Wilders Security Forums  

#301
November 6th, 2009, 05:01 PM
Dr who
Infrequent Poster
Join Date: Jun 2009
Posts: 26
Re: Malwarebytes claim: IObit is stealing signature databases

Quote:
Originally Posted by littlebits
To Dr who: I have never been involved in malware testing, because you can knock off all of the BS.

My bad, I mistook you for this guy from SSupdater, so no BS intended!
http://ssupdater.com/modules/Forums/...p?showforum=54

Will leave it at that. Peace be with you!
#302
November 6th, 2009, 08:21 PM
Chubb
Very Frequent Poster
Join Date: Aug 2005
Posts: 1,805

Quote:
Originally Posted by littlebits
IObit knows that they were in the wrong by stealing others' hard work and even if they don't pay legally, their reputation is destroyed. Their best option now is to offer an apology and admit what they have done, maybe some will be able to forgive. They could even legally buy a license from MBAM that would make things better.

It would be very hard for IOBit to admit this and to give an apology. If they remain in silence, they can still argue a bit. If they admit with apology, the IOBit brand will be good for nothing anymore, and more and more lawsuits will come.
#303
November 7th, 2009, 03:07 AM
RejZoR
Polymorphic Sheep
Join Date: May 2004
Location: Europe/Slovenia/Ljubljana
Posts: 3,829

This means they were guilty as hell, but they don't have guts to admit it.
__________________
Member of Malware Research group
My webpage and blog: http://www.rejzor.tk
Last edited by RejZoR : Today, at 8:21 AM. Reason: BehavesLike:Win32.SheepOwnzYa !
#304
November 7th, 2009, 05:40 AM
Anar
Infrequent Poster
Join Date: Sep 2009
Posts: 29

To be honest ... I am still not convinced. I have dumped both databases - MBAM as well as IObit. If you compare their actual content you will see that only a few parts of the signatures are identical. A large portion is not.

The problem I have is the following:
Working under the assumption that IObit has reverse engineered MBAM, why would they only use a fraction of their database? Why not the whole database instead? The signature format of MBAM isn't that complicated. Reimplementing an engine that is able to use the whole database would take about a week for an experienced developer.

In my opinion it is much more likely that IObit has outsourced the signature generation (which believe it or not is quite common ... there are plenty of Indian and African companies that offer such services) and one of their contractors stole the signatures from MBAM that could be used by the IObit engine as well.

Last edited by Anar : November 7th, 2009 at 05:46 AM.
#305
November 7th, 2009, 05:51 AM
Fuzzfas
Very Frequent Poster
Join Date: Jun 2007
Posts: 1,864

Quote:
Originally Posted by Dr who
How about it Littlebits, Custom scanning a folder of malware is your speciality


Can I give it a try? I repeated the test on the malware samples that I had used here:

http://www.wilderssecurity.com/showt...244614&page=15

V.1.10 WITHOUT any updates, detects about 100 more than 1.20 with updated definitions.

The difference with 1.10 in my previous test is of 1 sample only, probably because in my old test, I had updated before scanning, while this time I used 1.10 without updating.

Included are the 2 log files. You should start with 1.20 video first:

http://www.filefront.com/14876475/Iobit.zip

The samples are supposed to be late summer samples.

The reason that I do custom scan in C:, is because in Win7x64 I don't get a right click context menu to scan just a folder with Iobit. I also stop the test after it passes the AMALWARE folder, cause there is no point in continuing and for my privacy.

The reason that I did 2 separate videos, is that if you scan with 1.20, uninstall and then install 1.10, despite deleting manually the Iobit leftover folder in C:programs, the 1.10 shows that the last update was today. While I wanted to show that 1.10 was done with 40 days old definitions (no updates, just the signatures in the setup file). So I rebooted, launched Shadow Defender again and installed a "clean" v. 1.10, put again the malwares in C:programsx86 and made a 2nd video.



- Devil's advocates:

1) Somehow I rigged the test by using video editor (good luck in proving that).

2) I rigged the test by altering the files between the tests (that's why I scroll slowly the files, so someone with patience may compare the hash names).

3) Iobit deleted these detections by accident.

