Discussion in 'other anti-virus software' started by vlk, Aug 14, 2015.
Because the financial elite has decided we are at war again with Russia.
“Reuters: Russian antivirus firm faked malware to harm rivals”
It's wise that vlk named the thread the way it is. It's like saying “Guys, I want to draw your attention to this Reuters report and it is about a Russian AV vendor that did trickery!”; and the name of that vendor is obvious if you just look at the quoted link (even without clicking it). And vlk would have no further comment.
And here I thought all the people of the world were brothers and sisters but only the government caused wars. Ya know? **word removed as per TOS wars LOL
It is just the exact same title of the Reuters article.
This wise guy just posted it the way it is and made no comments on it!! ;)
I just clicked on it again to check, actually vlk added "Reuters:" up front. LoL
More smoke. There's a reason I avoid Russian and Chinese software.
Having prejudice against Kaspersky just because they are Russian is silly. Then we should have equal standards with US based companies since US is notorious for spying after its citizens (and also people outside their borders). And yet people don't hold up to the same standards for that one (for some reason). That's hypocritical.
And like I said, if you've fallen for this "prank", then you're a bad security company to begin with. Who says it's Kaspersky that was doing it, it may very well be malware writers of which there are plenty all over the world. In the end, it doesn't matter who made that, if you fall for it, you suck and you should re-evaluate your priorities as a security firm.
So let me get this straight, people avoid eastern companies because of evidence-less accusations from western media?
Western media, and people that grew up in these non-democracies.. Yes, I trust western governments more than those of Russian, China, Iran, North Korea, etc...
Let's stop non-topic related discussions.
I thought accused parties are considered innocent until they are proven to be guilty, especially in democracies.
On topic, so allegedly Kaspersky engineers could exploit several companies' automatic pattern (static sig or more likely heuristic pattern) generation systems and went on with this for several years. IF this is true, it is quite impressive.
You misunderstand the legal system vs peoples right to an opinion.
I believe I got an adequate understanding of what is what. I was just trying to rephrase what I said earlier: people would like to jump to conclusions without evidence (this part is not especially addressed to you; you should be able to see what I mean by going back in the thread).
Anyway, I believe we can agree that we disagree, since I don't want to drag this any further and derail the topic.
Btw, does anybody know if we have, or had, a rep from Kaspersky at the current or any time?
I believe Reuters is UK based. I don't know about the credibility of this story but I wasn't aware of any immediate Russian activity in my postcode area. It must be all down south somewhere. I think the moral of this story is not to believe everything you read in the press without convincing evidence. The press, even including Reuters, aren't averse to the occasional pork pie on slow news days.
That's correct: https://en.wikipedia.org/wiki/Reuters.
Let's Leave Governments/Politics Out of the Discussion, Otherwise This Thread Will Be Closed!
I knew I was right about Reuters!
To answer that question:
There is no company out there that creates all of their signatures by hand. With 300k+ new malware samples per day, it is simply not feasible for every sample to be analyzed by a human. That is why pretty much every AV company automates the signature creation process at least to some degree.
Every vendor has their own recipe for automated signatures. Some of them are rather primitive. Others are quite complex. In general though, by reverse engineering what the engine does and reverse engineering the content of the signature database, chances are you can figure out how the automated algorithm that picked these signatures operates and what parts of a malicious file it tends to select to create the signature from.
Once you know how the signature is selected by the AV company's signature generation algorithm, you can craft a file that is malicious (which is required so it is even considered for signature creation in most cases), but has code that can be found in non-malicious files in those areas that the algorithm will pick to create the signature from. Now all you need to do is to get this manipulated malware file to the AV company by uploading it to VirusTotal for example. Then you just wait until it eventually ends up through the various sample exchanges at the AV company you targeted.
Obviously it will be rather difficult to get an AV vendor to detect extremely common files like Windows components that way, as that will likely be prevented by the QA processes put in place after the actual signature generation. But for less common files, like the printer driver that was mentioned in the article, that is completely feasible.
Are AV companies to blame here? I don't think so to be honest. It is not like someone uploaded a non-malicious file to VT that an evil AV "fake detected" and that detection was just copied by everyone. The file that was uploaded was indeed malicious. It was just crafted in a way to trick the proprietary signature selection algorithms used by the targeted AV company to select a bad signature. A similar attack is possible on human analysts by the way. Back in the day when automated sample processing wasn't a thing yet, you could look at signatures of an AV and recognize which of the analyst in the company did specific signatures if you looked at enough of them. The reason for that is that humans have habits and biases just like these automated systems have and knowing those, you can tempt a human into picking a bad signature as well.
I hope these explanations clear up a few misconceptions about the accusations.
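The post above describes two things: an automated signature generator that tends to pick bytes from a predictable region of a malicious file, and the QA step after generation that is supposed to catch a signature which also hits common clean files. The following is an added toy model of both (not the poster's code, and not any vendor's real algorithm). Every "file" is a constructed byte string, the offset, signature length and n-gram size are assumptions, and the clean corpus is a stand-in for a vendor's known-good file set. It shows how a sample that carries clean-file bytes in the region the naive selector reads would produce a signature flagging the clean file, and how a clean-corpus cross-check rejects that candidate, falls back to a window with no overlap, or escalates to a human when nothing usable is left.

```python
"""Toy model of automated AV signature selection plus the clean-corpus QA gate.

Constructed example: every 'file' below is a short byte string standing in for a
real binary. SIG_LEN, NGRAM, CODE_OFFSET and the file names are assumptions, not
any vendor's real parameters.
"""

SIG_LEN = 16      # assumed length of a generated byte signature
NGRAM = 8         # assumed n-gram size used by the QA cross-check
CODE_OFFSET = 8   # assumed: the naive generator always reads just past the header

# Constructed stand-in for a vendor's known-clean file set; the "printer driver"
# from the article is modelled by printdrv.sys.
CLEAN_CORPUS = {
    "printdrv.sys": b"MZ-HDR--PRINTER SPOOLER INIT v2.3 -- shared runtime helper --",
    "calc.exe":     b"MZ-HDR--CALCULATOR MAIN LOOP -- shared runtime helper --",
}

# Constructed samples. SAMPLE_ORDINARY is a plain malicious file; SAMPLE_CRAFTED
# is the same payload placed after the bytes of a clean file, so the naive
# selector lands on benign code.
PAYLOAD = b"DROPPER PAYLOAD STAGE1"
SAMPLE_ORDINARY = b"MZ-HDR--" + PAYLOAD
SAMPLE_CRAFTED = CLEAN_CORPUS["printdrv.sys"] + PAYLOAD


def ngrams(data: bytes, n: int = NGRAM) -> set[bytes]:
    """All n-byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def naive_pick(sample: bytes) -> bytes:
    """Predictable selector: the SIG_LEN bytes right after the header."""
    return sample[CODE_OFFSET:CODE_OFFSET + SIG_LEN]


def qa_hits(sig: bytes, corpus: dict[str, bytes]) -> list[str]:
    """Names of clean files sharing any NGRAM-byte chunk with the candidate."""
    sig_grams = ngrams(sig)
    return [name for name, data in corpus.items() if sig_grams & ngrams(data)]


def scan(sig: bytes, files: dict[str, bytes]) -> list[str]:
    """What a shipped signature would flag: every file that contains it."""
    return [name for name, data in files.items() if sig in data]


def generate_signature(sample: bytes, corpus: dict[str, bytes]):
    """Pick a signature; if QA finds clean-corpus overlap, fall back to the first
    window with none; if no window is clean, escalate. Returns (sig, status)."""
    sig = naive_pick(sample)
    if not qa_hits(sig, corpus):
        return sig, "accepted"
    for i in range(len(sample) - SIG_LEN + 1):
        cand = sample[i:i + SIG_LEN]
        if not qa_hits(cand, corpus):
            return cand, "accepted-after-qa-reject"
    return None, "escalate-to-analyst"   # nothing usable without human review


if __name__ == "__main__":
    bad = naive_pick(SAMPLE_CRAFTED)
    print("naive signature from crafted sample:", bad)
    print("clean files it would flag without QA:", scan(bad, CLEAN_CORPUS))
    print("QA gate hits:", qa_hits(bad, CLEAN_CORPUS))
    print("with QA gate:", generate_signature(SAMPLE_CRAFTED, CLEAN_CORPUS))
    print("ordinary sample:", generate_signature(SAMPLE_ORDINARY, CLEAN_CORPUS))
    print("all-clean input:", generate_signature(CLEAN_CORPUS["calc.exe"], CLEAN_CORPUS))
```

The n-gram cross-check is stricter than a plain substring match on purpose: a candidate that merely contains a chunk of a clean file is already a bad signature, whether or not the whole candidate appears in that file. The escalate path is the part that matters operationally, since a sample built almost entirely from benign code should never get an automatic signature at all.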
Fabian Wosar, I wish there was an "upvote" system when such complete answers are given
That was very informative, I appreciate your time to write that.
But then again, some random person can do the same. Here are allegations against Kaspersky, but what if some random "script kiddie" did it? It just shows that companies have flawed internal systems if anything. But it's just more juicy if one can blame a security firm for it than some random dude on the internet. Especially considering the conspiracy theorists screaming the "antivirus companies make viruses" thing for years and years.
I never said Kaspersky did it. I just explained how this could be done, confirmed that the technical scenario outlined in the article, accusations and blame aside, is realistic, and wanted to explain why it works.
This is a perfectly clear explanation.
Thanks @Fabian Wosar ...
Yes, thumbs up to @Fabian Wosar -- that was educational.
As far as accusations go...they're only that, sans substance (I said the same thing about accusations about Qihoo cheating) and reflect more on the accuser rather than the accused.
Eugene Kaspersky's blog was an entertaining read too.
@Fabian Wosar Thanks for the explanation. I had a fair idea of that anyway, but your detailed explanation made it clearer.
Thank you for your very interesting explanation of how this works. Great education.