Malwarebytes

> IOBit Steals Malwarebytes' Intellectual Property
RubbeR DuckY
post Nov 2 2009, 07:59 PM
Post #1


Marcin
******

Group: Root Admin
Posts: 4,212
Joined: 15-October 05
Member No.: 1



Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an in-depth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums (cached version, since they have now deleted the original) that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes' Anti-Malware software using the exact naming scheme we use to flag such keygens: Don't.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes' Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit's theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This "malware" does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can't publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don't want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file, "dummy.exe". It is a harmless dummy executable that runs, displays a "Hello World" message box, and exits. You can see from third-party scans on VirusTotal, that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! -- the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes' Anti-Malware software and indeed it was flagged as "Don't.Steal.Our.Software.A". We scanned it with IOBit using their current build and database version and it was flagged as the same "Don't.Steal.Our.Software.A". We have included their log file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, "rogue.exe", matches our fake Rogue.AVCleanSweepPro (screenshot) definition, the other "fake.exe", matches an Adware.NaviPromo definition (screenshot). VirusTotal results for "fake.exe" and "rogue.exe" so you can see they are benign. You can see a screenshot of our detections here.

During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes' proprietary research and database from their software. We also demand IOBit be delisted from Download.com due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed.


--------------------
Marcin Kleczynski
Malwarebytes President and CEO
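
The check described in the post above (a third-party product reporting detection names that exist only in your own database) can be automated over scan logs. This is an added example, not part of the original post and not Malwarebytes' tooling; the function names, the 0.9 similarity threshold and the second and third sample log lines are assumptions.

```python
import re
from difflib import SequenceMatcher

# Detection names taken from the post: the fictitious trap definition and
# the vendor-specific keygen name.
MARKER_NAMES = ["Rogue.AVCleanSweepPro", "Don't.Steal.Our.Software.A"]

# First line is the log line quoted in the post; the other two are
# constructed sample lines (paths and ids are made up).
SAMPLE_LOG = r"""
Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes' Anti-Malware v1.39\Key_Generator.exe, 9-30501
Rogue.AVCleanSweepPro, File, C:\lab\rogue.exe, 0-00001
Trojan.Generic.Example, File, C:\lab\a, b\other.exe, 0-00002
""".strip().splitlines()


def normalize(name):
    """Lowercase and drop punctuation so Don't/Dont compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_line(line):
    """Split 'Name, Type, Path, Id'; the path may itself contain ', '."""
    name, rest = line.split(", ", 1)
    kind, rest = rest.split(", ", 1)
    path, ident = rest.rsplit(", ", 1)
    return {"name": name, "kind": kind, "path": path, "id": ident}


def marker_hits(lines, markers=MARKER_NAMES, threshold=0.9):
    """Return (reported name, marker, score) for exact or near-exact matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        for marker in markers:
            score = SequenceMatcher(
                None, normalize(rec["name"]), normalize(marker)).ratio()
            if score >= threshold:
                hits.append((rec["name"], marker, round(score, 2)))
    return hits


if __name__ == "__main__":
    for reported, marker, score in marker_hits(SAMPLE_LOG):
        print(f"{reported!r} matches marker {marker!r} (similarity {score})")
```

The near-match threshold covers the "almost exactly these fake names" case from the post, such as a dropped apostrophe or a trimmed suffix.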



pcvirologist
post Nov 2 2009, 08:32 PM
Post #2


New Member
*

Group: Members
Posts: 5
Joined: 19-October 09
From: Florida
Member No.: 22,561



Download.com and Majorgeeks.com have been e-mailed by us to remove IOBit software.
cnm
post Nov 2 2009, 08:49 PM
Post #3


New Member
*

Group: Experts
Posts: 11
Joined: 2-September 08
Member No.: 3,615



Done. But -- how did they get your database? Isn't it protected?
noblelord
post Nov 2 2009, 08:50 PM
Post #4


New Member
*

Group: Members
Posts: 1
Joined: 2-September 09
Member No.: 19,034



I have un-installed - most disturbing news indeed.

McAfee SiteAdvisor is also flagging iobit.com as red at the moment I notice, but I suspect this is an FP.
nosirrah
post Nov 2 2009, 08:51 PM
Post #5


Forum Deity
******

Group: Administrators
Posts: 6,230
Joined: 30-December 06
From: Northampton, MA USA
Member No.: 884



QUOTE
Done. But -- how did they get your database? Isn't it protected?



We can't prevent the database from being accessed. We can make it tough but if we made it impossible, our app wouldn't be able to read it!


--------------------
Bruce Harrison
Malwarebytes VP of Research



B-boy/StyLe/
post Nov 2 2009, 09:05 PM
Post #6


True Member
****

Group: Malware Hunters
Posts: 285
Joined: 10-June 08
Member No.: 2,584



If it's true, WHAT A SHAME ON THEM...


nosirrah
post Nov 2 2009, 09:11 PM
Post #7


Forum Deity
******

Group: Administrators
Posts: 6,230
Joined: 30-December 06
From: Northampton, MA USA
Member No.: 884



QUOTE (B-boy/StyLe/ @ Nov 2 2009, 04:05 PM) *
If it's true, WHAT A SHAME ON THEM...



"If" goes out the window when you add traps and then they fall into them. Fictitious defs that target internal use files, how on earth could they ever have them in their defs without theft?

It would be very foolish of us to blog this if we were not 100% sure.


--------------------
Bruce Harrison
Malwarebytes VP of Research



Swandog46
post Nov 2 2009, 09:14 PM
Post #8


Elite Member
*****

Group: Administrators
Posts: 1,438
Joined: 13-May 08
Member No.: 2,440



QUOTE (cnm)
But -- how did they get your database? Isn't it protected?

cnm, I assume they reverse-engineered it. While illegal and certainly technically non-trivial, it is not impossible, especially for someone skilled.


--------------------
Doug Swanson
Malwarebytes VP of Development



Nexus6
post Nov 2 2009, 09:19 PM
Post #9


New Member
*

Group: Members
Posts: 1
Joined: 2-November 09
From: Off World Colonies
Member No.: 23,871



Wow, just installed that too, well let me find the uninstall button!!
Falkra
post Nov 2 2009, 09:30 PM
Post #10


True Member
****

Group: Experts
Posts: 441
Joined: 10-September 08
From: France
Member No.: 3,902



Can we help Malwarebytes ? If so, how ?
Kikesan
post Nov 2 2009, 09:30 PM
Post #11


Regular Member
**

Group: Honorary Members
Posts: 54
Joined: 15-July 09
From: Chiapas, Mexico
Member No.: 15,968



Some people posted this information at IOBit forums, but they remove the threads ¬¬
Let's wait for their response to this fact.


--------------------
Sorry for my english ;)
If my files are password-protected try with "123" (without quotes)

-Kaspersky Gold Beta Tester-
In training at Spywareinfoforum.com 's Boot Camp
Swandog46
post Nov 2 2009, 09:32 PM
Post #12


Elite Member
*****

Group: Administrators
Posts: 1,438
Joined: 13-May 08
Member No.: 2,440



QUOTE (Falkra)
Can we help Malwarebytes ? If so, how ?

Falkra, as we said above:

"What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed."

EDIT: I also see IOBit hosted at Softpedia and Brothersoft.com, you could inform them too.

This post has been edited by Swandog46: Nov 2 2009, 09:34 PM


--------------------
Doug Swanson
Malwarebytes VP of Development



Falkra
post Nov 2 2009, 09:35 PM
Post #13


True Member
****

Group: Experts
Posts: 441
Joined: 10-September 08
From: France
Member No.: 3,902



This has been done (and WOT rankings). Can we blog about this, pointing to the first post?
elohelomg
post Nov 2 2009, 09:36 PM
Post #14


New Member
*

Group: Members
Posts: 4
Joined: 2-November 09
Member No.: 23,877



I would ask, for my sake, if you guys are SURE. By sure, I mean WITHOUT ANY DOUBT in your mind, and if that were the case, then by all means, take necessary countermeasures.

But I would ask, and urge you guys to hold back on attacks and wait for IOBIT to give their reasoning, or attempt to explain the situation. Because if they do have an explanation, and if it IS a valid one, then MBAM's name becomes somewhat stained. So PLEASE, wait for their response, that's all I ask.
Swandog46
post Nov 2 2009, 09:37 PM
Post #15


Elite Member
*****

Group: Administrators
Posts: 1,438
Joined: 13-May 08
Member No.: 2,440



@Falkra

Yes, you may indeed publicize this abuse of our intellectual property -- but please link to either our blog post or this forum post (or both):

http://malwarebytes.besttechie.net/2009/11...ctual-property/
http://www.malwarebytes.org/forums/index.php?showtopic=29681


--------------------
Doug Swanson
Malwarebytes VP of Development



roddy32
post Nov 2 2009, 09:38 PM
Post #16


New Member
*

Group: Experts
Posts: 41
Joined: 10-February 07
From: Kansas, USA
Member No.: 1,034



I just e-mailed Lee Koo at CNET about this. He does not run download.com but he runs the forums and I am sure he will let whoever needs to know about this.


--------------------
Log'n'Rock Computer Security

CNET Virus and Securities Forum Moderator

Microsoft MVP Consumer Security 2006-2009

Proud member of ASAP

Falkra
post Nov 2 2009, 09:39 PM
Post #17


True Member
****

Group: Experts
Posts: 441
Joined: 10-September 08
From: France
Member No.: 3,902



QUOTE (Swandog46 @ Nov 2 2009, 10:37 PM) *
@Falkra

Yes, you may indeed publicize this abuse of our intellectual property -- but please link to either our blog post or this forum post (or both):

http://malwarebytes.besttechie.net/2009/11...ctual-property/
http://www.malwarebytes.org/forums/index.php?showtopic=29681


Ok, this is why I asked, to make sure I do it correctly, pointing to the good public documents.
I'll blog about this and spread the word. Only facts ("this" has been posted "there").

Thank you Swandog46.
Swandog46
post Nov 2 2009, 09:42 PM
Post #18


Elite Member
*****

Group: Administrators
Posts: 1,438
Joined: 13-May 08
Member No.: 2,440



QUOTE (elohelomg)
I would ask, for my sake, if you guys are SURE. By sure, I mean WITHOUT ANY DOUBT in your mind, and if that were the case, then by all means, take necessary countermeasures.


We are 100% sure. We stand fully behind the research and conclusions in our blog/forum post above. We conducted this investigation thoroughly over a period of weeks until we were 100% sure of everything we wrote above. These were not statements we made lightly.

Believe me, we were as incredulous at first as we know many of you might be now. But facts are irrefutable. Try it for yourself: we gave you all the links and evidence you will need in the post above. Tell us if you disagree with our conclusions.


--------------------
Doug Swanson
Malwarebytes VP of Development



elohelomg
post Nov 2 2009, 09:45 PM
Post #19


New Member
*

Group: Members
Posts: 4
Joined: 2-November 09
Member No.: 23,877



I just don't condone the idea of bashing a software's name, without at least hearing their side of a story. But like I said, if you guys are 100% sure, I cannot suggest anything else. I can only ask that you hear their side of the story.

Swandog46
post Nov 2 2009, 09:49 PM
Post #20


Elite Member
*****

Group: Administrators
Posts: 1,438
Joined: 13-May 08
Member No.: 2,440



They stole our intellectual property. If they have a cogent explanation for this, I would like to hear it.


--------------------
Doug Swanson
Malwarebytes VP of Development




 



Lo-Fi Version Time is now: 9th February 2010 - 02:00 AM ()