Kaspersky Lab is one of the largest cybersecurity firms in the world and has been responsible for discovering some of the most advanced malware in existence. However, a recent report indicates that the company has been modifying harmless files to look like malware in order to trigger false positives in competing products.
The exclusive report from Reuters claims that Kaspersky was not happy with competitors borrowing from its research without contributing any findings of their own. Anti-virus companies share knowledge by swapping samples and submitting them to third-party aggregators. In this case, Kaspersky was doing all the sharing and was not getting anything in return.
Annoyed by the situation, founder Eugene Kaspersky allegedly ordered his team to modify common, legitimate files so that they looked like malware. These modified files were then submitted to the aggregator, where other anti-virus teams would add them to their own databases of malicious files. Because the bulk of each poisoned sample was still the original file, a signature derived from the unmodified portions would match the pristine copy on customers' machines as well, so both the sample and the legitimate file would be flagged as malware and quarantined. Essentially, this would lead to a large number of false positives.
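The mechanism described above can be shown with a small simulation. This is an added example, not code from the article or from any of the vendors it names; the file contents, the injected bytes, the signature offsets and the vendor policies are all constructed for illustration. It models three ways an engine might derive a signature from a poisoned sample (whole-file hash, a byte pattern from an untouched region, a byte pattern from the injected region), and then a consensus policy that simply copies other engines' verdicts:

```python
import hashlib

# Constructed stand-in for a legitimate system file (not a real binary).
CLEAN_FILE = (
    b"MZ\x90\x00" + b"PE\x00\x00"                    # header-like bytes
    + b"This program cannot be run in DOS mode." * 4
    + b"\x00" * 64
    + b"LegitimateLibrary.dll v1.2.3 (c) Example Corp"
)

# Bytes an analyst might associate with malware. Hypothetical, constructed for this example.
INJECTED_PAYLOAD = b"\xeb\xfe" + b"CMD.EXE /c del C:\\*.* " + b"\x90" * 16
INJECT_OFFSET = 200


def poison_sample(clean: bytes, offset: int = INJECT_OFFSET) -> bytes:
    """Insert malicious-looking bytes into a clean file, leaving everything else intact."""
    return clean[:offset] + INJECTED_PAYLOAD + clean[offset:]


def resemblance(clean: bytes, poisoned: bytes) -> float:
    """Fraction of the poisoned sample that is still the original file's bytes."""
    return len(clean) / len(poisoned)


def whole_file_hash(data: bytes) -> str:
    """Exact-match signature: only this precise byte sequence is detected."""
    return hashlib.sha256(data).hexdigest()


def byte_pattern_signature(sample: bytes, offset: int, length: int) -> bytes:
    """Naive pattern signature: a fixed window of bytes copied out of the sample."""
    return sample[offset:offset + length]


def matches(signature: bytes, data: bytes) -> bool:
    return signature in data


def consensus_blocks(verdicts: dict, threshold: int) -> bool:
    """Block when at least `threshold` other engines flag the file, with no own analysis."""
    return sum(1 for flagged in verdicts.values() if flagged) >= threshold


def run_scenario() -> dict:
    poisoned = poison_sample(CLEAN_FILE)

    # Vendor A fingerprints the whole sample; the pristine file has a different hash.
    hash_hits_clean = whole_file_hash(CLEAN_FILE) == whole_file_hash(poisoned)

    # Vendor B copies 24 bytes from offset 40, a region the poisoning never touched,
    # so the same bytes are present in the pristine file: a false positive.
    pattern_hits_clean = matches(byte_pattern_signature(poisoned, 40, 24), CLEAN_FILE)

    # Vendor C copies its pattern from inside the injected region; the clean file lacks it.
    injected_hits_clean = matches(
        byte_pattern_signature(poisoned, INJECT_OFFSET, 24), CLEAN_FILE)

    # Vendors D and E do not analyse the file at all; they block on other engines' verdicts.
    verdicts = {"A": hash_hits_clean, "B": pattern_hits_clean, "C": injected_hits_clean}
    verdicts["D"] = consensus_blocks(verdicts, threshold=1)
    verdicts["E"] = consensus_blocks(verdicts, threshold=2)

    return {
        "resemblance": resemblance(CLEAN_FILE, poisoned),
        "hash_hits_clean": hash_hits_clean,
        "pattern_hits_clean": pattern_hits_clean,
        "injected_hits_clean": injected_hits_clean,
        "verdicts": verdicts,
        # Engines whose own signature actually matched the clean file.
        "analysed_and_flagged_clean": [v for v in "ABC" if verdicts[v]],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Only one engine (B) flags the clean file through its own, sloppy, signature, yet two more (D and E) end up blocking it purely because others did: the aggregator turns a single bad signature into an industry-wide false positive. Signature extraction that is anchored to the injected bytes, or any analysis of what the file actually does, is not fooled by this kind of sample.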
The campaign targeted companies like Microsoft, AVG Technologies, and Avast Software, whose products all ended up quarantining legitimate files and disabling portions of their customers' computers. These companies did not comment on the specific allegations against Kaspersky, but they did acknowledge that there have been attempts to introduce false positives into their products over the years.
Naturally, Kaspersky, both the company and its founder, has denied any wrongdoing in this case. It also said that it did not believe the attacks could have come from within the industry itself, “as it would have a very bad effect on the whole industry.”
Update: Kaspersky has offered an explanation for what actually happened with the modified files:
“In 2010, we conducted a one-time experiment uploading only 20 samples of non-malicious files to the VirusTotal multi-scanner, which would not cause false positives as these files were absolutely clean, useless and harmless. After the experiment, we made it public and provided all the samples used to the media so they could test it for themselves. We conducted the experiment to draw the security community’s attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity (behavior).
After that experiment, we had a discussion with the antivirus industry regarding this issue and understood we were in agreement on all major points. Read more here.”
In other words, according to Kaspersky there is nothing to see here: it was just a bunch of disgruntled former employees trying to stir up controversy using leftover files from a five-year-old experiment.