Jump to content

IOBit Steals Malwarebytes' Intellectual Property


Recommended Posts

  • Root Admin

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an indepth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums (cached version, since they have now deleted the original) that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes' Anti-Malware software using the exact naming scheme we use to flag such keygens: Don't.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes' Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit's theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This "malware" does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can't publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don't want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file, "dummy.exe". It is a harmless dummy executable that runs, displays a "Hello World" message box, and exits. You can see from third-party scans on VirusTotal, that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! -- the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes' Anti-Malware software and indeed it was flagged as "Don't.Steal.Our.Software.A". We scanned it with IOBit using their current build and database version and it was flagged as the same "Don't.Steal.Our.Software.A". We have included their log file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, "rogue.exe", matches our fake Rogue.AVCleanSweepPro (screenshot) definition, the other "fake.exe", matches an Adware.NaviPromo definition (screenshot). VirusTotal results for "fake.exe" and "rogue.exe" so you can see they are benign. You can see a screenshot of our detections here.

During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes' proprietary research and database from their software. We also demand IOBit be delisted from Download.com due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed.

  • Like 1
Link to post
If it's true, WHAT A SHAME ON THEM... ;)

"If" goes out the window when you add traps and then they fall into them . Fictitious defs that target internal use files , how on earth could they ever have them in their defs without theft ?

It would be very foolish of us to blog this if we we were not 100% sure .

Link to post
Can we help Malwarebytes ? If so, how ?

Falkra, as we said above:

"What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed."

EDIT: I also see IOBit hosted at Softpedia and Brothersoft.com, you could inform them too.

Edited by Swandog46
Link to post

I would ask, for my sake, if you guys are SURE. By sure, i mean WITHOUT ANY DOUBT in your mind, and if that were the case, then by all means, take necessary countermeasures.

But I would ask, and urge you guys to hold back on attacks and wait for IOBIT to give their reasoning, or attempt to explain the situation. Because if they do have an explanation, and if it IS a valid one, then MBAM's name becomes somewhat stained. So PLEASE, wait for their response, thats all i ask.

Link to post
@Falkra

Yes, you may indeed publicize this abuse of our intellectual property -- but please link to either our blog post or this forum post (or both):

http://malwarebytes.besttechie.net/2009/11...ctual-property/

http://www.malwarebytes.org/forums/index.php?showtopic=29681

Ok, this is why I asked, to make sure I do it correctly, pointing to the good public documents.

I'll blog about this and spread the word. Only facts ("this" has been posted "there").

Thank you Swandog46.

Link to post
I would ask, for my sake, if you guys are SURE. By sure, i mean WITHOUT ANY DOUBT in your mind, and if that were the case, then by all means, take necessary countermeasures.

We are 100% sure. We stand fully behind the research and conclusions in our blog/forum post above. We conducted this investigation thoroughly over a period of weeks until we were 100% sure of everything we wrote above. These were not statements we made lightly.

Believe me, we were as incredulous at first as we know may of you might be now. But facts are irrefutable. Try it for yourself: we gave you all the links and evidence you will need in the post above. Tell us if you disagree with our conclusions.

Link to post

I have been peeping around these forums for a bit and finally made a forums account.

I will email all the sites but can't find a proper e-mail to contact download.com/cnet or brothersoft

Could someone post here and/or message me a list of e-mails who host IOBit software?

Thanks for the help and best wishes for the Malwarebytes team!

Link to post
... But like i said, if you guys are 100% sure, I cannot suggest anything else. I can only ask that you hear their side of the story.

As Bruce mentioned in a reply above, fake (and quite harmless) 'malware' was created, and not published. IOBit had no access to it, but the detection was added to the MBAM database. It became obvious theft when IOBit began detecting something that wasn't real with almost the same name that we use, and which was not made public until today. There is no other possible conclusion. It defies logic that they could have done anything other than steal the database.

Their side of the story should be "We are sorry, and we will stop stealing the databases of other vendors." They should also offer to pay the various vendors for the use of their databases.

What has happened here is not just unethical or immoral. It is illegal.

Link to post
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.