4) The new Iobit database is incomplete, that's why 1.20 doesn't detect them. They just forgot to make an announcement about that warning the users about getting incomplete database protection.

5) They are 100+ false positives in 1.10 (the problem is, in my last test, Avast was detecting those and even some more).

6) V. 1.10 works fine under Shadow Defender, while v.1.20 can't scan some files under Shadow Defender.


Or there is another explanation. Iobit is "cleaning up" her database.



Quote:
Originally Posted by Chubb
It would be very hard for IOBit to admit this and to give an apology. If they remain in silence, they can still argue a bit. If they admit with apology, the IOBit brand will be good for nothing anymore, and more and more lawsuits will come.

The cleaning of their database, if accompanied by further silence, for me means that they just want the issue to be forgotten, to get out of the lights of "internet negative publicity" and slowly resume their activity with all this forgotten. As long as you don't admit something, time will pass and the issue will be forgotten for the large mass of users that don't read security fora. While if they did admit it, they would be banned by all download sites forever for that product.

For me the position of "MBAM stop it or we will sue you, in the meantime we will remove the disputed database because we don't want further dispute", is more likely a way to say "Enough of this, we will clean our database from your files, you stop destroying our reputation and let's forget about it".


EDIT:
P.S: No, I am in no way affiliated with MBAM, I have started using MBAM free only lately actually, since I moved to Win7 x64, I am not even member of their forum. As a matter of fact, I should be more prone in licking Iobit's ass, since I got the 1 year free license offer from them and SAS Pro, since I have won a lifetime license of them in the past (but I don't run it yet, cause 2 drivers give error in x64 although it does seem to work fine.). I am also not against China or Chinese products per se, I have been Twister's defender for 2 years in this forum. Also in my old post in Wilder's posted above, I was actually speaking well of Iobit before all this happened. So, if anything else, MBAM is the one company which has given me the least she could (a freeware version opposed to Iobit and SAS that gave me a paid version for free). Not to mention that Iobit also gave me safe and free porn, while MBAM never did.

The thing is, if I had to give my chances to who's telling the truth, I'd give 90% to MBAM and I hate it when a small vendor that doesn't have the power of Norton to strike back gets ripped.
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free

Last edited by Fuzzfas : November 7th, 2009 at 06:39 AM.
#306
November 7th, 2009, 05:58 AM
Fuzzfas
Very Frequent Poster
Join Date: Jun 2007
Posts: 1,864

Quote:
Originally Posted by Anar
To be honest ... I am still not convinced. I have dumped both databases - MBAM as well as IObit. If you compare their actual content you will see that only a few parts of the signatures are identical. A large portion is not.

The problem is that you talk about things that I suppose 95% of those that read the forum, me included, have no idea. I haven't seen nor do I know how to compare signatures.

Quote:

The problem I have is the following:
Working under the assumption that IObit has reverse engineered MBAM, why would they only use a fraction of their database? Why not the whole database instead? The signature format of MBAM isn't that complicated. Reimplementing an engine that is able to use the whole database would take about a week for an experienced developer.

Let me ask you something. If they used the entire database, would they be able to deny they stole it? If I were to steal signatures and I had the way, I'd mix signatures of various vendors plus my own signatures. This way, you get a mixed database that makes it easier to deny claims. Also, by adding your own, you have the best of both worlds. Both stolen and your own.

Quote:
In my opinion it is much more likely that IObit has outsourced the signature generation (which believe it or not is quite common ... there are plenty of Indian and African companies that offer such services) and one of their contractors stole the signatures from MBAM that could be used by the IObit engine as well.

I've no idea how outsourcing of signatures is done and whether it's legal to do so. However, it seems that Iobit is removing signatures from her database instead of making lawsuit against MBAM. And this tells me something.

I mean, REALLY, you threaten publicly with lawsuit unless MBAM stops it, MBAM goes on and sends letter to Major Geeks removing your product, Softpedia makes announcement that you must "clear your name", download.com no longer hosts the file itself and all you do is announce "new version" that has WORSE detection rate than your previous version? Your reputation has been destroyed, MBAM didn't stop it and you remove signatures from your database? What happened to the lawsuit?

