Malwarebytes claim: IObit is stealing signature databases

Discussion in 'other anti-malware software' started by webster, Nov 2, 2009.

Thread Status:
Not open for further replies.
  1. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753

    Can I give it a try? I repeated the test on the malware samples that I had used here:

    https://www.wilderssecurity.com/showthread.php?t=244614&page=15

    V.1.10 WITHOUT any updates detects about 100 more than 1.20 with updated definitions.

    The difference from 1.10 in my previous test is 1 sample only, probably because in my old test I had updated before scanning, while this time I used 1.10 without updating.

    Included are the 2 log files. You should start with the 1.20 video first:

    http://www.filefront.com/14876475/Iobit.zip

    The samples are supposed to be late summer samples.

    The reason that I do a custom scan in C: is because in Win7 x64 I don't get a right-click context menu to scan just a folder with Iobit. I also stop the test after it passes the AMALWARE folder, because there is no point in continuing, and for my privacy.

    The reason that I did 2 separate videos is that if you scan with 1.20, uninstall and then install 1.10, despite manually deleting the Iobit leftover folder in C:\programs, 1.10 shows that the last update was today. While I wanted to show that 1.10 was done with 40-day-old definitions (no updates, just the signatures in the setup file). So I rebooted, launched Shadow Defender again, installed a "clean" v. 1.10, put the malware in C:\programsx86 again and made a 2nd video.



    - Devil's advocates:

    1) Somehow I rigged the test by using a video editor (good luck proving that).

    2) I rigged the test by altering the files between the tests (that's why I scroll slowly through the files, so someone with patience may compare the hash names).

    3) Iobit deleted these detections by accident.

    4) The new Iobit database is incomplete, that's why 1.20 doesn't detect them. They just forgot to make an announcement warning the users about getting incomplete database protection.

    5) There are 100+ false positives in 1.10 (the problem is, in my last test Avast was detecting those and even some more).

    6) V. 1.10 works fine under Shadow Defender, while v. 1.20 can't scan some files under Shadow Defender.


    Or there is another explanation: Iobit is "cleaning up" her database.



    The cleaning of their database, if accompanied by further silence, for me means that they just want the issue to be forgotten, to get out of the lights of "internet negative publicity" and slowly resume their activity with all this forgotten. As long as you don't admit something, time will pass and the issue will be forgotten by the large mass of users that don't read security fora. While if they did admit it, they would be banned by all download sites forever for that product.

    For me the position of "MBAM stop it or we will sue you, in the meantime we will remove the disputed database because we don't want further dispute" is more likely a way to say "Enough of this, we will clean our database of your files, you stop destroying our reputation and let's forget about it".


    EDIT:
    P.S.: No, I am in no way affiliated with MBAM; I have started using MBAM free only lately actually, since I moved to Win7 x64, and I am not even a member of their forum. As a matter of fact, I should be more prone to licking Iobit's ass, since I got the 1 year free license offer from them, and SAS Pro, since I have won a lifetime license of theirs in the past (but I don't run it yet, because 2 drivers give an error in x64 although it does seem to work fine). I am also not against China or Chinese products per se; I have been Twister's defender for 2 years in this forum. Also in my old post in Wilders posted above, I was actually speaking well of Iobit before all this happened. So, if anything, MBAM is the one company which has given me the least she could (a freeware version, as opposed to Iobit and SAS that gave me a paid version for free). Not to mention that Iobit also gave me safe and free porn, while MBAM never did. :D

    The thing is, if I had to give my chances on who's telling the truth, I'd give 90% to MBAM, and I hate it when a small vendor that doesn't have the power of Norton to strike back gets ripped off.
     
    Last edited: Nov 7, 2009
  2. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    The problem is that you talk about things that I suppose 95% of those that read the forum, me included, have no idea about. I haven't seen, nor do I know how to compare, signatures.

    Let me ask you something. If they used the entire database, would they be able to deny they stole it? If I were to steal signatures and I had the means, I'd mix signatures of various vendors plus my own signatures. This way you get a mixed database that makes it easier to deny claims. Also, by adding your own, you have the best of both worlds: both stolen and your own.

    I've no idea how outsourcing of signatures is done and whether it's legal to do so. However, it seems that Iobit is removing signatures from her database instead of filing a lawsuit against MBAM. And this tells me something.

    I mean, REALLY, you threaten publicly with a lawsuit unless MBAM stops it, MBAM goes on and sends a letter to Major Geeks removing your product, Softpedia makes an announcement that you must "clear your name", download.com no longer hosts the file itself, and all you do is announce a "new version" that has a WORSE detection rate than your previous version? Your reputation has been destroyed, MBAM didn't stop it and you remove signatures from your database? What happened to the lawsuit?

    I can't say that Iobit did this 100%, but let me tell you, even the way that Iobit handles the whole story is shouting "I am guilty". From the way they handled the forum to the way they handled MBAM's attack and the download sites' slap and their new version release. So, it's not that everyone will get convinced, but most people on the net, if you google "Iobit steals database", are prone to think Iobit has things to hide. That's all. I don't think that MBAM expects ALL people to believe them either. There are people who still believe that NASA never got to the moon back in the Apollo missions; some people are hard to convince no matter what you say. I think MBAM have achieved their goal pretty well. 90%+ of the people in all kinds of fora believe the MBAM version of the story. Google it yourself... And if I were MBAM I'd be pretty happy with the result.

    Regards
     
    Last edited: Nov 7, 2009
  3. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    There are 2 technologies that we know for a fact they can't use, and these came into play after their last major app update and are not compatible with their application. These sections were never copied.

    We knew this long before we had proof, as virtually all malware we detect with these technologies was missed by IOBit, and the ones they did hit did not match our naming.

    There was one specific IOBit update that had the maximum number of stolen defs, around Oct. 20th. The integrated defs in 1.2 will not reflect the reality of past theft.

    In our very first report we mentioned that there may have been other vendors involved and this could explain what you saw; we have never actually confirmed this, as this falls in the laps of those other vendors.

    As far as outsourcing goes, man, that would be even more damning. I lead the database team and there is no chance in hell that I would EVER add definitions from a source that I did not personally know and work with; this is pure insanity, as all of your control is lost.
     
  4. Anar

    Anar Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    31
    ~Comment containing proprietary information removed~


    I compared 1.10 defs.

    That is what contracts are for. But this is not a discussion about outsourcing pros and cons. We all do it ... you do it as well (you are using several third-party components in your application). I just said that this is a likely possibility. If you guys would actually add all malware to your database instead of just a fraction, you would very likely think about outsourcing as well.

    Which is ok. I don't intend to explain how anyone could do that. I just posted my thoughts. And nobody has to believe me.

    Ok, since you and nosirrah both brought up that point I will try to rephrase my previous comment to make it more clear what I want to say. After all, English is not my native language, so it's quite hard for me to bring my point across.

    I didn't refer to IObit's database content as a whole compared to MBAM's. I was talking about MBAM's database content compared to IObit's. IObit's database does contain a lot more than MBAM's database. But if they had stolen MBAM's database by reversing it, you would see a much higher percentage of MBAM's database content inside IObit's. And I am not talking about just a few signatures either. I am talking about complete signature types that are missing. Signature types that would be relatively easy to implement if you had the intention to do so.

    Additionally, your argumentation is flawed. Stealing only half of the database would cause the same bad reputation as stealing the whole. Your company's reputation would be screwed either way. So why take just a fraction of the database instead of the whole?

    Who says they don't take legal action against MBAM? If I were IObit (which I am not ... just in case) I would remove the signatures in question so the public can calm down, and sue Malwarebytes. Thereby both preventing more damage to my reputation and defending my product. Keeping the signatures as they are now would just be like throwing more fuel on the fire.
     
    Last edited by a moderator: Nov 7, 2009
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Your English is better than mine. It's just that obviously you know how to "view" signature databases and compare them, while I don't. So I can't understand you, not because of the English, but because you see things that I can't see and can't understand. :D

    I think only you and Nosirrah can talk effectively about that. Because I don't know what percentage of the one is in the other and can't verify it. The only thing that I can say is "Is there a rule saying what percentage of the other you'd better steal?" I mean, I understand your question, but I don't see the perfect logic behind it. All I know is that if I were to steal databases, I'd take some from more sources. In that way, there wouldn't be a crushing similarity with any other vendor's, and hence I could more easily deny it. It would also be harder to DETECT.

    I bet that you can talk with Nosirrah about the details, because I am in no position to know anything about the details of the signatures: which are easy to implement, which aren't, which are "spiked" (trapped), etc.

    All I know is that v. 1.20 fully updated detects 100+ fewer samples in my testbed than 1.10 without updates. You draw your own conclusions from that.

    I differ with your opinion. It's easier to defend a partial database similarity than a huge database similarity. It's what you're doing right now, isn't it? If they had ripped the entire database, how would you defend them right now? Your own line of defence is the answer to your own question.

    Oh, I hope they do! I know they threatened to, but haven't taken it yet (at least they didn't say so). We will both be here when they do or when they don't, and we will see how it ends up in court, won't we?

    If I were Iobit and had stolen nothing, I wouldn't remove anything, because I did nothing bad, and I would immediately announce that I sue MBAM. This would show confidence and could probably help avoid some sites removing my product. When you say "MBAM stop it right now or I sue, I've stolen nothing", MBAM doesn't stop it and sites start removing your product one after the other, security specialists and MS MVPs start openly siding with MBAM, and all you do is "I will update my database", you're not helping yourself IMHO. But that's a different view we have on this, it's ok. Because you know, the public wasn't upset by the fact that the signatures were in Iobit's database. The public was upset that the signatures were claimed to be stolen from MBAM. Now, whether they are stolen or not is the problem. Not whether you keep them in your database or remove them. Removing them won't help you with public opinion. Convincing people that they weren't stolen will. 2 different things.

    Just a curiosity. Why did Iobit remove the samples from my testbed too? They're not mentioned in MBAM's announcement and they are really malware according to Avast.
     
    Last edited: Nov 7, 2009
  6. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    If someone we contracted gave us a new DB chunk that deleted critical parts of several legit apps, would people say "now that you have explained it we totally support you again" in reaction to us saying "it's not our problem, our contracted DB guys did this, not us"?
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Anyway, we don't have to agree that one must be convinced that either side is right. Personally I have written enough in this thread and done my own test; I won't convince you and you won't convince me.

    After a point, struggling to keep trying to convince the other becomes futile.

    I'm off for some naruto hentai "malware" testing now (that one sure helped me take Iobit more seriously). :D
     
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Sorry, I missed that one. So, you're in the "business" too. Then, out of courtesy, if you wish, tell us which company you work for?
     
  9. Anar

    Anar Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    31
    I just noticed ... you guys do outsource some parts of the signature generation. Fatdcuk is located in the UK according to his profile. You are based in the US. I would bet he is self-employed and not an employee of Malwarebytes. Therefore a contractor.
    And to reply to your comment ... obviously the people won't care who the signatures that caused the FP came from. So it wouldn't matter from a reputation point of view. It would matter from a legal point of view though.

    Would be perfectly explainable by my "contractor theory". They discovered that one of their contractors stole signatures and therefore removed all signatures originating from that contractor.

    I am a contractor and work in software development. No current employer though, because of the recession.
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Just for the record, my samples are publicly available on the internet in a public forum; you need no contractor, just an internet connection. A guy has put them on rapidshare; hundreds of users or even more have them. I don't know much more about contractors. Anyway, even if the contractor stole signatures from MBAM, or even if he included my samples in his "package" so they think they are illegal, well, you know that accepting stolen goods is punishable by law too, don't you? They should say so and sue their contractor. Having a stealing contractor, if he stole from MBAM, it's still Iobit's problem having stolen signatures. Maybe they didn't do it themselves, but it's still illegal. If I steal jewelry and I come to your jewel shop and you agree to buy it, the police will bust you too.

    What I understand is that they are doing "house cleaning" in their database. And in the process, either on purpose (like to eliminate the contractor's signatures) or by accident, they delete some definitions. I wouldn't do that if I were innocent.

    I see. I didn't even know that such contractors exist. :D That's something interesting and new for me to learn, thanks.
     
  11. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    I work directly with all of my researchers and their geographic location is irrelevant. All of them are NDA employees and all of them report to and get work directly from me. Me and my top researchers train our new researchers, and they don't get to do any real defs until they are fully ready and approved by the team and owners. I have also worked with Ade on multiple forums and projects for the last 4 years. I knew him far better than any person that might walk in our front doors looking for work.
     
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Oh, in case you missed it, since there are many pages in this thread, here's what Iobit says about the origin of MBAM's "claimed" samples:


    Which goes against the theory of the contractor, as far as at least the malware samples mentioned by MBAM goes.


    I also find it weird that they also detect the registry key "Hijack.DisplayProperties". Some user exported the key after scanning with MBAM, renamed the registry key to "HiJack.DisplayProperties" and submitted it to Iobit, where the same (obviously) naive analyst included the detection of a harmless registry key with the same name?

    Because I doubt a contractor would send... a Windows registry key as a "sample". Which is a false positive, by the way, 100% of the time you change your display settings.
     
  13. Dr who

    Dr who Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    46
    If I understand from information around the web, this is not a case of 100 signatures, not even a thousand, but whoever did it copied and pasted a large chunk of the hacked MBAM database. The only stuff not copied was the stuff their engine couldn't process.
    You have confirmed this since you have been peeking into both unpacked databases.

    So they snipped what was not compatible with the IO engine and you're telling me that massive chunk of data inserted into the IObit database went unnoticed by anyone at IObit360 HQ. Yeah right, like hell!

    Even if they broke it down into smaller chunks over time, they would see extremely noticeable increases in their database size because of the sheer volume of signatures added.

    I'm sorry, but for a software developer your argument is thin.

    Databases that double in size tend to get noticed by developers and coworkers alike at the time, and questions would be asked internally.

    No bones about it, the IObit database for an unspecified period of time contained signatures that were block copied and pasted from the unencrypted MBAM database.

    Theft is theft, no matter if it is outsourced or in-house.
     
  14. Anar

    Anar Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    31
    Though they are not employees but are self-employed and therefore are contractors (otherwise an NDA would not be necessary - at least not where I live). I bet they will send invoices every month and will have to take care of taxes, social security and other social receivables themselves as well (which wouldn't be the case if they were employees - at least not where I live).

    And there goes your "I lead the database team and there is no chance in hell that I would EVER add definitions from a source that I did not personally know and work with" argument. But as I said ... it's not about outsourcing pros and cons. I just explained my theory based on my observations.

    Right. But if IObit did in fact reverse engineer MBAM in-house, they could have and would have implemented the missing signature types, don't you think?

    Let's do a little test: Go to a large contractor site. Like for example http://www.rentacoder.com. Look for projects involving Spyware. You would be surprised.

    Or the contractor did it from the beginning and no one noticed it so far. Huge database growth is normal for young applications. It could go unnoticed.

    Lawyers would disagree. I think the US has a principle of utmost good faith as well.
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, if they did get illegal samples but didn't do it consciously, but were fooled by a contractor (I don't know how easy that is), at least they have an attenuating factor.

    Of course it's not MBAM's business to know that. MBAM's business was to find out if the database was stolen and it was a success to actually suspect that it may be stolen.

    Of course, I suppose when identical names, especially on false positives, start accumulating, you become suspicious.

    This guy who before all this exploded, also noted the "interesting" thing about the false positive:

    http://www.freeantivirushelp.com/blog/?tag=/hijack.displayproperties

    I am actually thinking of starting a poll about that later, to see how many antiviruses flag that particular key. I expect it to be only MBAM and Iobit.
     
  16. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    My prediction about this case:

    - For whatever reasons, Iobit will just wait until the story is forgotten and won't sue MBAM.

    - If the story is really about a contractor that fooled them, they may sue the contractor and ruin him.

    They will leave the rest to time, that heals everything and makes people forget.
     
  17. Anar

    Anar Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    31
    Ok, since I got a few PMs I want to clarify one thing:

    I don't want to deny that IObit's database has large portions of definitions that are equal to Malwarebytes' definitions. I even would go so far that I would say that someone did copy Malwarebytes' signatures.

    What I don't understand is why IObit would go through the trouble of reversing MBAM in order to only copy half of it (* this is a figure of speech, it's not exactly 50% of MBAM's signatures they copied ... though I could calculate the exact value). Somehow - for me - that doesn't make much sense. For me the only logical thing would be that they didn't and instead someone else did.

    That is all I wanted to say and discuss about. I don't have a grudge against MBAM and I am not an IObit fanboy (though I have an account over there since I intended to participate in their testing contest). I just have personal doubts after taking an in-depth look at it and wanted to share my opinion.
     
  18. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    @ Anar,

    Your theory of a contractor sounds plausible. Albeit Iobit until now has not verified this theory (you saw what they said about their investigation). But I wouldn't say it's improbable for larger pieces.

    Personally, I can't exclude them from having done all this by themselves either, though. Because for me it's perfectly logical NOT to steal 100%, because you increase dramatically the chances that someone will notice the similarity. Unless Iobit was expecting to be suspected and "caught", so she would think "well, since I will be busted anyway, I may as well take it all". But this is something that you want to do WITHOUT raising suspicion and thus getting caught. So the less you get from more sources, the better the chances that you will pass unnoticed.

    It's like the thieves after the bank robbery, you know? Where they say "Guys, don't spend the money right away, or they will catch us". They don't think "Since they will catch us, we may as well go immediately and buy a Ferrari and enjoy it".

    Or, you stole some diamonds and you need to pass through an airport check. Where's the best place to hide them? a) In a bag on their own, b) Amongst other, legal diamonds which are 3 times the number of the stolen ones, and hope nobody will recognize the stolen ones. I would pick the latter. You know, the same principle of "keeping my diamonds in the freezer inside the ice cube generator", because this way a thief will not notice you have a bunch of diamonds inside ice cubes (hopefully). Of course you can stack all your diamonds in a corner of the freezer in a bag and write on them "diamonds here". I wouldn't do that. Stealing the entire MBAM database, for me, is equal to shouting "MBAM database here, people!".

    If I were in their place and wanted to steal, I'd take 15-20% of MBAM and that's it. I'd try to take another 15% from someone else and so on. It would be less easy to detect. I'd also try to use different detection names for as many samples as possible.
     
    Last edited: Nov 7, 2009
  19. qpok

    qpok Registered Member

    Joined:
    Apr 3, 2008
    Posts:
    63
    My worry is that IObit (and possibly other companies pursuing similar strategies) will put effort into obfuscating their usage of stolen signatures. So instead of researching threats and creating new signatures and ways of battling malware they would research and implement ways of better hiding the fact that they use illegally obtained signatures. Then again I am no security expert so I can't say whether this fear is real or just pure theoretical speculation.
     
  20. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    If ethics don't prevent that, then the knowledge that we all have trap defs will. IOBit missed both of those chapters in "the rule book".
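    As an added illustration of the two checks the posters describe (Anar's comparison of one database's content against the other, type by type, and nosirrah's "trap defs"), and not code from the thread or from either vendor, here is a small Python comparison over two constructed signature lists. The record format, hashes, detection names, registry tokens and the trap pattern are all made up for the example.

    ```python
    from collections import defaultdict
    from typing import Dict, List, Set, Tuple

    # One signature record: (signature_type, detection_name, pattern).
    # Constructed toy format and values; not any real vendor's database layout.
    Sig = Tuple[str, str, str]

    OWN_DB: List[Sig] = [
        ("file_md5",  "Trojan.Agent",             "0a1b2c3d4e5f60718293a4b5c6d7e8f9"),
        ("file_md5",  "Trojan.Downloader",        "ffeeddccbbaa99887766554433221100"),
        ("file_md5",  "Rogue.FakeAV",             "123456789abcdef0123456789abcdef0"),
        ("file_md5",  "Trojan.Agent",             "deadbeef00000000000000000000c0de"),  # trap
        ("registry",  "Hijack.DisplayProperties", "reg:desktop_nodispcpl"),
        ("registry",  "Hijack.Shell",             "reg:winlogon_shell"),
        ("heuristic", "Heuristics.PackedDropper", "heur:packed+apiresolve"),
        ("heuristic", "Heuristics.Injector",      "heur:remote_thread"),
    ]
    # Trap definitions: patterns the owner planted that match nothing in the wild.
    TRAPS: Set[str] = {"deadbeef00000000000000000000c0de"}
    # Detections the owner knows are contested false positives.
    KNOWN_FP_NAMES: Set[str] = {"Hijack.DisplayProperties"}

    # The other vendor's database (constructed). It carries no heuristic type at all.
    OTHER_DB: List[Sig] = [
        ("file_md5", "Trojan.Agent",             "0a1b2c3d4e5f60718293a4b5c6d7e8f9"),
        ("file_md5", "Trojan.Downloader",        "ffeeddccbbaa99887766554433221100"),
        ("file_md5", "Trojan.Agent",             "deadbeef00000000000000000000c0de"),
        ("file_md5", "Malware.Generic",          "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
        ("registry", "HiJack.DisplayProperties", "reg:desktop_nodispcpl"),
        ("registry", "Trojan.Startup",           "reg:run_evil"),
    ]


    def overlap_by_type(own: List[Sig], other: List[Sig]) -> Dict[str, Tuple[int, int]]:
        """Per signature type: (own patterns also present in other, own total).
        A type with zero shared entries is one the other engine does not carry,
        which is the 'missing signature types' observation from the thread."""
        other_keys = {(t, p) for t, _, p in other}
        counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
        for t, _, p in own:
            counts[t][1] += 1
            if (t, p) in other_keys:
                counts[t][0] += 1
        return {t: (shared, total) for t, (shared, total) in counts.items()}


    def trap_hits(traps: Set[str], other: List[Sig]) -> List[str]:
        """Trap patterns present in the other database. A trap matches no real
        sample, so independent research cannot explain its presence."""
        return sorted(traps & {p for _, _, p in other})


    def shared_names(own: List[Sig], other: List[Sig],
                     known_fps: Set[str]) -> List[Tuple[str, str, bool]]:
        """Entries where the pattern AND the (case-folded) detection name match.
        Returns (own_name, pattern, is_known_fp); identical naming on a known
        false positive is the strongest single indicator of copying."""
        other_names = {(t, p): n.casefold() for t, n, p in other}
        return [(n, p, n in known_fps) for t, n, p in own
                if other_names.get((t, p)) == n.casefold()]


    def summarize(own: List[Sig], other: List[Sig],
                  traps: Set[str], known_fps: Set[str]) -> Dict[str, object]:
        """Roll the three checks into one report dictionary."""
        names = shared_names(own, other, known_fps)
        return {
            "overlap_by_type": overlap_by_type(own, other),
            "trap_hits": trap_hits(traps, other),
            "shared_names": names,
            "shared_fp_names": [n for n, _, fp in names if fp],
        }


    if __name__ == "__main__":
        report = summarize(OWN_DB, OTHER_DB, TRAPS, KNOWN_FP_NAMES)
        for sig_type, (shared, total) in report["overlap_by_type"].items():
            print(f"{sig_type:10s} {shared}/{total} of own entries present in other DB")
        print("trap definitions found in other DB:", report["trap_hits"])
        print("identical names on known FPs:", report["shared_fp_names"])
    ```

    On the constructed data the heuristic type shows 0/2 shared (the "missing type" signal), the planted trap pattern turns up in the other database, and the contested registry detection is carried under the same name differing only in case.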
     
  21. ePost

    ePost Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    105
    nosirrah, you guys at MBAM's staff wrote to a few other companies about this theft. They too are victims of this. Do you think that we will some day hear more about these other AV manufacturers? Will some of the other vendors go public, or is that classified information? I'd like to know a bit about their reaction...
     
  22. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    I can't confirm anything other than that what our investigation found looked funny and needs to be looked into. We did not do any confirmation on our own for other vendors, and that is totally up to them where they go from here. I can say that some of what looked funny is in plain sight, and if anyone wants to look into it they can go right ahead.
     
  23. ePost

    ePost Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    105
    Thanks. A bit funny that the other vendors didn't get back to you - they could at least have said thank you. But I realize that whatever they said or didn't say - it's not for us to know. Such correspondence is not a public matter...
     
  24. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    The right way to have handled this was silently, until actual facts are proven in a court of law and/or by outside parties. This has turned into a huge publicity stunt - MalwareBytes has destroyed a competitor's reputation.

    Many sites that MalwareBytes forced IOBit off of SELL MBAM without disclosing that fact - now they are forced to remove IOBit - I wonder if forcing out a higher-rated product helped MBAM's sales? Of course it does.

    Who gets accused next? SUPERAntiSpyware? AdAware? CounterSpy? AVG?
     
  25. Dr who

    Dr who Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    46
    Of course Nick,

    You would have handled it completely differently (but that will not be known unless you find yourself in that same predicament).

    Nick, follow this logic... if they hadn't robbed the MBAM database contents, then there would have been no news or outcry!

    Unbelievable that you overlook that one major detail.

    Are you jealous they didn't use your signatures?
     