Two employees have told Reuters that a secret campaign targeted Microsoft, AVG, Avast Software and others, fooling some of them into deleting or disabling important files on their customers’ PCs.
Some of the attacks were ordered by Kaspersky Lab’s co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology.
Kaspersky Lab has strongly denied that it had tricked competitors into categorising clean files as malicious, so-called false positives, and said that such actions were “unethical, dishonest and their legality is at least questionable”.
However, Microsoft, AVG and Avast have previously said that unknown parties had tried to induce false positives in recent years, although they had no comment when Reuters alleged it was Kaspersky.
The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky’s selection of competitors to sabotage.
“It was decided to provide some problems” for rivals, said one ex-employee. “It is not only damaging for a competing company but also damaging for users’ computers.”
Kaspersky’s team is alleged to have reverse-engineered competitors’ virus detection software to figure out how to fool it into flagging good files as malicious.
This was made easier by the fact that security companies were sharing more information with each other, industry experts said. They licensed each other’s virus-detection engines, swapped malware, and sent suspicious files to third-party aggregators like VirusTotal.
The collaboration also allowed companies to borrow heavily from each other’s work instead of finding bad files on their own, it’s alleged.
In one alleged technique, Kaspersky’s engineers would take an important piece of software commonly found on PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.
Then, when competitors ran the file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was stuffed.
Kaspersky denied using this technique and said that it had been a victim of such an attack in November 2012, when an “unknown third party” manipulated Kaspersky into misclassifying files from Tencent, Mail.ru and the Steam gaming platform as malicious.
The former Kaspersky employees said Microsoft was one of the rivals that was targeted because many smaller security companies followed the Vole’s lead in detecting malicious files.