I can't say that Iobit did this 100%, but let me tell you, even the way that Iobit handles the whole story, is shouting "I am guilty". From the way they handled the forum to the way they handled MBAM's attack and download site's slap and their new version release. So, it's not that everyone will get convinced, but most people on the net if you google "Iobit steals database" are prone to think Iobit has things to hide. That's all. I don't think that MBAM expects ALL people to believe them either. There are people who still believe that NASA never got to the moon back in the Apollo mission, some people are hard to convince no matter what to say. I think MBAM have achieved their goal pretty well. 90%+ of the people in all kind of fora believe the MBAM version of the story. Google it yourself... And if I were MBAM I'd be pretty happy with the result.

Regards
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free

Last edited by Fuzzfas : November 7th, 2009 at 06:20 AM.
#307
November 7th, 2009, 05:59 AM
nosirrah
Malware Fighter
Join Date: Aug 2006
Location: Cummington MA USA
Posts: 184

Quote:
Why not the whole database instead

There are 2 technologies that we know for a fact they can't use and these came into play after their last major app update and are not compatible with their application. These sections were never copied.

We knew this long before we had proof as virtually all malware we detect with these technologies was missed by IOBit and the ones they did hit did not match our naming.

There was one specific IOBit update that had the maximum number of stolen defs around Oct. 20th. The integrated defs in 1.2 will not reflect the reality of past theft.

In our very first report we mentioned that there may have been other vendors involved and this could explain what you saw, we have never actually confirmed this as this falls on the laps of those other vendors.

As far as outsourcing goes, man that would be even more damning. I lead the database team and there is no chance in hell that I would EVER add definitions from a source that I did not personally know and work with, this is pure insanity as all of your control is lost.
__________________
Bruce Harrison
Malwarebytes Lead Researcher
#308
November 7th, 2009, 06:39 AM
Anar
Infrequent Poster
Join Date: Sep 2009
Posts: 29

Quote:
Originally Posted by nosirrah
There are 2 technologies that we know for a fact they can't use and these came into play after their last major app update and are not compatible with their application. These sections were never copied.

~Comment containing proprietary information removed~


Quote:
Originally Posted by nosirrah
There was one specific IOBit update that had the maximum number of stolen defs around Oct. 20th. The integrated defs in 1.2 will not reflect the reality of past theft.

I compared 1.10 defs.

Quote:
Originally Posted by nosirrah
As far as outsourcing goes, man that would be even more damning. I lead the database team and there is no chance in hell that I would EVER add definitions from a source that I did not personally know and work with, this is pure insanity as all of your control is lost.

That is what contracts are for. But this is not a discussion about outsourcing pros and contras. We all do it ... you do it as well (you are using several third party components in your application). I just said that this is a likely possibility. If you guys would actually add all malware to your database instead of just a fraction you would much likely think about outsourcing as well.

Quote:
Originally Posted by Fuzzfas
The problem is that you talk about things that I suppose 95% of those that read the forum, me included, have no idea. I haven't seen nor do I know how to compare signatures.

Which is ok. I don't intend to explain how anyone could do that. I just posted my thoughts. And nobody has to believe me.

Quote:
Originally Posted by Fuzzfas
Let me ask you something. If they used the entire database, would they be able to deny they stole it? If I were to steal signatures and I had the way, I'd mix signatures of various vendors plus my own signatures. This way, you get a mixed database that makes it easier to deny claims. Also, by adding your own, you have the best of both worlds. Both stolen and your own.

Ok, since you and nosirrah both brought up that point I will try to rephrase my previous comment to make it more clear what I want to say. After all English is not my native language so it's quite hard for me to bring my point across.

I didn't refer to IObit's database content in a whole compared to MBAM's. I was talking about MBAM's database content compared to IObit's. IObit's database does contain a lot more than MBAM's database. But if they had stolen MBAM's database due to reversing you would see a much higher percentage of MBAM's database content inside IObit's. And I am not talking about just a few signatures either. I am talking about complete signature types that are missing. Signature types that would be relatively easy to implement if you had the intention to do so.

Additionally your argumentation is flawed. Stealing only half of the database would cause the same bad reputation as stealing the whole. Your company's reputation would be screwed either way. So why just taking a fraction of the database instead of the whole?

