Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

IOBit Stealing Databases from Other Vendors


  • Please log in to reply

#1
GT500

GT500

    Emsisoft Research

  • Visiting Consultant
  • 42 posts
I don't see this on your forums, so here it is in case you haven't heard yet. :)

(source)

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an indepth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes' Anti-Malware software using the exact naming scheme we use to flag such keygens: Don't.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes' Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit's theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This "malware" does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can't publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don't want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file, "dummy.exe". It is a harmless dummy executable that runs, displays a "Hello World" message box, and exits. You can see from third-party scans on VirusTotal, that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! -- the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes' Anti-Malware software and indeed it was flagged as "Don't.Steal.Our.Software.A". We scanned it with IOBit using their current build and database version and it was flagged as the same "Don't.Steal.Our.Software.A". We have included their log file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, "rogue.exe", matches our fake Rogue.AVCleanSweepPro (screenshot) definition, the other "fake.exe", matches an Adware.NaviPromo definition (screenshot). VirusTotal results for "fake.exe" and "rogue.exe" so you can see they are benign. You can see a screenshot of our detections here.

During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes' proprietary research and database from their software. We also demand IOBit be delisted from Download.com due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed.


  • 0

Advertisements


#2
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Thanks GT500, it has already been posted in a couple of other areas of the forums. :)
  • 0

#3
Troy

Troy

    Tech Staff

  • Technician
  • 8,841 posts
I run the paid version of MBAM and it's awesome. Shame on iobit! :)

(notice I didn't give them any capitals)
  • 0

#4
GT500

GT500

    Emsisoft Research

  • Topic Starter
  • Visiting Consultant
  • 42 posts

Thanks GT500, it has already been posted in a couple of other areas of the forums. :)


I had been wondering if it was in areas that I didn't have access to (nothing showed up in a search), but I figured that a public topic wouldn't be an issue. :)
  • 0

#5
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
No problems with publicly displaying the topic, yes, more people are informed that way. Just letting you know that staff here already knew about the issue. :)
  • 0

#6
vinod_r2

vinod_r2

    Member

  • Member
  • PipPip
  • 28 posts
I saw that on Mbam forums... shame on IObits.... :)
  • 0

#7
bartblaze

bartblaze

    Member

  • Member
  • PipPipPip
  • 139 posts
I am not that surprised I must say, although you'd never expect they would actually incorporate MBAM's whole database.

You can vote here on WOT: http://www.mywot.com...obit.com#page-1

Here is a declaration from IObit: http://forums.iobit....read.php?t=4807

And already the first funny pictures are arising ... :
Posted Image

MBAM will take legal steps for this, I hope they can achieve something :) .
  • 0

#8
vinod_r2

vinod_r2

    Member

  • Member
  • PipPip
  • 28 posts
Did you guys read there reply??????? :)

We did catch malware, by DOG heuristic engine,


I just hope Marcin takes this up and closes it off.
  • 0

#9
bartblaze

bartblaze

    Member

  • Member
  • PipPipPip
  • 139 posts
Latest news about this:

Yesterday we presented evidence demonstrating that IObit is stealing and incorporating Malwarebytes' proprietary database and intellectual property into their software.

Our argument was that IObit detected, under the same names, fake malware files that we (1) built ourselves in-house, (2) never released to the Internet, and (3) added fake definitions for to our own database. We concluded that IObit must be stealing the definitions directly from our database. The indication of theft was not solely that they named some detections the same way -- at least not for real malware. Many vendors do that. However, since the fake malware name we made up ("Rogue.AVCleanSweepPro") does not actually exist anywhere in the wild, their use of it alone was a strong indication of theft.

Over the course of the following day IOBit engaged in a concerted campaign to suppress the evidence we presented. First they deleted the forum post showing their detection of a Malwarebytes' Anti-Malware keygen under the same name "Don't.Steal.Our.Software.A" we use to detect such keygens. Then they were able to have the Google cache version of the same page removed. (Fortunately the Bing cache version is still live and we also have screenshots of the thread archived.)

Next, they edited their database to remove detection of the "trap" definitions we disclosed in our report. But these were only a few examples, only a small subset of the definitions they have stolen from us! And to our great surprise, they did not remove all the stolen definitions from their database. We have attached more examples below of stolen definitions still appearing in the current IObit database.

Lastly, IObit issued a statement flatly denying any database theft or wrongdoing. They offer two arguments to support this denial:

  • They claim their database is constructed from anonymous Internet malware submissions. They claim furthermore that files like the fake files we created were submitted to them, named like we name malware, and that they included the submissions in their own database without changing the names.

