IOBit’s Denial of Theft Unconvincing, IOBits piracy Options

[RubbeR DuckY]

Yesterday we presented evidence demonstrating that IObit is stealing and incorporating Malwarebytes' proprietary database and intellectual property into their software.

Our argument was that IObit detected, under the same names, fake malware files that we (1) built ourselves in-house, (2) never released to the Internet, and (3) added fake definitions for to our own database. We concluded that IObit must be stealing the definitions directly from our database. The indication of theft was not solely that they named some detections the same way -- at least not for real malware. Many vendors do that. However, since the fake malware name we made up ("Rogue.AVCleanSweepPro") does not actually exist anywhere in the wild, their use of it alone was a strong indication of theft.

Over the course of the following day IOBit engaged in a concerted campaign to suppress the evidence we presented. First they deleted the forum post showing their detection of a Malwarebytes' Anti-Malware keygen under the same name "Don't.Steal.Our.Software.A" we use to detect such keygens. Then they were able to have the Google cache version of the same page removed. (Fortunately the Bing cache version is still live and we also have screenshots of the thread archived.)

Next, they edited their database to remove detection of the "trap" definitions we disclosed in our report. But these were only a few examples, only a small subset of the definitions they have stolen from us! And to our great surprise, they did not remove all the stolen definitions from their database. We have attached more examples below of stolen definitions still appearing in the current IObit database.

Lastly, IObit issued a statement flatly denying any database theft or wrongdoing. They offer two arguments to support this denial:

1. They claim their database is constructed from anonymous Internet malware submissions. They claim furthermore that files like the fake files we created were submitted to them, named like we name malware, and that they included the submissions in their own database without changing the names.
   
   While this is at least plausible (if not likely) for the case of the Malwarebytes' keygen they detected as "Don't.Steal.Our.Software.A", it does not explain how they obtained a submission of the fake file "rogue.exe" we manufactured in-house, never submitted anywhere, and named with a fake malware name "Rogue.AVCleanSweepPro" that does not appear anywhere in the wild.
   
   IObit explained this as follows:
   
   

   For example, rogue.exe has the same signature code with the malware “NOTSURE.dll” (VirusTotal). “NOTSURE.dll” was submitted by someone called “KXX” and described as “Rogue.AVCleanSweepPro” detected by Malwarebytes.

   
   
   We invite you to search Google for "Rogue.AVCleanSweepPro" or just "AVCleanSweepPro". See if you can find a single place where anything called "Rogue.AVCleanSweepPro" was ever detected in the wild by Malwarebytes or anyone else. When we did this today, the only hits we got were for our own report yesterday and people talking about it. Before we published our report yesterday there was not a single hit on Google for either name. This malware name simply does not exist in reality. We made it up in-house. Only four members of Malwarebytes' management were privy to the information about the fake files and the fake names. Therefore, any suggestion that somehow someone submitted to IObit a piece of malware anyone detected anywhere as "Rogue.AVCleanSweepPro" is simply a lie.
   
   As for "NOTSURE.dll" itself, all this suggests is that IObit manufactured a file that matches both our "Rogue.AVCleanSweepPro" fake signature and other vendors' Trojan.Pugolbho signatures. This is not hard if you have already stolen the signature: after all, we also manufactured a dummy file matching the same "Rogue.AVCleanSweepPro" signature, in order to attach it to yesterday's report. This does not prove any file was submitted to IObit over the Internet, under the name "Rogue.AVCleanSweepPro".
   
   Attached are two more dummy files, "dummy1.exe" and "dummy2.exe", benign executables built in-house to match two of our database signatures for "Adware.NaviPromo" (screenshot). You can see on VirusTotal here and here that no other security vendors detect these dummies. You can also see here (log1, screenshot1, log2, screenshot2) that IObit does detect them still, using their current database, as the same "Adware.NaviPromo".
   