Quote:
I've no idea how outsourcing of signatures is done and whether it's legal to do so. However, it seems that Iobit is removing signatures from her database instead of making lawsuit against MBAM. And this tells me something.

Who says they don't take legal actions against MBAM? If I were IObit (which I am not ... just in case) I would remove the signatures in question so the public can calm down and sue Malwarebytes. Thereby both preventing more damage to my reputation and defending my product. Keeping the signatures as they are now would just be like throwing more fuel into the fire.

Last edited by ronjor : November 7th, 2009 at 09:17 AM. Reason: Remove proprietary information
#309
November 7th, 2009, 06:53 AM
Fuzzfas
Very Frequent Poster
Join Date: Jun 2007
Posts: 1,864

Quote:
Originally Posted by Anar
Ok, since you and nosirrah both brought up that point I will try to rephrase my previous comment to make it more clear what I want to say. After all English is not my native language so it's quite hard for me to bring my point across.

Your English is better than mine. It's just that obviously you know how to "view" signature databases and compare them, while I don't. So I can't understand you not because of the English, but because you see things that I can't see and can't understand.

Quote:
I didn't refer to IObit's database content in a whole compared to MBAM's. I was talking about MBAM's database content compared to IObit's. IObit's database does contain a lot more than MBAM's database. But if they had stolen MBAM's database due to reversing you would see a much higher percentage of MBAM's database content inside IObit's. And I am not talking about just a few signatures either. I am talking about complete signature types that are missing. Signature types that would be relatively easy to implement if you had the intention to do so.

I think only you and Nosirrah can talk effectively about that. Cause I don't know what percentage of the 1 is in the other and can't verify it. The only thing that I can say, is "Is there a rule saying what percentage of the other you'd better steal"? I mean, I understand your question, but I don't see the perfect logic behind it. All I know is that if I were to steal databases, I'd take some from more sources. In that way, there wouldn't be a crushing similarity with any other vendor and hence I could more easily deny. It would also be harder to DETECT.

I bet that you can talk with Nosirrah about the details, cause I am in no position to know anything about the details of the signatures, which are easy to implement, which shouldn't, which are "spiked" (trapped), etc.

All I know is that v. 1.20 fully updated detects 100+ less samples in my testbed than 1.10 without updates. You draw your own conclusions from that.

Quote:
Additionally your argumentation is flawed. Stealing only half of the database would cause the same bad reputation as stealing the whole. Your company's reputation would be screwed either way. So why just taking a fraction of the database instead of the whole?

I differ with your opinion. It's easier to defend a partial database similarity than a huge database similarity. It's what you're doing right now, isn't it? If they had ripped the entire database, how would you defend them right now? Your own line of defence is the answer to your own question.

Quote:
Who says they don't take legal actions against MBAM?

Oh, I hope they do! I know they threatened to but not taken yet (at least they didn't say so). We will be both here when they do or when they don't and we will see how it ends up in court, won't we?

Quote:
If I were IObit (which I am not ... just in case) I would remove the signatures in question so the public can calm down and sue Malwarebytes. Thereby both preventing more damage to my reputation and defending my product. Keeping the signatures as they are now would just be like throwing more fuel into the fire.

If I were Iobit and had stolen anything, I wouldn't remove anything, cause I did nothing bad and I would immediately announce that I sue MBAM. This would show confidence and could probably help avoiding some sites removing my product. When you say "MBAM stop it right now or I sue, I've stolen nothing", MBAM doesn't stop it and sites start one after the other removing your product, security specialists and MS MVPs start openly siding with MBAM and all you do is "I will update my database", you're not helping yourself IMHO. But that's a different view we have on this, it's ok. Cause you know, the public wasn't upset for the fact that the signatures were in Iobit's database. The public was upset that the signatures were claimed to be stolen from MBAM. Now, either they are stolen or not is the problem. Not whether you keep them in your database or remove them. Removing them, won't help you with public opinion. Convincing that they weren't stolen will. 2 different things.

