Our argument was that IObit detected, under the same names, fake malware files that we (1) built ourselves in-house, (2) never released to the Internet, and (3) added fake definitions for to our own database. We concluded that IObit must be stealing the definitions directly from our database. The indication of theft was not solely that they named some detections the same way -- at least not for real malware. Many vendors do that. However, since the fake malware name we made up ("Rogue.AVCleanSweepPro") does not actually exist anywhere in the wild, their use of it alone was a strong indication of theft.
Over the course of the following day IObit engaged in a concerted campaign to suppress the evidence we presented. First they deleted the forum post showing their detection of a Malwarebytes' Anti-Malware keygen under the same name "Don't.Steal.Our.Software.A" we use to detect such keygens. Then they were able to have the Google cache version of the same page removed. (Fortunately the Bing cache version is still live and we also have screenshots of the thread archived.)
Next, they edited their database to remove detection of the "trap" definitions we disclosed in our report. But these were only a few examples, only a small subset of the definitions they have stolen from us! And to our great surprise, they did not remove all the stolen definitions from their database. We have attached more examples below of stolen definitions still appearing in the current IObit database.
Lastly, IObit issued a statement flatly denying any database theft or wrongdoing. They offer two arguments to support this denial:
- They claim their database is constructed from anonymous Internet malware submissions. They claim furthermore that files like the fake files we created were submitted to them, named like we name malware, and that they included the submissions in their own database without changing the names.
While this is at least plausible (if not likely) for the case of the Malwarebytes' keygen they detected as "Don't.Steal.Our.Software.A", it does not explain how they obtained a submission of the fake file "rogue.exe" we manufactured in-house, never submitted anywhere, and named with a fake malware name "Rogue.AVCleanSweepPro" that does not appear anywhere in the wild.
IObit explained this as follows:
For example, rogue.exe has the same signature code with the malware “NOTSURE.dll” (VirusTotal). “NOTSURE.dll” was submitted by someone called “KXX” and described as “Rogue.AVCleanSweepPro” detected by Malwarebytes.
We invite you to search Google for "Rogue.AVCleanSweepPro" or just "AVCleanSweepPro". See if you can find a single place where anything called "Rogue.AVCleanSweepPro" was ever detected in the wild by Malwarebytes or anyone else. When we did this today, the only hits we got were for our own report yesterday and people talking about it. Before we published our report yesterday there was not a single hit on Google for either name. This malware name simply does not exist in reality. We made it up in-house. Only four members of Malwarebytes' management were privy to the information about the fake files and the fake names. Therefore, any suggestion that somehow someone submitted to IObit a piece of malware anyone detected anywhere as "Rogue.AVCleanSweepPro" is simply a lie.
As for "NOTSURE.dll" itself, all this suggests is that IObit manufactured a file that matches both our "Rogue.AVCleanSweepPro" fake signature and other vendors' Trojan.Pugolbho signatures. This is not hard if you have already stolen the signature: after all, we also manufactured a dummy file matching the same "Rogue.AVCleanSweepPro" signature, in order to attach it to yesterday's report. This does not prove any file was submitted to IObit over the Internet, under the name "Rogue.AVCleanSweepPro".
Attached are two more dummy files, "dummy1.exe" and "dummy2.exe", benign executables built in-house to match two of our database signatures for "Adware.NaviPromo" (screenshot). You can see on VirusTotal here and here that no other security vendors detect these dummies. You can also see here (log1, screenshot1, log2, screenshot2) that IObit does detect them still, using their current database, as the same "Adware.NaviPromo".
IObit will likely claim once again that they received these files as anonymous submissions and added them to their database using the Malwarebytes names either by negligence or by chance. It is true that "Adware.NaviPromo" is a name used by multiple vendors, unlike "Rogue.AVCleanSweepPro", which we fabricated in-house. But isn't it interesting then that no other security vendor detects these dummy files (or any of the other dummies we have manufactured)? Only a single signature was added to the dummy files to make them detectable by Malwarebytes and IObit, and no other security vendors. Are we to conclude that IObit received these files as anonymous submissions and then chose to add them to their database using exactly the same signatures as we use, purely by chance? If these were common or obvious signatures, presumably other security vendors would be using them too, and the dummies should be detected by other vendors as well. But clearly they are not. Nor is this an isolated case; it has been the pattern for every example we have posted. While we realize this is not 100%-conclusive proof on its own, we hope you will agree in the context of the stronger evidence we have presented (the "Rogue.AVCleanSweepPro" detection above) that it is more than a little suspicious.
- IObit claims they could not have copied our database because theirs is larger than ours, 4.6 MB compared to 3.1 MB. This argument does not hold water. First of all, each of our databases is compressed and we can't easily compare the sizes of the plaintext database contents. Second, and far more importantly, if IObit has stolen not only our database but also the databases of other security vendors, as we strongly suspect they have, then of course their database would be larger. We have presented evidence of theft to other security vendors, although we will leave it to them to disclose information to the public.
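As an added illustration of the trap-definition test described above (example code written for this page, not Malwarebytes' or IObit's engine; the byte patterns, vendor databases and dummy buffers are all constructed), here is a toy signature scanner in which a benign dummy file matches only one vendor's made-up definition, so any other database that flags the dummy under that name must contain the copied definition rather than an independently written one.

```python
import re

# Toy byte-pattern signature engine (constructed for illustration).
# Each definition is (detection name, regex over the raw file bytes).
SignatureDB = list[tuple[str, bytes]]

def scan(data: bytes, db: SignatureDB) -> list[str]:
    """Return the detection names whose byte pattern occurs in data."""
    return [name for name, pattern in db if re.search(pattern, data, re.DOTALL)]

# Vendor A's database: two ordinary definitions plus one "trap" definition
# with a made-up name and a byte sequence that no real malware contains.
TRAP_NAME = "Rogue.AVCleanSweepPro"
TRAP_LITERAL = b"AVCS\x00\x01\x02\x03trap"      # constructed, not a real signature
VENDOR_A_DB: SignatureDB = [
    ("Adware.NaviPromo", rb"NaviPromo.{0,16}Install"),
    ("Trojan.Example", rb"\xde\xad\xbe\xef\x00"),
    (TRAP_NAME, re.escape(TRAP_LITERAL)),
]

# Vendor B wrote its database independently: it may reuse public names such
# as Adware.NaviPromo, but its byte patterns differ and it knows no trap.
VENDOR_B_DB: SignatureDB = [
    ("Adware.NaviPromo", rb"NaviPromo/\d+\.\d+"),
    ("Trojan.Example", rb"\xde\xad\xbe\xef\x01"),
]

# Vendor C copied vendor A's definitions wholesale, names included.
VENDOR_C_DB: SignatureDB = list(VENDOR_A_DB)

def build_dummy(marker: bytes) -> bytes:
    """Embed one literal byte string in an otherwise inert buffer (a fake
    'executable' that does nothing; only the marker can trigger a match)."""
    return b"MZ" + b"\x00" * 62 + b"harmless padding " + marker + b"\x00" * 32

def trap_triggered(dummy: bytes, suspect_db: SignatureDB, trap_name: str) -> bool:
    """True if the suspect database detects the dummy under the trap name."""
    return trap_name in scan(dummy, suspect_db)
```

The same check applies to a public name such as "Adware.NaviPromo": a dummy carrying only vendor A's pattern is flagged by the copied database and not by the independently written one.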
Apparently IObit thought they could convince the community they had done no wrong. On the contrary, we have witnessed an outpouring of support for Malwarebytes and the hard work we put into our research and products, and we are humbled and thankful to everyone for it.
Original post: http://www.malwareby...showtopic=29772