August 14, 2015
The abracadabra of anonymous sources.
Who killed JFK?
Who’s controlling the Bermuda Triangle?
What’s the Freemasons’ objective?
Easy! For it turns out that answers to these questions couldn’t be more straightforward. All you have to do is add: ‘according to information from anonymous sources’, and voila! — there’s your answer — to any question, about anything, or anyone. And the answers are all the more credible – not because of their… credibility – but because of the level of prestige commonly ascribed to the particular media outlet that broke the story.
note to self: when I publish my next APT report, I'll make sure to quote at least two anonymous sources, for added credibility.
— Stefan Tanase (@stefant) August 14, 2015
Just recently, Reuters got a ‘world exclusive’ of jaw-dropping proportions in the antivirus world. The article, filled with sensational – false – allegations, claims that Kaspersky Lab (KL) creates very specific, targeted malware and distributes it anonymously to other anti-malware competitors, with the sole purpose of causing serious trouble for them and harming their market share. Oh yes. But they forgot to add that we conjure all this up during steamy banya sessions, after parking the bears we ride outside.
I don’t usually read @reuters. But when I do, I see false positives. For the record: this story is a complete BS: https://t.co/m0Rcy2Vm6Y
— Eugene Kaspersky (@e_kaspersky) August 14, 2015
The Reuters story is based on information provided by anonymous former KL employees. And the accusations are complete nonsense, pure and simple.
Disgruntled ex-employees often say nasty things about their former employers, but in this case, the lies are just ludicrous. Maybe these sources managed to impress the journalist, but in my view publishing such an ‘exclusive’ – WITHOUT A SHRED OF EVIDENCE – is not what I understand to be good journalism. I’m just curious to see what these ‘ex-employees’ tell the media next time about us, and who might believe their BS.
The reality is that the Reuters story is a conflation of a number of facts with a generous amount of pure fiction.
To be honest: it's quite annoying all these insinuating stories about Kaspersky. Haven't seen any solid evidence nor trustworthy sources.
— Rickey Gevers (@UID_) August 14, 2015
In 2012-2013, the anti-malware industry suffered badly because of serious problems with false positives. And unfortunately, we were among the companies badly affected. It turned out to be a coordinated attack on the industry: someone was spreading legitimate software laced with malicious code targeting specifically the antivirus engines of many companies, including KL. It remains a mystery who staged the attack, but now I’m being told it was me! I sure didn’t see that one coming, and am totally surprised by this baseless accusation!
Here’s how it happened: in November 2012 our products produced false positives on several files that were in fact legitimate. These were the Steam client, Mail.ru game center, and QQ client. An internal investigation showed that these incidents occurred as the result of a coordinated attack by an unknown third party.
For several months prior to the incidents, through intra-industry information-exchange channels such as the VirusTotal website, our anti-malware research lab repeatedly received numerous slightly modified legitimate files of Steam, Mail.ru and QQ. The creator(s) of these files added pieces of malicious code to them.
@DavisSec –> I agree. @e_kaspersky is very enthusiastic about #cybersecurity, but an industry saboteur seems unlikely. cc:@josephmenn
— John Bumgarner (@JohnBumgarner) August 14, 2015
Later we came to the conclusion that the attackers might have had prior knowledge of how different companies’ detection algorithms work and injected the malicious code precisely in a place where auto systems would search for it.
These newly received modified files were evaluated as malicious and stored in our databases. In total, we received several dozen legitimate files containing malicious code.
False positives started to appear once the legitimate owners of the files released updated versions of their software. The system compared the files to the malware database – which contained very similar files – and deemed the legitimate files malicious. After that, we upgraded our detection algorithms to avoid such detections.
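As an added illustration (not Kaspersky Lab's code, and not a description of how its engine or its later fix actually worked), the following Python models the mechanism described in the preceding paragraphs: a similarity-based detector learns a poisoned sample (a legitimate file with a small insertion) and then flags the next legitimate release of the same program. The hardened variant, which stores only the shingles that do not occur in a known-clean file collection and refuses samples that are indistinguishable from clean software, is one hypothetical mitigation chosen for this example. The files, the marker bytes standing in for injected code, and the detection name are all constructed inline.

```python
"""Toy model of a poisoned-sample campaign turning into false positives.

Added illustration only: not any vendor's engine. Files, the 'malicious'
marker and the detection name are constructed for the example.
"""
import random
from typing import Dict, Optional, Set

WINDOW = 8  # byte n-gram size used for shingling


def shingles(data: bytes) -> Set[bytes]:
    """Sliding-window byte n-grams. An insertion only disturbs the windows
    that overlap it, so near-identical files share most of their shingles."""
    return {data[i:i + WINDOW] for i in range(len(data) - WINDOW + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class NaiveEngine:
    """Flags any file whose shingle set is similar enough to a stored sample,
    with no notion of which parts of the sample were actually malicious."""

    def __init__(self, threshold: float = 0.7) -> None:
        self.threshold = threshold
        self.malware: Dict[str, Set[bytes]] = {}

    def learn_malicious(self, name: str, sample: bytes) -> None:
        self.malware[name] = shingles(sample)

    def scan(self, data: bytes) -> Optional[str]:
        s = shingles(data)
        for name, sig in self.malware.items():
            if jaccard(s, sig) >= self.threshold:
                return name
        return None


class HardenedEngine:
    """Hypothetical mitigation: keep only the shingles that are absent from
    known-clean software, and refuse samples that have too few of them."""

    def __init__(self, min_distinct: int = 8, hit_ratio: float = 0.5) -> None:
        self.min_distinct = min_distinct
        self.hit_ratio = hit_ratio
        self.clean: Set[bytes] = set()
        self.malware: Dict[str, Set[bytes]] = {}

    def learn_clean(self, data: bytes) -> None:
        self.clean |= shingles(data)

    def learn_malicious(self, name: str, sample: bytes) -> bool:
        distinctive = shingles(sample) - self.clean
        if len(distinctive) < self.min_distinct:
            return False  # nothing to detect on beyond legitimate code
        self.malware[name] = distinctive
        return True

    def scan(self, data: bytes) -> Optional[str]:
        s = shingles(data)
        for name, sig in self.malware.items():
            if len(s & sig) / len(sig) >= self.hit_ratio:
                return name
        return None


def build_samples() -> Dict[str, bytes]:
    """Constructed files: a v1 client, a poisoned copy of it, and a legitimate
    v1.1 release that differs from v1 only by a version string and a small patch."""
    rng = random.Random(2012)
    body = bytes(rng.getrandbits(8) for _ in range(2000))
    v1 = b"CLIENT version=1.0\x00" + body
    marker = b"<<CONSTRUCTED-MALICIOUS-MARKER>>" * 4  # stands in for injected code
    mid = len(v1) // 2
    poisoned = v1[:mid] + marker + v1[mid:]
    patch = bytes(rng.getrandbits(8) for _ in range(40))  # a routine code change
    v11 = b"CLIENT version=1.1\x00" + body[:500] + patch + body[540:]
    return {"v1": v1, "poisoned": poisoned, "v1.1": v11}


def run_scenario() -> Dict[str, object]:
    f = build_samples()
    naive = NaiveEngine()
    naive.learn_malicious("Trojan.Poisoned", f["poisoned"])
    hardened = HardenedEngine()
    hardened.learn_clean(f["v1"])  # the clean-file collection already holds v1
    hardened.learn_malicious("Trojan.Poisoned", f["poisoned"])
    return {
        "similarity_v11_to_poisoned": jaccard(shingles(f["v1.1"]), naive.malware["Trojan.Poisoned"]),
        "naive_on_poisoned": naive.scan(f["poisoned"]),
        "naive_on_next_release": naive.scan(f["v1.1"]),  # the false positive
        "hardened_on_poisoned": hardened.scan(f["poisoned"]),
        "hardened_on_next_release": hardened.scan(f["v1.1"]),
        "hardened_accepts_clean_as_malware": hardened.learn_malicious("Bogus", f["v1"]),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The naive engine stores the whole poisoned file, so the legitimate v1.1 release, which shares nearly all of its bytes with the poisoned v1, clears the similarity threshold and is flagged. The hardened engine strips everything already present in the clean collection before storing a signature, so only the inserted marker remains detectable and the next release is not matched; it also refuses to add a sample that is nothing but known-clean code, which is where a poisoned submission with a very small insertion would be caught for manual review.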
Meanwhile the attacks continued through 2013 and we continued to receive modified legitimate files. We also became aware that our company was not the only one targeted by this attack: other industry players received these files as well and mistakenly detected them.
@davidu @josephmenn @e_kaspersky Vikram @symantec has stated they deeply investigated the FP issue in '13 and findings != K
— Christopher M Davis (@DavisSec) August 14, 2015
In 2013 there was a closed-door meeting among leading cybersecurity and other software industry players that also suffered from the attack – as well as vendors that were not affected by the problem but were aware of it. During that meeting the participants exchanged information about the incidents, tried to figure out the reasons behind them, and worked on an action plan. Unfortunately no breakthrough occurred, though some interesting theories regarding attribution were expressed. In particular, the participants of the meeting considered that some other AV vendor could be behind the attack, or that the attack was an attempt by an unknown but powerful malicious actor to adjust its malware in order to avoid detection by key AV products.
We had investigated these attacks but could not find out who was behind them. We had some suspects, Kaspersky was not one of them.
— Liam O'Murchu (@liam_omurchu) August 14, 2015
Accusations such as these are nothing new. As far back as the late nineties I’d take with me to press conferences a placard with the word ‘No!’ on it. It saved me so much time. I’d just point to it when every third question was: “Do you write viruses yourselves, for your product to then ‘cure’ the infections?” Oh yeah. Sure. And still today I get asked the same all the time. Do they really think an 18+ year-old business built 100% on trust would be doing such things?
I really like @josephmenn but I am having a hard time with this @e_kaspersky story. I simply can't see them doing that.
— Christopher M Davis (@DavisSec) August 14, 2015
It seems some folks just prefer to presume guilt until innocence is proven. I guess there’ll always be folks like that. C’est la vie. But I really do hope that people will see through these anonymous, silly and groundless accusations… What I can say for sure is that we’ll continue working very closely with the industry to make the digital world safer, and that our commitment and resolve to expose cyberthreats regardless of their source or origin won’t waver.