Just a curiosity. Why did Iobit remove the samples from my testbed too? They're not mentioned in MBAM's announcement and they are really malware according to Avast.
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free

Last edited by Fuzzfas : November 7th, 2009 at 07:03 AM.
#310
November 7th, 2009, 06:59 AM
nosirrah
Malware Fighter
Join Date: Aug 2006
Location: Cummington MA USA
Posts: 184

Quote:
That is what contracts are for. But this is not a discussion about outsourcing pros and contras. We all do it ... you do it as well (you are using several third party components in your application). I just said that this is a likely possibility. If you guys would actually add all malware to your database instead of just a fraction you would much likely think about outsourcing as well.

If someone we contracted gave us a new DB chunk that deleted critical parts of several legit apps would people say "now that you have explained it we totally support you again" in reaction to us saying "it's not our problem, our contracted DB guys did this, not us".
__________________
Bruce Harrison
Malwarebytes Lead Researcher
#311
November 7th, 2009, 06:59 AM
Fuzzfas
Very Frequent Poster
Join Date: Jun 2007
Posts: 1,864

Anyway, we don't have to agree that one must be convinced that either side is right. Personally I have written enough in this thread, done my own test, I won't convince you and you won't convince me.

After a point, struggling to keep trying to convince the other becomes futile.

I'm off for some naruto hentai "malware" testing now (that one sure helped me take Iobit more seriously).
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free
#312
November 7th, 2009, 07:14 AM
Fuzzfas
Very Frequent Poster
Join Date: Jun 2007
Posts: 1,864

Quote:
Originally Posted by Anar
That is what contracts are for. But this is not a discussion about outsourcing pros and contras. We all do it ... you do it as well (you are using several third party components in your application). I just said that this is a likely possibility. If you guys would actually add all malware to your database instead of just a fraction you would much likely think about outsourcing as well.

Sorry, I missed that one. So, you're in the "business" too. Then, out of courtesy, if you wish, tell us, in which company do you work for?
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free
#313
November 7th, 2009, 07:40 AM
Anar
Infrequent Poster
Join Date: Sep 2009
Posts: 29

Quote:
Originally Posted by nosirrah
If someone we contracted gave us a new DB chunk that deleted critical parts of several legit apps would people say "now that you have explained it we totally support you again" in reaction to us saying "it's not our problem, our contracted DB guys did this, not us".

I just noticed ... you guys do outsource some parts of the signature generation. Fatdcuk is located in the UK according to his profile. You are based in the US. I would bet he is self-employed and not an employee of Malwarebytes. Therefore a contractor.
And to reply to your comment ... obviously the people won't care who the signatures that caused the FP came from. So it wouldn't matter from a reputation point of view. It would matter from a legal point of view though.

Quote:
Originally Posted by Fuzzfas
Just a curiosity. Why did Iobit remove the samples from my testbed too? They're not mentioned in MBAM's announcement and they are really malware according to Avast.

Would be perfectly explainable by my "contractor theory". They discovered that one of their contractors stole signatures and therefore removed all signatures originating from that contractor.

Quote:
Originally Posted by Fuzzfas
Sorry, I missed that one. So, you're in the "business" too. Then, out of courtesy, if you wish, tell us, in which company do you work for?

I am contractor and work in software development. No current employer though because of the recession.
#314
November 7th, 2009, 07:48 AM
Fuzzfas
Very Frequent Poster
Join Date: Jun 2007
Posts: 1,864

Quote:
Originally Posted by Anar
Would be perfectly explainable by my "contractor theory". They discovered that one of their contractors stole signatures and therefore removed all signatures originating from that contractor.

Just for the history, my samples are publicly available on the internet in public forum, you need no contractor, just internet connection. A guy has put them in rapidshare, hundreds of users or even more have them. I don't know much more about contractors. Anyway, even if the contractor stole signatures of MBAM or even if he included my samples in his "package" so they think they are illegal, well, you know that accepting stolen goods is punishable by law too, don't you? They should say so and sue their contractor. Having a stealing contractor, if he stole from MBAM, it's still Iobit's problem having stolen signatures. Maybe they didn't do it themselves, but it's still illegal. If I steal jewelry and I come to your jewel shop and you accept to buy them, the police will bust you too.

What I understand is that they are doing "house cleaning" in their database. And in the process either on purpose (like to eliminate contractor's signatures) or by accident, they delete some definitions. I wouldn't do that if I was innocent.

Quote:
I am contractor and work in software development. No current employer though because of the recession.

