Kaspersky allegations to breed mistrust

IT security experts say allegations that Kaspersky Labs fed false anti-virus intelligence to its rivals threatens to undermine trust the security software industry depends on.

Media outlets have been publishing a Reuters report which contained claims that the anti-virus software vendor assigned researchers to work on programs to sabotage rivals by investigating ways to make their software classify safe computer files as malicious.

The aim of the research, according to two anonymous former employees cited in the report, was to trick its rivals’ software into deleting important files on their customers’ computers.

The so-called “false positives” that the two former employees allege it fed to rivals were designed to discredit them.

Kaspersky Labs’s colourful chairman and founder, Eugene Kaspersky, took to Twitter to stridently repudiate the story tweeting: “I don’t usually read @reuters. But when I do, I see false positives. For the record: this story is a (sic) complete BS”.

However, Ty Miller, founder of computer security consultancy Threat Intelligence said that even the perception that shared intelligence might be tainted could damage the cyber security industry.

“The highly popular Cyber Threat Intelligence industry is still in its infancy and is largely based on sharing intelligence data amongst trusted parties. These trusted parties often include governments, security vendors, intra-industry organisations, and even intelligence data pulled from arbitrary websites.

“The same trust relationship model is being used and is subsequently open to abuse if rogue organisations or individuals decide to poison the intelligence data,” Mr Miller said.

HackLabs director Chris Gatford agreed saying: “If this gets any traction it could probably undermine the industry or the amount of information they share which impacts the end users of all anti-virus software”.

Kaspersky Labs published an official response to the report describing the allegations ase the “meritless” efforts of disgruntled former employees.

“Although the security market is very competitive, trusted threat data exchange is a critical part of the overall security of the entire IT ecosystem, and we fight hard to help ensure that this exchange is not compromised or corrupted,” the company wrote.

However, it also admitted to running a “one-time” experiment in 2010 releasing about 20 benign files to VirusTotal, a free online virus checker.

“We conducted the experiment to draw the security community’s attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity,” the company wrote.

Mr Miller said it was impossible to know whether Kaspersky Labs was being sincere.

Mr Gatford wouldn’t rule out the possibility that rogue elements within Kaspersky Labs carried out the operation sub rosa and without management’s knowledge. He argued that the computer security industry’s unique culture could foster such strategies.

“If you look at our industry, generally speaking, security companies have unusual employees. They’re out-of-the-box thinkers, slightly rebellious.

“Would they go as far as submitting flagged samples to throw off a rival? Absolutely. I’m sure that’s happened,” Mr Gatford said.

Mr Gatford pointed to an incident in 2006 when McAfee’s for its anti-virus software that deleted important system files from thousands of computers including those of banks in Australia.

Want to know more?

Why not become a CSO member and subscribe to CSO's mailing list. 

Get newsletters, updates, events and more right here