Jump to content


Photo

IOBit Steals Malwarebytes' Intellectual Property


  • This topic is locked This topic is locked
142 replies to this topic

#1 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Root Admin
  • PipPipPipPipPipPip
  • 4,148 posts
  • Gender:Male

Posted 02 November 2009 - 02:59 PM

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an indepth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums (cached version, since they have now deleted the original) that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes' Anti-Malware software using the exact naming scheme we use to flag such keygens: Don't.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes' Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit's theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This "malware" does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can't publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don't want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file, "dummy.exe". It is a harmless dummy executable that runs, displays a "Hello World" message box, and exits. You can see from third-party scans on VirusTotal, that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! -- the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes' Anti-Malware software and indeed it was flagged as "Don't.Steal.Our.Software.A". We scanned it with IOBit using their current build and database version and it was flagged as the same "Don't.Steal.Our.Software.A". We have included their log file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, "rogue.exe", matches our fake Rogue.AVCleanSweepPro (screenshot) definition, the other "fake.exe", matches an Adware.NaviPromo definition (screenshot). VirusTotal results for "fake.exe" and "rogue.exe" so you can see they are benign. You can see a screenshot of our detections here.

During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes' proprietary research and database from their software. We also demand IOBit be delisted from Download.com due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed.
Marcin Kleczynski
Chief Executive Officer



Follow us: Twitter, Become a fan: Facebook

#2 pcvirologist

pcvirologist

    New Member

  • Members
  • Pip
  • 5 posts
  • Gender:Male
  • Location:Florida

Posted 02 November 2009 - 03:32 PM

Download.com and Majorgeeks.com has been e-mailed by us to remove IOBit software. :) ;)

#3 cnm

cnm

    New Member

  • Experts
  • Pip
  • 22 posts

Posted 02 November 2009 - 03:49 PM

Done. But -- how did they get your database? Isn't it protected?

#4 noblelord

noblelord

    New Member

  • Members
  • Pip
  • 1 posts

Posted 02 November 2009 - 03:50 PM

I have un-installed - most disturbing news indeed.

McAfee SiteAdvisor is also flagging iobit.com as red at the moment I notice, but this I suspect this is an FP.

#5 nosirrah

nosirrah

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 5,452 posts
  • Gender:Male
  • Location:Northampton, MA USA

Posted 02 November 2009 - 03:51 PM

Done. But -- how did they get your database? Isn't it protected?



We can't prevent the database from being accessed. We can make it tough but if we made it impossible, our app wouldn't be able to read it!
Bruce Harrison
Vice President of Research

Posted Image

Follow us: Twitter, Become a fan: Facebook

#6 B-boy/StyLe/

B-boy/StyLe/

    FFreestyleRR

  • Experts
  • PipPipPipPipPip
  • 1,133 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 November 2009 - 04:05 PM

If it's true, WHAT A SHAME ON THEM... ;)
Posted Image
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here - Posted Image

#7 nosirrah

nosirrah

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 5,452 posts
  • Gender:Male
  • Location:Northampton, MA USA

Posted 02 November 2009 - 04:11 PM

If it's true, WHAT A SHAME ON THEM... ;)



"If" goes out the window when you add traps and then they fall into them . Fictitious defs that target internal use files , how on earth could they ever have them in their defs without theft ?

It would be very foolish of us to blog this if we we were not 100% sure .
Bruce Harrison
Vice President of Research

Posted Image

Follow us: Twitter, Become a fan: Facebook

#8 Swandog46

Swandog46

    Elite Member

  • Administrators
  • PipPipPipPipPip
  • 958 posts
  • Gender:Male

Posted 02 November 2009 - 04:14 PM

But -- how did they get your database? Isn't it protected?

cnm, I assume they reverse-engineered it. While illegal and certainly technically non-trivial, it is not impossible, especially for someone skilled.
Doug Swanson
Chief Technical Officer

Posted Image

Follow us: Twitter, Become a fan: Facebook

#9 Nexus6

Nexus6

    New Member

  • Members
  • Pip
  • 1 posts
  • Gender:Male
  • Location:Off World Colonies

Posted 02 November 2009 - 04:19 PM

;) Wow, just installed that too, well let me find the uninstall button!!

#10 Falkra

Falkra

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 544 posts
  • Gender:Male
  • Location:France
  • Interests:Languages : French, Spanish, English.

Posted 02 November 2009 - 04:30 PM

Can we help Malwarebytes ? If so, how ?

#11 Kikesan

Kikesan

    Regular Member

  • Honorary Members
  • PipPip
  • 89 posts
  • Gender:Male
  • Location:Mexico

Posted 02 November 2009 - 04:30 PM

Some people posted this information at IOBit forums, but they remove the threads
Let's wait for their response to this fact.
--Sorry for my English, it's not my native language--
If my files are password-protected try with "123" or "infected" (without quotes)

-Kaspersky Gold Beta Tester-
In training at SWI Boot Camp.