I see. I didn't even know that contractors exist. That's something interesting and new for me to learn, thanks.
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free
#315
November 7th, 2009, 07:56 AM
nosirrah
Malware Fighter
Join Date: Aug 2006
Location: Cummington MA USA
Posts: 184

Quote:
I just noticed ... you guys do outsource some parts of the signature generation. Fatdcuk is located in the UK according to his profile. You are based in the US. I would bet he is self-employed and not an employee of Malwarebytes. Therefore a contractor.
And to reply to your comment ... obviously the people won't care who the signatures that caused the FP came from. So it wouldn't matter from a reputation point of view. It would matter from a legal point of view though.

I work directly with all of my researchers and their geographic location is irrelevant. All of them are NDA employees and all of them report to and get work directly from me. Me and my top researchers train our new researchers and they don't get to do any real defs until they are fully ready and approved by the team and owners. I have also worked with Ade on multiple forums and projects for the last 4 years. I knew him far better than any person that might walk in our front doors looking for work.
__________________
Bruce Harrison
Malwarebytes Lead Researcher
#316
November 7th, 2009, 07:59 AM
Fuzzfas
Very Frequent Poster
Join Date: Jun 2007
Posts: 1,864

Oh, in case you missed it, since there are many pages in this thread, here's what Iobit says about the origin of MBAM's "claimed" samples:

Quote:
After carefully tracing and investigating the history of IObit’s database, we find that someone used the submission page which is disabled now (http://db.iobit.com/deal/sdsubmit/index.php) to submit samples with the same names from Malwarebytes. Unfortunately, IObit database analyzer carelessly used the names provided by the submission. This mistake can be understood because it is very normal - Many enthusiastic IObit users find there are samples missed by IObit Security 360 but detected by other anti-malware products, then they would submit these samples to us and provide names defined by other anti-malware vendors.

http://blog.iobit.com/archives/95.html



Which goes against the theory of the contractor, as far as at least the malware samples mentioned by MBAM goes.


I also find weird, that they also detect the registry key "Hijack.DisplayProperties". Some user exported the key after scanning with MBAM, renamed the registry key to "HiJack.DisplayProperties" and submitted it to Iobit where the same (obviously) naive analyst included the detection of a harmless registry key with the same name?

Because I doubt a contractor would send... a Windows registry key as "sample". Which is false positive by the way 100% of the times you change your display settings.
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free
#317
November 7th, 2009, 08:11 AM
Dr who
Infrequent Poster
Join Date: Jun 2009
Posts: 26

Quote:
Originally Posted by Anar
Would be perfectly explainable by my "contractor theory". They discovered that one of their contractors stole signatures and therefore removed all signatures originating from that contractor.

If I understand from information around the web this is not a case of 100 signatures, not even a thousand but whoever copy and pasted a large chunk of the hacked MBAM database. The only stuff not copied was the stuff their engine couldn't process.
You have confirmed this since you have been peeking into both unpacked databases.

So they snipped what was not compatible with IO engine and you're telling me that massive chunk of data inserted into the IObit database went unnoticed by anyone at IObit360 HQ. Yeah right like hell!

Even if they broke it down into smaller chunks over time they would extremely noticeable increases in their database size increase because of sheer volume of signatures added.

I'm sorry but for a software developer your argument is thin.

Databases that double in size tend to get noticed by developers and coworkers alike at the time and questions would be asked internally.

No bones about it IObit database for an unspecified period of time contained signatures that were block copy and pasted from the unencrypted MBAM database.

Theft is theft no matter if it is outsourced or inhouse
  #318  
Old November 7th, 2009, 08:19 AM
Anar Anar is online now
Infrequent Poster
 
Join Date: Sep 2009
Posts: 29
Default Re: Malwarebytes claim: IObit is stealing signature databases

Quote:
Originally Posted by nosirrah
I work directly with all of my researchers and their geographic location is irrelevant. All of them are NDA employees and all of them report to and get work directly from me.
Though they are not employees but are self-employed and therefore are contractors (otherwise an NDA would not be necessary - at least not where I live). I bet they will send invoices every month and will have to take care of taxes, social security and other social receivables themselves as well (which wouldn't be the case if they were employees - at least not where I live).

