rival Bloomberg that Eugene Kaspersky himself was too close to Russia's own security services.