#12 Swandog46

Swandog46

    Elite Member

  • Administrators
  • PipPipPipPipPip
  • 958 posts
  • Gender:Male

Posted 02 November 2009 - 04:32 PM

Can we help Malwarebytes ? If so, how ?

Falkra, as we said above:

"What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed."

EDIT: I also see IOBit hosted at Softpedia and Brothersoft.com, you could inform them too.

Edited by Swandog46, 02 November 2009 - 04:34 PM.

Doug Swanson
Chief Technical Officer

Posted Image

Follow us: Twitter, Become a fan: Facebook

#13 Falkra

Falkra

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 544 posts
  • Gender:Male
  • Location:France
  • Interests:Languages : French, Spanish, English.

Posted 02 November 2009 - 04:35 PM

This has be done (and WOT rankings). Can we blog about this, pointing to the first post ?

#14 elohelomg

elohelomg

    New Member

  • Members
  • Pip
  • 4 posts

Posted 02 November 2009 - 04:36 PM

I would ask, for my sake, if you guys are SURE. By sure, i mean WITHOUT ANY DOUBT in your mind, and if that were the case, then by all means, take necessary countermeasures.

But I would ask, and urge you guys to hold back on attacks and wait for IOBIT to give their reasoning, or attempt to explain the situation. Because if they do have an explanation, and if it IS a valid one, then MBAM's name becomes somewhat stained. So PLEASE, wait for their response, thats all i ask.

#15 Swandog46

Swandog46

    Elite Member

  • Administrators
  • PipPipPipPipPip
  • 958 posts
  • Gender:Male

Posted 02 November 2009 - 04:37 PM

@Falkra

Yes, you may indeed publicize this abuse of our intellectual property -- but please link to either our blog post or this forum post (or both):

http://malwarebytes....ctual-property/
http://www.malwareby...showtopic=29681
Doug Swanson
Chief Technical Officer

Posted Image

Follow us: Twitter, Become a fan: Facebook

#16 roddy32

roddy32

    New Member

  • Experts
  • Pip
  • 46 posts
  • Gender:Male
  • Location:Kansas, USA
  • Interests:Nascar and Red Sox baseball

Posted 02 November 2009 - 04:38 PM

I just e-mailed Lee Koo at CNET about this. He does not run download.com but he runs the forums and I am sure he will let whoever needs to know about this.
Log'n'Rock Computer Security

Microsoft MVP Consumer Security 2006-2012

#17 Falkra

Falkra

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 544 posts
  • Gender:Male
  • Location:France
  • Interests:Languages : French, Spanish, English.

Posted 02 November 2009 - 04:39 PM

@Falkra

Yes, you may indeed publicize this abuse of our intellectual property -- but please link to either our blog post or this forum post (or both):

http://malwarebytes....ctual-property/
http://www.malwareby...showtopic=29681


Ok, this is why I asked, to make sure I do it correctly, pointing to the good public documents.
I'll blog about this and spread the word. Only facts ("this" has been posted "there").

Thank you Swandog46.

#18 Swandog46

Swandog46

    Elite Member

  • Administrators
  • PipPipPipPipPip
  • 958 posts
  • Gender:Male

Posted 02 November 2009 - 04:42 PM

I would ask, for my sake, if you guys are SURE. By sure, i mean WITHOUT ANY DOUBT in your mind, and if that were the case, then by all means, take necessary countermeasures.


We are 100% sure. We stand fully behind the research and conclusions in our blog/forum post above. We conducted this investigation thoroughly over a period of weeks until we were 100% sure of everything we wrote above. These were not statements we made lightly.

Believe me, we were as incredulous at first as we know may of you might be now. But facts are irrefutable. Try it for yourself: we gave you all the links and evidence you will need in the post above. Tell us if you disagree with our conclusions.
Doug Swanson
Chief Technical Officer

Posted Image

Follow us: Twitter, Become a fan: Facebook

#19 elohelomg

elohelomg

    New Member

  • Members
  • Pip
  • 4 posts

Posted 02 November 2009 - 04:45 PM

I just dont condone the idea of bashing a softwares name, without at least hearing their side of a story. But like i said, if you guys are 100% sure, I cannot suggest anything else. I can only ask that you hear their side of the story.

#20 Swandog46

Swandog46

    Elite Member

  • Administrators
  • PipPipPipPipPip
  • 958 posts
  • Gender:Male

Posted 02 November 2009 - 04:49 PM

They stole our intellectual property. If they have a cogent explanation for this, I would like to hear it.
Doug Swanson
Chief Technical Officer

Posted Image

Follow us: Twitter, Become a fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users