Quote:
Originally Posted by nosirrah
Me and my top researchers train our new researchers and they don't get to do any real defs until they are fully ready and approved by the team and owners. I have also worked with Ade on multiple forums and projects for the last 4 years. I knew him far better than any person that might walk in our front doors looking for work.
And there goes your "I lead the database team and there is no chance in hell that I would EVER add definitions from a source that I did not personally know and work with" argument. But as I said ... it's not about outsourcing pros and cons. I just explained my theory based on my observations.

Quote:
Originally Posted by Dr who
If I understand from information around the web, this is not a case of 100 signatures, not even a thousand, but whoever copied and pasted a large chunk of the hacked MBAM database. The only stuff not copied was the stuff their engine couldn't process.
Right. But if IObit did in fact reverse engineer MBAM in-house, they could have and would have implemented the missing signature types, don't you think?

Quote:
Originally Posted by Dr who
So they snipped what was not compatible with the IO engine and you're telling me that massive chunk of data inserted into the IObit database went unnoticed by anyone at IObit360 HQ. Yeah right, like hell!
Let's do a little test: Go to a large contractor site. Like for example http://www.rentacoder.com. Look for projects involving Spyware. You would be surprised.

Quote:
Originally Posted by Dr who
Even if they broke it down into smaller chunks over time, they would see extremely noticeable increases in their database size because of the sheer volume of signatures added.
Or the contractor did it from the beginning and no one noticed it so far. Huge database growth is normal for young applications. It could be unnoticed.

Quote:
Originally Posted by Dr who
Theft is theft no matter if it is outsourced or inhouse
Lawyers would disagree. I think the US has a principle of utmost good faith as well.
  #319  
Old November 7th, 2009, 08:22 AM
Fuzzfas Fuzzfas is offline
Very Frequent Poster
 
Join Date: Jun 2007
Posts: 1,864
Default Re: Malwarebytes claim: IObit is stealing signature databases

Quote:
Originally Posted by Dr who

Theft is theft no matter if it is outsourced or inhouse

Well, if they did get illegal samples but didn't do it consciously, but were fooled by a contractor (I don't know how easy that is), at least they have an attenuation factor.

Of course it's not MBAM's business to know that. MBAM's business was to find out if the database was stolen and it was a success to actually suspect that it may be stolen.

Of course I suppose when identical names, especially if on false positives, start accumulating, you become suspicious.

This guy, before all this exploded, also noted the "interesting" thing about the false positive:

Quote:
Interestingly, this is identical to what MalwareBytes Antispyware finds and is not a result of malicious modification hence a false positive.

http://www.freeantivirushelp.com/blo...playproperties

I am actually thinking of starting a poll about that later, to see how many antiviruses flag that particular key. I expect it to be only MBAM and Iobit.
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free
  #320  
Old November 7th, 2009, 08:29 AM
Fuzzfas Fuzzfas is offline
Very Frequent Poster
 
Join Date: Jun 2007
Posts: 1,864
Default Re: Malwarebytes claim: IObit is stealing signature databases

My prediction about this case:

- For whatever reasons, Iobit will just wait until the story is forgotten and won't sue MBAM.

- If the story is about a contractor that fooled them really, they may sue the contractor and ruin him.

They will leave the rest to time, that heals everything and makes people forget.
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free
  #321  
Old November 7th, 2009, 09:01 AM
Anar Anar is online now
Infrequent Poster
 
Join Date: Sep 2009
Posts: 29
Default Re: Malwarebytes claim: IObit is stealing signature databases

Ok, since I got a few PMs I want to clarify one thing:

I don't want to deny that IObit's database has large portions of definitions that are equal to Malwarebytes' definitions. I even would go so far that I would say that someone did copy Malwarebytes' signatures.

What I don't understand is why IObit would go through the trouble of reversing MBAM in order to only copy half of it (* this is a figure of speech, it's not exactly 50% of MBAM's signatures they copied ... though I could calculate the exact value). Somehow - for me - that doesn't make much sense. For me the only logical thing would be that they didn't and instead someone else did.

