Malwarebytes


> IOBit’s Denial of Theft Unconvincing, IOBits piracy
RubbeR DuckY
post Nov 4 2009, 12:11 AM
Post #1


Marcin



Yesterday we presented evidence demonstrating that IObit is stealing and incorporating Malwarebytes' proprietary database and intellectual property into their software.

Our argument was that IObit detected, under the same names, fake malware files that we (1) built ourselves in-house, (2) never released to the Internet, and (3) added fake definitions for to our own database. We concluded that IObit must be stealing the definitions directly from our database. The indication of theft was not solely that they named some detections the same way -- at least not for real malware. Many vendors do that. However, since the fake malware name we made up ("Rogue.AVCleanSweepPro") does not actually exist anywhere in the wild, their use of it alone was a strong indication of theft.

Over the course of the following day IOBit engaged in a concerted campaign to suppress the evidence we presented. First they deleted the forum post showing their detection of a Malwarebytes' Anti-Malware keygen under the same name "Don't.Steal.Our.Software.A" we use to detect such keygens. Then they were able to have the Google cache version of the same page removed. (Fortunately the Bing cache version is still live and we also have screenshots of the thread archived.)

Next, they edited their database to remove detection of the "trap" definitions we disclosed in our report. But these were only a few examples, only a small subset of the definitions they have stolen from us! And to our great surprise, they did not remove all the stolen definitions from their database. We have attached more examples below of stolen definitions still appearing in the current IObit database.

Lastly, IObit issued a statement flatly denying any database theft or wrongdoing. They offer two arguments to support this denial:

  1. They claim their database is constructed from anonymous Internet malware submissions. They claim furthermore that files like the fake files we created were submitted to them, named like we name malware, and that they included the submissions in their own database without changing the names.

    While this is at least plausible (if not likely) for the case of the Malwarebytes' keygen they detected as "Don't.Steal.Our.Software.A", it does not explain how they obtained a submission of the fake file "rogue.exe" we manufactured in-house, never submitted anywhere, and named with a fake malware name "Rogue.AVCleanSweepPro" that does not appear anywhere in the wild.

    IObit explained this as follows:

    QUOTE
    For example, rogue.exe has the same signature code with the malware “NOTSURE.dll” (VirusTotal). “NOTSURE.dll” was submitted by someone called “KXX” and described as “Rogue.AVCleanSweepPro” detected by Malwarebytes.


    We invite you to search Google for "Rogue.AVCleanSweepPro" or just "AVCleanSweepPro". See if you can find a single place where anything called "Rogue.AVCleanSweepPro" was ever detected in the wild by Malwarebytes or anyone else. When we did this today, the only hits we got were for our own report yesterday and people talking about it. Before we published our report yesterday there was not a single hit on Google for either name. This malware name simply does not exist in reality. We made it up in-house. Only four members of Malwarebytes' management were privy to the information about the fake files and the fake names. Therefore, any suggestion that somehow someone submitted to IObit a piece of malware anyone detected anywhere as "Rogue.AVCleanSweepPro" is simply a lie.

    As for "NOTSURE.dll" itself, all this suggests is that IObit manufactured a file that matches both our "Rogue.AVCleanSweepPro" fake signature and other vendors' Trojan.Pugolbho signatures. This is not hard if you have already stolen the signature: after all, we also manufactured a dummy file matching the same "Rogue.AVCleanSweepPro" signature, in order to attach it to yesterday's report. This does not prove any file was submitted to IObit over the Internet, under the name "Rogue.AVCleanSweepPro".

    Attached are two more dummy files, "dummy1.exe" and "dummy2.exe", benign executables built in-house to match two of our database signatures for "Adware.NaviPromo" (screenshot). You can see on VirusTotal here and here that no other security vendors detect these dummies. You can also see here (log1, screenshot1, log2, screenshot2) that IObit does detect them still, using their current database, as the same "Adware.NaviPromo".

    IObit will likely claim once again that they received these files as anonymous submissions and added them to their database using the Malwarebytes names either by negligence or by chance. It is true that "Adware.NaviPromo" is a name used by multiple vendors, unlike "Rogue.AVCleanSweepPro", which we fabricated in-house. But isn't it interesting then that no other security vendor detects these dummy files (or any of the other dummies we have manufactured)? Only a single signature was added to the dummy files to make them detectable by Malwarebytes and IObit, and no other security vendors. Are we to conclude that IObit received these files as anonymous submissions and then chose to add them to their database using exactly the same signatures as we use, purely by chance? If these were common or obvious signatures, presumably other security vendors would be using them too, and the dummies should be detected by other vendors as well. But clearly they are not. Nor is this an isolated case; it has been the pattern for every example we have posted. While we realize this is not 100%-conclusive proof on its own, we hope you will agree in the context of the stronger evidence we have presented (the "Rogue.AVCleanSweepPro" detection above) that it is more than a little suspicious.

  2. IObit claims they could not have copied our database because theirs is larger than ours, 4.6 MB compared to 3.1 MB. This argument does not hold water. First of all, each of our databases is compressed and we can't easily compare the sizes of the plaintext database contents. Second, and far more importantly, if IObit has stolen not only our database but also the databases of other security vendors, as we strongly suspect they have, then of course their database would be larger. We have presented evidence of theft to other security vendors, although we will leave it to them to disclose information to the public.

We have served CNET Download.com and MajorGeeks.com with infringement notifications under the United States Digital Millennium Copyright Act (DMCA). IObit software infringes Malwarebytes' copyright and intellectual property rights and we have requested it be removed (MajorGeeks.com has removed it already).

Apparently IObit thought they could convince the community they had done no wrong. On the contrary, we have witnessed an outpouring of support for Malwarebytes and the hard work we put into our research and products, and we are humbled and thankful to everyone for it.


--------------------
Marcin Kleczynski
President and CEO
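
The trap-definition reasoning in the post above, sketched as an added example (not part of the original post and not Malwarebytes' tooling): it grades third-party scanners by whether they detect in-house canary files under the planted names. The file and detection names come from the post; the vendor labels, the scan results and the `audit` function are constructed for illustration, and the owner's own product is assumed to be left out of the results.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Canary:
    filename: str         # benign file built in-house
    planted_name: str     # detection name planted in the owner's database
    name_is_unique: bool  # True if the name was invented and never published

# File and detection names are the ones the post gives.
CANARIES = [
    Canary("rogue.exe", "Rogue.AVCleanSweepPro", True),
    Canary("dummy1.exe", "Adware.NaviPromo", False),
    Canary("dummy2.exe", "Adware.NaviPromo", False),
]

# Constructed multi-scanner results: vendor -> {filename: detection or None}.
SCAN_RESULTS = {
    "VendorA": {"rogue.exe": "Rogue.AVCleanSweepPro",
                "dummy1.exe": "Adware.NaviPromo",
                "dummy2.exe": "Adware.NaviPromo"},
    "VendorB": {"rogue.exe": None, "dummy1.exe": None, "dummy2.exe": None},
    "VendorC": {"rogue.exe": None, "dummy1.exe": "Generic.Suspicious",
                "dummy2.exe": None},
}

def audit(canaries, results):
    """Grade each scanned vendor as 'strong', 'suggestive' or 'none'."""
    findings = {}
    for vendor, detections in results.items():
        hits = []
        for c in canaries:
            name = detections.get(c.filename)
            if not name or name.casefold() != c.planted_name.casefold():
                continue  # not detected, or detected under another name
            # Other vendors flagging the same benign file weaken the signal.
            others = sum(1 for v, d in results.items()
                         if v != vendor and d.get(c.filename))
            if c.name_is_unique:
                hits.append((c.filename, "strong"))
            elif others == 0:
                hits.append((c.filename, "suggestive"))
        grades = {g for _, g in hits}
        grade = ("strong" if "strong" in grades
                 else "suggestive" if "suggestive" in grades else "none")
        findings[vendor] = (grade, hits)
    return findings

if __name__ == "__main__":
    for vendor, (grade, hits) in audit(CANARIES, SCAN_RESULTS).items():
        print(vendor, grade, hits)
```

A match on a shared name such as "Adware.NaviPromo" counts only as suggestive, and only while no other vendor flags the same dummy file, which mirrors the post's own distinction between its stronger and weaker evidence.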