    While this is at least plausible (if not likely) for the case of the Malwarebytes' keygen they detected as "Don't.Steal.Our.Software.A", it does not explain how they obtained a submission of the fake file "rogue.exe" we manufactured in-house, never submitted anywhere, and named with a fake malware name "Rogue.AVCleanSweepPro" that does not appear anywhere in the wild.

    IObit explained this as follows:



    We invite you to search Google for "Rogue.AVCleanSweepPro" or just "AVCleanSweepPro". See if you can find a single place where anything called "Rogue.AVCleanSweepPro" was ever detected in the wild by Malwarebytes or anyone else. When we did this today, the only hits we got were for our own report yesterday and people talking about it. Before we published our report yesterday there was not a single hit on Google for either name. This malware name simply does not exist in reality. We made it up in-house. Only four members of Malwarebytes' management were privy to the information about the fake files and the fake names. Therefore, any suggestion that somehow someone submitted to IObit a piece of malware anyone detected anywhere as "Rogue.AVCleanSweepPro" is simply a lie.

    As for "NOTSURE.dll" itself, all this suggests is that IObit manufactured a file that matches both our "Rogue.AVCleanSweepPro" fake signature and other vendors' Trojan.Pugolbho signatures. This is not hard if you have already stolen the signature: after all, we also manufactured a dummy file matching the same "Rogue.AVCleanSweepPro" signature, in order to attach it to yesterday's report. This does not prove any file was submitted to IObit over the Internet, under the name "Rogue.AVCleanSweepPro".

    Attached are two more dummy files, "dummy1.exe" and "dummy2.exe", benign executables built in-house to match two of our database signatures for "Adware.NaviPromo" (screenshot). You can see on VirusTotal here and here that no other security vendors detect these dummies. You can also see here (log1, screenshot1, log2, screenshot2) that IObit does detect them still, using their current database, as the same "Adware.NaviPromo".

    IObit will likely claim once again that they received these files as anonymous submissions and added them to their database using the Malwarebytes names either by negligence or by chance. It is true that "Adware.NaviPromo" is a name used by multiple vendors, unlike "Rogue.AVCleanSweepPro", which we fabricated in-house. But isn't it interesting then that no other security vendor detects these dummy files (or any of the other dummies we have manufactured)? Only a single signature was added to the dummy files to make them detectable by Malwarebytes and IObit, and no other security vendors. Are we to conclude that IObit received these files as anonymous submissions and then chose to add them to their database using exactly the same signatures as we use, purely by chance? If these were common or obvious signatures, presumably other security vendors would be using them too, and the dummies should be detected by other vendors as well. But clearly they are not. Nor is this an isolated case; it has been the pattern for every example we have posted. While we realize this is not 100%-conclusive proof on its own, we hope you will agree in the context of the stronger evidence we have presented (the "Rogue.AVCleanSweepPro" detection above) that it is more than a little suspicious.

  • IObit claims they could not have copied our database because theirs is larger than ours, 4.6 MB compared to 3.1 MB. This argument does not hold water. First of all, each of our databases is compressed and we can't easily compare the sizes of the plaintext database contents. Second, and far more importantly, if IObit has stolen not only our database but also the databases of other security vendors, as we strongly suspect they have, then of course their database would be larger. We have presented evidence of theft to other security vendors, although we will leave it to them to disclose information to the public.
We have served CNET Download.com and MajorGeeks.com with infringement notifications under the United States Digital Millennium Copyright Act (DMCA). IObit software infringes Malwarebytes' copyright and intellectual property rights and we have requested it be removed (MajorGeeks.com has removed it already).

Apparently IObit thought they could convince the community they had done no wrong. On the contrary, we have witnessed an outpouring of support for Malwarebytes and the hard work we put into our research and products, and we are humbled and thankful to everyone for it.


Source: http://www.malwareby...showtopic=29772
  • 0

#10
Troy

Troy

    Tech Staff

  • Technician
  • 8,841 posts

Caution: The following file is a malware that will harm your PC. Test it on your own risk.


What on earth is iobit doing? This is just stupid.
  • 0

#11
GT500

GT500

    Emsisoft Research

  • Topic Starter
  • Visiting Consultant
  • 42 posts

What on earth is iobit doing? This is just stupid.


They are scrambling around like chickens with their heads cut off trying to prove the untrue.

They also probably assumed that both IOBit and MBAM would remove the file if people did test with it.
  • 0

#12
vinod_r2

vinod_r2

    Member

  • Member
  • PipPip
  • 28 posts

What on earth is iobit doing? This is just stupid.


They are scrambling around like chickens with their heads cut off trying to prove the untrue.

They also probably assumed that both IOBit and MBAM would remove the file if people did test with it.



LoL.... :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP