Reuters: Russian antivirus firm faked malware to harm rivals

Discussion in 'other anti-virus software' started by vlk, Aug 14, 2015.

  1. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Because the financial elite has decided we are at war again with Russia.
     
  2. JimmyJames321

    JimmyJames321 Registered Member

    Joined:
    Apr 6, 2015
    Posts:
    47
    “Reuters: Russian antivirus firm faked malware to harm rivals”

    It's wise that vlk named the thread the way it is. It's like saying “Guys, I want to draw your attention to this Reuters report and it is about a Russian AV vendor that did trickery!”; and the name of that vendor is obvious if you just look at the quoted link (even without clicking it). And vlk would have no further comment.
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    And here I thought all the people of the world were brothers and sisters but only the government caused wars. Ya know? **word removed as per TOS wars LOL
     
    Last edited by a moderator: Aug 15, 2015
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    It is just the exact same title of the reuters article :D.
     
  5. JimmyJames321

    JimmyJames321 Registered Member

    Joined:
    Apr 6, 2015
    Posts:
    47
    This wise guy just posted it the way it is and made no comments on it !! ; )

    I just clicked on it again to check, actually vlk added "Reuters:" up front. LoL
     
    Last edited: Aug 15, 2015
  6. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,785
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Having prejudice against Kaspersky just because they are Russian is silly. Then we should have equal standards with US based companies since US is notorious for spying after its citizens (and also people outside their borders). And yet people don't hold up to the same standards for that one (for some reason). That's hypocritical.

    And like I said, if you've fallen for this "prank", then you're a bad security company to begin with. Who says it's Kaspersky that was doing it, it may very well be malware writers of which there are plenty all over the world. In the end, it doesn't matter who made that, if you fall for it, you suck and you should re-evaluate your priorities as a security firm.
     
  8. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    509
    So let me get this straight, people avoid eastern companies because of evidence-less accusations from western media?
     
  9. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,785
    Western media, and people that grew up in these non-democracies.. Yes, I trust western governments more than those of Russian, China, Iran, North Korea, etc...
     
    Last edited: Aug 15, 2015
  10. JimmyJames321

    JimmyJames321 Registered Member

    Joined:
    Apr 6, 2015
    Posts:
    47
    Let's stop non-topic related discussions.
     
  11. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    509
    I thought accused parties are considered innocent until they are proven to be guilty, especially in democracies.

    On topic, so allegedly Kaspersky engineers could exploit several companies' automatic pattern (static sig or more likely heuristic pattern) generation systems and went on with this for several years. IF this is true, it is quite impressive.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,062
    Location:
    Nicaragua
    Same here.

    Bo
     
  13. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,785
    You misunderstand the legal system vs peoples right to an opinion.
     
  14. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    509
    I believe I got an adequate understanding of what is what. I was just trying to rephrase what I said earlier: People would like to jump to conclusions without evidence (this part is not especially addressed to you , you should be able to see what I mean by going back in the thread) .
    Anyway, I believe we can agree that we disagree, since I don't want to drag this any further and derail the topic.

    Btw does anybody know if we have/ or had a rep from Kaspersky at current/any time?
     
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    9,873
    Location:
    Lloegyr
    I believe Reuters is UK based. I don't know about the credibility of this story but I wasn't aware of any immediate Russian activity in my postcode area. It must be all down south somewhere. I think the moral of this story is not to believe everything you read in the press without convincing evidence. The press, even including Reuters, aren't averse to the occasional pork pie on slow news days.
     
  16. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    77,039
    Location:
    U.S.A.
    That's correct: https://en.wikipedia.org/wiki/Reuters.

    Let's Leave Governments/Politics Out of the Discussion, Otherwise This Thread Will Be Closed!
     
  17. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    9,873
    Location:
    Lloegyr
    I knew I was right about Reuters! ;):argh:
     
  18. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    To answer that question:

    There is no company out there that creates all of their signatures by hand. With 300k+ new malware samples per day, it is simply not feasible for every sample to be analyzed by a human. That is why pretty much every AV company automates the signature creation process at least to some degree.

    Every vendor has their own recipe for automated signatures. Some of them are rather primitive. Others are quite complex. In general though, by reverse engineering what the engine does and reverse engineering the content of the signature database, chances are you can figure out how the automated algorithm that picked these signatures operates and what parts of a malicious file it tends to select to create the signature from.

    Once you know how the signature is selected by the AV company's signature generation algorithm, you can craft a file that is malicious (which is required so it is even considered for signature creation in most cases), but has code that can be found in non-malicious files in those areas that the algorithm will pick to create the signature from. Now all you need to do is to get this manipulated malware file to the AV company by uploading it to VirusTotal for example. Then you just wait until it eventually ends up through the various sample exchanges at the AV company you targeted.

    Obviously it will be rather difficult to get an AV vendor to detect extremely common files like Windows components that way, as that will likely be prevented by the QA processes put in place after the actual signature generation. But for less common files, like the printer driver that was mentioned in the article, that is completely feasible.

    Are AV companies to blame here? I don't think so to be honest. It is not like someone uploaded a non-malicious file to VT that an evil AV "fake detected" and that detection was just copied by everyone. The file that was uploaded was indeed malicious. It was just crafted in a way to trick the proprietary signature selection algorithms used by the targeted AV company to select a bad signature. A similar attack is possible on human analysts by the way. Back in the day when automated sample processing wasn't a thing yet, you could look at signatures of an AV and recognize which of the analyst in the company did specific signatures if you looked at enough of them. The reason for that is that humans have habits and biases just like these automated systems have and knowing those, you can tempt a human into picking a bad signature as well.

    I hope these explanations clear up a few misconceptions about the accusations :).
     
  19. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    @
    Fabian Wosar, I wish there was an "upvote" system when such complete answers are given :)

    That was very informative, I appreciate your time to write that.
     
  20. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    But then again, some random person can do the same. Here are allegations against Kaspersky, but what if some random "script kiddie" did it? It just shows that companies have flawed inetrnal systems if anything. But it's just more juicy if one can blame a security firm for it than some random dude on the internet. Especially considering the conspiracy theorists screaming "antivirus companies make viruses" thing for years and years.
     
  21. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    I never said Kaspersky did it. I just explained how this could be done and confirm that the technical scenario outlined in the article, accusations and blame aside, are realistic and wanted to explain why they work.
     
  22. hjlbx

    hjlbx Guest

    This is a perfectly clear explanation.

    Thanks @Fabian Wosar ...
     
  23. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    Yes, thumbs up to @Fabian Wosar -- that was educational.

    As far as accusations go...they're only that, sans substance (I said the same thing about accusations about Qihoo cheating) and reflect more on the accuser rather than the accused.

    Eugene Kaspersky's blog was an entertaining read too.
     
  24. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,190
    @Fabian Wosar Thanks for the explanation. I had a fair idea of that anway, but your detailed explanation made it clearer.
     
  25. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,778
    Fabian Wosar,
    Thank you for your very interesting explanation how this works. Great education.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.