Comment Eugene Kaspersky is a complex character and capable of many things, but Friday's allegations that he ordered staff to deliberately sabotage rival antivirus packages smell fishy.
On the one hand, the problem of AV products flagging up false positives is well known. Signature-file detection of software nasties is dated, and of limited use, but it still forms the core of most computer security suites.
Tricking antimalware tools into deleting or quarantining legit operating system files is not as uncommon as you may think: tools and websites like VirusTotal accept files from the public and pass them on to antimalware engines to automatically analyze and memorize. It's an easy way to feed a lot of bad data into a company's antivirus engine.
Dennis Batchelder, director of research for the Microsoft Malware Protection Center, gave an excellent presentation on the topic at the 2013 Virus Bulletin conference. After the event, antivirus vendors had an informal confab to work out where all these bogus malware samples were coming from.
The considered opinion then, according to some of those there, was that it was an industry-wide problem that probably stemmed from malware writers trying to bork antivirus engines. Almost all security software vendors, including Kaspersky, had been fed harmless files manipulated into appearing to be malicious, seemingly in an attempt to investigate how malware detection engines worked.
The antivirus industry has always been good at collaboration. From the earliest days of the industry, email lists were set up to share malware samples and signatures with competitors, although the discovering company got to name the sample, got the bragging rights, and bagged the publicity.
According to the Reuters report, Kaspersky Lab decided to break this solidarity pact, and allegedly spent ten years seeding legit files with malware inserted in an attempt to cripple rivals. The Russian biz was, apparently, furious with its rivals ripping off its technology.
White-hat hackers and infosec students also screw around with antivirus engine submissions, Gunter Ollmann, former CTO at IOActive, pointed out today. It's also almost certain that government malware writers run portions of their code through the detection systems to see if they are flagged up.
Kaspersky Lab did do something along those lines back in 2010, but with a couple of crucial differences. Firstly, the firm was open about what it was doing and published the results of its findings. Secondly, you'd have to be mad to do this on a large scale because sooner or later the news would get out.
How do you solve a problem like Eugene?
Eugene Kaspersky comes across as a bit of a mad scientist. Your humble hack visited the Moscow offices of Kaspersky Lab roughly a decade ago, and Mr K was a character even then.
Kaspersky had an odd-looking bone on his desk when we went around the building, and I asked him what it was. He explained it was a walrus penis bone (many mammals have a penis bone) and that he used it to encourage his staff. He then demonstrated the bone's motivational powers by playfully whacking a staffer on the shoulder with it.
His response to Friday's allegations was typical of the man. He took to Twitter to call the claims "complete BS" and then went off on a bit of a rant.
Of course we make false positives. In banya, then riding bears to the beach. We have an fp factory 6 miles north of the Kremlin
— Eugene Kaspersky (@e_kaspersky) August 14, 2015
But is this mercurial nature enough to consider trying sabotage? It's unlikely – he had a lot to lose, and very little to gain, and would risk crippling his own business. He's slightly eccentric at times, not insane.
Security researchers are, on the whole, smart. They are adept at spotting weaknesses and narrowing down flaws in software, and finding new ways to exploit these holes while bypassing complex protection mechanisms. It's likely that if one of their own was doing this, it would have been noticed.
If it had been shown that Kaspersky was trying to bork other companies then so much of the collaboration that any security firm relies on in the antivirus space would have evaporated like vodka in a blast furnace. Eugene would be cutting off his nose to spite his face. It's not impossible, but not likely either.
Certainly some of his contemporaries don't think Kaspersky is guilty on this one. Liam O'Murchu, manager of operations for Symantec and a keen competitor of Kaspersky, was quick to point out that as far as he was concerned, the story was most likely wrong.
We had investigated these attacks but could not find out who was behind them. We had some suspects, Kaspersky was not one of them.
— Liam O'Murchu (@liam_omurchu) August 14, 2015
Time for Occam's razor
It's probable Reuters' sources are a couple of pissed-off ex-staffers who've had too many playful pokes from a penis bone, or just didn't get on with Kaspersky (the bloke), or felt they weren't paid or appreciated enough. And, as a result, somewhere along the line, the experiment in 2010 has been misinterpreted or misunderstood, and now it's making headlines in 2015.
Alternatively, it's possible Kaspersky Lab really did try for years to derail its competitors via dodgy samples. But it's difficult to see a clear benefit in the long term, plus it is easy to detect, and the risks are appalling.
This isn't the first time Kaspersky has been hit by accusations of foul play: in May, Bloomberg published a hit piece accusing the Russian firm of being far too cozy with Russian intelligence, which was also denied at the time, and no further news has come to light on the topic.
Kaspersky Lab is strong among antivirus firms for investigating state-sponsored malware, particularly software nasties coming from the Five Eyes nations of the US, UK, Canada, Australia, and New Zealand. It led the way blowing the gaff on Stuxnet, the US-Israeli Iranian nuke-lab cyber-weapon, and its Duqu cousin. None of this will have pleased Uncle Sam's intelligence agencies.
Is it possible there's an underhand PR campaign against the Russian firm? There's no direct evidence of such a plot but they've been hatched before. It's doubtful anyone in the NSA or GCHQ will weep salty tears if Kaspersky's firm went down under a deluge of bad press. ®