   IObit will likely claim once again that they received these files as anonymous submissions and added them to their database using the Malwarebytes names either by negligence or by chance. It is true that "Adware.NaviPromo" is a name used by multiple vendors, unlike "Rogue.AVCleanSweepPro", which we fabricated in-house. But isn't it interesting then that no other security vendor detects these dummy files (or any of the other dummies we have manufactured)? Only a single signature was added to the dummy files to make them detectable by Malwarebytes and IObit, and no other security vendors. Are we to conclude that IObit received these files as anonymous submissions and then chose to add them to their database using exactly the same signatures as we use, purely by chance? If these were common or obvious signatures, presumably other security vendors would be using them too, and the dummies should be detected by other vendors as well. But clearly they are not. Nor is this an isolated case; it has been the pattern for every example we have posted. While we realize this is not 100%-conclusive proof on its own, we hope you will agree in the context of the stronger evidence we have presented (the "Rogue.AVCleanSweepPro" detection above) that it is more than a little suspicious.
   
   
2. IObit claims they could not have copied our database because theirs is larger than ours, 4.6 MB compared to 3.1 MB. This argument does not hold water. First of all, each of our databases is compressed and we can't easily compare the sizes of the plaintext database contents. Second, and far more importantly, if IObit has stolen not only our database but also the databases of other security vendors, as we strongly suspect they have, then of course their database would be larger. We have presented evidence of theft to other security vendors, although we will leave it to them to disclose information to the public.

We have served CNET Download.com and MajorGeeks.com with infringement notifications under the United States Digital Millennium Copyright Act (DMCA). IObit software infringes Malwarebytes' copyright and intellectual property rights and we have requested it be removed (MajorGeeks.com has removed it already).

Apparently IObit thought they could convince the community they had done no wrong. On the contrary, we have witnessed an outpouring of support for Malwarebytes and the hard work we put into our research and products, and we are humbled and thankful to everyone for it.

[goldhound]

What a nasty and sleazy world is out there!
Well done Marcin and MBAM!

[Devanche Solanki]

Well thats an anti virus product for you. I think you guys should file a lawsuit since they can't fess up. Oh and also I wanna tell Download.com and softpedia.org and some other sites but I don't know how to email them please give me their email or someone explain to me how to do it thank you! IObit shoudle taken down for such theft hope they go broke.

[vladmir]

Never heard of the company before today. wow, you learn something new everyday.

[jeff davis]

I put up screenshots of Hijack.DisplayProperties being detected on both software. It is in fact a non malware detection. This instance occurs under Vista 64bit Windows Ultimate. See here

http://www.freeantivirushelp.com/blog/post...d-Download.aspx

[lavallie]

I am a news reporter, and have serious concerns about two things. First, the alleged theft of intellectual property from MalwareBytes by another company. Secondly, and maybe this is just my suspicious nature, could this company be involved in GENERATING malicious software?

It would seem plausible to me that a company that would steal another companies software, would also be involved in disassembling it and producing a super virus/infestation that would bypass the that software.

I welcome your comments.

Bill

[GT500]

... Secondly, and maybe this is just my suspicious nature, could this company be involved in GENERATING malicious software?

I am not aware of any information showing IOBit making or distributing malicious software (either openly or under the table).

Now it is interesting to note that McAfee considers some of their stuff to be spyware or "potentially unwanted software". It looks like the classification is based mainly on the toolbar that gets installed with a couple of the programs from IOBit, and the servers that the installer contacts, but I am not a researcher and thus could be wrong.

[lavallie]

I am not aware of any information showing IOBit making or distributing malicious software (either openly or under the table).

Now it is interesting to note that McAfee considers some of their stuff to be spyware or "potentially unwanted software". It looks like the classification is based mainly on the toolbar that gets installed with a couple of the programs from IOBit, and the servers that the installer contacts, but I am not a researcher and thus could be wrong.

Thanks GT, you have just confirmed that these folks maybe need serious observation..... Again, if they know HOW it works, then they know HOW it breaks!!!

Bill

[ShanOw]

I too am unconvinced by this counter arguement; but I also have a few questions lined up to play devils advocate.