That is all I wanted to say and discuss about. I don't have a grudge against MBAM and I am not an IObit fanboy (though I have an account over there since I intended to participate in their testing contest). I just have personal doubts after taking an in-depth look at it and wanted to share my opinion.
  #322  
Old November 7th, 2009, 09:34 AM
Fuzzfas Fuzzfas is offline
Very Frequent Poster
 
Join Date: Jun 2007
Posts: 1,864
Default Re: Malwarebytes claim: IObit is stealing signature databases

@ Anar,

Your theory of a contractor sounds plausible. Albeit, Iobit until now has not verified this theory (you saw what they said about their investigation). But I wouldn't say it's improbable for larger pieces.

Personally, I can't exclude them from having done all this by themselves either though. Because for me it's perfectly logical NOT to steal the 100%, because you increase dramatically the chances that someone will notice the similarity. Unless Iobit was expecting to be suspected and "caught" so she should think "well, since I will be busted anyway, I may as well take it all". But this is something that you want to do WITHOUT raising suspicion and thus getting caught. So the less you get from more sources, the better the chances that you will pass unnoticed.

It's like the thieves after the bank robbery, you know? Where they say "Guys, don't spend the money right away, or they will catch us". They don't think "Since they will catch us, we may as well go immediately and buy a Ferrari and enjoy it".

Or, you stole some diamonds and you need to pass from airport check. Where's the best place to hide them? a) In a bag on their own, b) Amongst other, legal diamonds which are 3 times the numbers of the stolen ones and hope nobody will recognize the stolen ones. I would pick the latter. You know, the same principle of "keeping my diamonds in the freezer inside the ice cube generator", because this way a thief will not notice you have a bunch of diamonds inside ice cubes (hopefully). Of course you can stack all your diamonds in an angle of the freezer in a bag and write on them "diamonds here". I wouldn't do that. Stealing the entire MBAM database, for me is equal to shouting "MBAM database here people!".

If I were in their place and wanted to steal, I'd take a 15-20% of MBAM and that's it. I'd try to take another 15% from someone else and so on. It would be less easy to be detected. I'd also try to use different detection names for as many samples as possible.
__________________
Avast Home 5 - Win 7 Firewall Control PLUS - WinPatrol Plus
On Demand: Shadow Defender - MBAM Free - Macrium Free

Last edited by Fuzzfas : November 7th, 2009 at 09:56 AM.
  #323  
Old November 7th, 2009, 10:03 AM
qpok qpok is offline
Regular Poster
 
Join Date: Apr 2008
Posts: 50
Default Re: Malwarebytes claim: IObit is stealing signature databases

Quote:
Originally Posted by Fuzzfas
If I were in their place and wanted to steal, I'd take a 15-20% of MBAM and that's it. I'd try to take another 15% from someone else and so on. It would be less easy to be detected. I'd also try to use different detection names for as many samples as possible.

My worry is that IObit (and possibly other companies pursuing similar strategies) will put effort into obfuscating their usage of stolen signatures. So instead of researching threats and creating new signatures and ways of battling malware they would research and implement ways of better hiding the fact that they use illegally obtained signatures. Then again I am no security expert so I can't say whether this fear is real or just pure theoretical speculation.
  #324  
Old November 7th, 2009, 10:13 AM
nosirrah nosirrah is offline
Malware Fighter
 
Join Date: Aug 2006
Location: Cummington MA USA
Posts: 184
Default Re: Malwarebytes claim: IObit is stealing signature databases

If ethics don't prevent that then the knowledge that we all have trap defs will. IOBit missed both of those chapters in "the rule book".
__________________
Bruce Harrison
Malwarebytes Lead Researcher
  #325  
Old November 7th, 2009, 10:33 AM
ePost ePost is offline
Regular Poster
 
Join Date: Feb 2009
Posts: 105
Default Re: Malwarebytes claim: IObit is stealing signature databases

Quote:
Originally Posted by nosirrah
If ethics don't prevent that then the knowledge that we all have trap defs will. IOBit missed both of those chapters in "the rule book".
nosirrah, you guys at MBAM's staff wrote a few other companies about this theft. They too are victims of this. Do you think that we will some day hear more about these other AV-manufacturers? Will some of the other vendors go public or is that classified information? I'd like to know a bit about their reaction...
 
