The Russian internet security firm Kaspersky is accused of sabotaging its rivals

Who watches the watchmen?
Who watches the watchmen?
Image: Reuters/Sergei Karpukhin
We may earn a commission from links on this page.

This post has been updated with a comment from Kaspersky.

Time to update your antivirus software, again. According to former employees of Kaspersky Lab who spoke with Reuters, the Russian antivirus company injected code into rival antivirus software in an effort to frustrate their customers—efforts that have been taking place for more than a decade.

The anonymous allegations against Kaspersky say it tricked its rivals into identifying “false positives” on user’s computers: making them think that innocuous files were malicious. The alleged exploit would have been possible because internet security firms rely on pooled information about potential threats, in order to offer more comprehensive protection.

Many of the antivirus companies share information through Google’s VirusTotal, a free malware and virus detection hub. This allows companies to make sure they are covered for the latest attacks, but it also allows them to lean heavily on others’ work, instead of finding new threats themselves.

According to Reuters, Kaspersky has for years complained about this borrowing, and co-founder Eugene Kaspersky eventually got fed up with the borrowing, ordering staff to inject malicious code into benign files to fool rival software—including Microsoft’s and Avast’s—into believing that benign files needed to be quarantined, or in some cases, deleted.

In a statement to Reuters, Kaspersky flatly rejected the claims, and the company did not immediately respond to Quartz’ request for comment. But Microsoft’s antimalware research director, Dennis Batchelder, told Reuters that he remembered instances of customers calling in to complain that necessary pieces of software—like the code to make a printer run—had been deemed a threat and put in quarantine. Although Microsoft didn’t investigate the provenance of the false positive, Batchelder’s team noticed that the software was picking up on code that was identical to lines in an actual malware file it had spotted days earlier.

Update (4:30pm ET): Kaspersky sent Quartz the following statement:

Contrary to allegations made in a Reuters news story, Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and illegal. Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false. As a member of the security community, we share our threat intelligence data and IOCs on advanced threat actors with other vendors, and we also receive and analyze threat data provided by others. Although the security market is very competitive, trusted threat data exchange is a critical part of the overall security of the entire IT ecosystem, and we fight hard to help ensure that this exchange is not compromised or corrupted.

In 2010, we conducted a one-time experiment uploading only 20 samples of non-malicious files to the VirusTotal multi-scanner, which would not cause false positives as these files were absolutely clean, useless and harmless. After the experiment, we made it public and provided all the samples used to the media so they could test it for themselves. We conducted the experiment to draw the security community’s attention to the problem of insufficiency of multi-scanner based detection when files are blocked only because other vendors detected them as being malicious, without actual examination of the file activity (behavior).

After that experiment, we had a discussion with the antivirus industry regarding this issue and understood we were in agreement on all major points.

In 2012, Kaspersky Lab was among the affected companies impacted by an unknown source uploading bad files to VirusTotal, which led to a number of incidents with false-positive detections. To resolve this issue, in October 2013, during the VB Conference in Berlin there was a private meeting between leading antivirus vendors to exchange the information about the incidents, work out the motives behind this attack and develop an action plan. It is still unclear who was behind this campaign.