1: If there program is build based on your database/db-structure, how is it that they got it to work with other A/V products, such as Trend Micro?
2: Why does there program scan significantly faster* - even when not scanning just executable or files below a certain size? Its reading the same database right?
3: How did they manage to create a portable version using your database when I've seen it claimed here before that it isn't do-able?

*I have been testing IOBit 360 for a few months.

[nosirrah]

I too am unconvinced by this counter arguement; but I also have a few questions lined up to play devils advocate.

1: If there program is build based on your database/db-structure, how is it that they got it to work with other A/V products, such as Trend Micro?
2: Why does there program scan significantly faster* - even when not scanning just executable or files below a certain size? Its reading the same database right?
3: How did they manage to create a portable version using your database when I've seen it claimed here before that it isn't do-able?

*I have been testing IOBit 360 for a few months.

1: You are confusing database and application . The two function together but are by far not the same thing . One interacts with malware and the other interacts with the OS and other applications . Think of open office and MS office . Both can open and work with xls docs but are very different apps from very different companies .

2: Again , you are confusing application with database . You can take code that does identical things and code it twice , once as some form of interpreted language and again as pure assembly . Obviously they will function at very different speeds even though the function is identical .

3: Again , you are confusing application with database . There are no database changes that either company can make that will in any way effect the ability to become a portable application .


I think you are missing the obvious point here , if all you have to do is create an application because the database is coming from outside sources it stands to reason that you can put an disproportional amount of resources into the code .

[ShanOw]

Thankyou for clearing up those point, but I have one further questions.

How did they create an application that reads YOUR database faster than YOUR program can? [metaphor]It seems logical to me that the person who wrote a book would be able to understand the story better (faster) than the person who simply bought (stole) the book.

[ShanOw]

**You really need an "edit" button to stop double posting.

Just realized your final sentence clears this up. Oops and sorry - I hope you like my snazzy metaphor anyway.

[nosirrah]

Thankyou for clearing up those point, but I have one further questions.

How did they create an application that reads YOUR database faster than YOUR program can? [metaphor]It seems logical to me that the person who wrote a book would be able to understand the story better (faster) than the person who simply bought (stole) the book.

Reading the database has nothing to do with the scanner . Open both apps , as soon as you see the GUI the database in already read so once the scanner starts reading the database is long over . There is also technology in our database they have not copied as their application is unable to use this technology and thus these blocks were not copied . We knew this long before they fell into our traps as they were missing some malware that we hit with our most advanced technology .

[ddpkts]

Guys,

compare this: http://db.iobit.com/deal/sdsubmit/index.php vs http://www.spywarevoid.com
IObit has stolen the design from spywarevoid! I know, cause it was made by my web designer and I personally coded that blog.

Now I truly believe, they're thiefs.

[S!Ri]

Guys,

compare this: http://db.iobit.com/deal/sdsubmit/index.php vs http://www.spywarevoid.com
IObit has stolen the design from spywarevoid! I know, cause it was made by my web designer and I personally coded that blog.

Now I truly believe, they're thiefs.

spywarevoid, huhu
http://siri-urz.blogspot.com/2009/10/secur...fake-rogue.html

PS I know this has nothing to do with iobit, and it's my point of view of spywarevoid, not the MBAM team.

[ddpkts]

spywarevoid, huhu
http://siri-urz.blogspot.com/2009/10/secur...fake-rogue.html

PS I know this has nothing to do with iobit, and it's my point of view of spywarevoid, not the MBAM team.

S!Ri,
I know your opinion about that blog but I'm not about it, I'm about iobit

[mbyuser]

my HOSTS file blocks this site;

hxxp://www.spywarevoid.com

bit off base,still the links live,wouldnt it be best to de-link that live link.

[Blaze]

Nicely written Marcin, it is stunning they just integrated MBAM's whole database into their product (correct me if I'm wrong)

Also, you stated that they possibly stole other (parts of) databases of security vendors, may you provide us with the names of these other 'victims' ?

I agree on all what is written here, and I admire the way you guys are standing strong to this.

[Tweene]

Hello


I was surprised to read something like this from a "security enterprise", no comment

[formerIobitUser]

check out this on Iobit form it gets better

Here