Printable Version of Topic

Posted by: Grinler Nov 2 2009, 11:17 PM

The Malwarebytes', or MBAM, team announced today that IOBit, a software developer located in China, has been purposely stealing their malware definitions and incorporating it into their Security 360 product. As IOBit has been marketing their new security product strongly lately, this accusation could make their Security 360 product short lived.

It started with the MBAM team discovering a forum thread at the IOBit forum with a user questioning the scan results from their new Security 360 product. The scan result is:

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes' Anti-Malware v1.39\Key_Generator.exe, 9-30501

The definition classification of Don't.Steal.Our.Software.A. is the exact same one that Malwarebytes' uses in their virus definitions for various MBAM serial code generators. The MBAM staff found it strange that IOBit would detect MBAM keygens and at the same time use the classification that they themselves made up. This led them to become suspicious and to dig deeper into the IOBit virus definitions. What they discovered was that this was not a unique incident and that there were other definitions that were copied directly from their database as well.

To finally confirm that they were indeed stealing their definitions, MBAM created a definition for a fake and nonexistent Rogue program called Rogue.AVCleanSweepPro and created fake and harmless test files to go along with this test. This is not a real infection and was made up by the Malwarebytes' development team in order to catch IOBit in the act. Therefore, the only place this definition should exist is in the Malwarebytes program definitions. Within two weeks, though, IOBit was flagging this same infection under almost the exact same names. So let's recap. A company makes up a program and two weeks later it appears in another company's program? Seems pretty obvious that they are stealing their definitions.

Malwarebytes` has also stated that they have discovered that IOBit may have stolen definitions from other competitors databases as well. At this time we do not who these other competitors are and what was stolen. This is not the first time that malware definitions have been stolen from competitors, but no matter how you look at it, this is a criminal act as the virus definitions are the intellectual property of the creators.

After the announcement, there has been a strong community outcry on the purported behavior of IOBit as seen by the Malwarebytes's announcement topic listed below. As IOBit is located in China, there has not been much of a response back from them as of yet. The only thing we have seen are threads being deleted from the IOBit forums when the subject is broached, and just recently, and new thread created by a IOBit staff member that is supposed to be used to post questions about the accusations by Malwarebytes'.

We will continue to cover this and provide any updates as we get them.

 

Posted by: Amazing Andrew Nov 3 2009, 04:59 AM

More:
Google's cached version of the thread in question isn't working at the moment, http://cc.bingj.com/cache.aspx?q=%22http+forums+iobit+com+showthread+php+t+3325%22&d=4975839906562687&mkt=en-US&setlang=en-US&w=cef7093a,c4461288(http://www.boredomsoft.org/articles/Media/IOBit_MB_cache_screentshot.png)

IObit's response (dubious IMHO):
http://forums.iobit.com/showthread.php?p=28954 and http://blog.iobit.com/archives/95.html

Posted by: elise025 Nov 3 2009, 05:14 AM

Grinler, what would be a proper way at this moment to deal with IOBit software in logs?

Posted by: Grinler Nov 3 2009, 07:45 AM

At this point nothing. It is not our choice to demand a user stop using a software until this is all ironed out.

Posted by: Swandog46 Nov 3 2009, 10:51 AM

Amazing Andrew, thank you very much for the screenshot of IOBit forums. If the Bing cached version goes down too, may we use your screenshot (we can either link it, or, if you think the traffic is too much, re-host it ourselves) in a future blog post?

Posted by: Amazing Andrew Nov 3 2009, 01:23 PM

Please do. If you host it yourself, a little linky to my site would be appreciated!

Posted by: Swandog46 Nov 3 2009, 01:46 PM

If your site can handle the traffic, we will just link it. Thank you very much!

Posted by: Amazing Andrew Nov 3 2009, 01:49 PM

Have you seen the latest update to their response? They're posting LIVE MALWARE samples.

Posted by: ThunderZ Nov 3 2009, 02:21 PM

That is sadly hilarious.

Wonder how many of the HJT crew are now going to get stuck cleaning up what ever mess their d\l will create?

Posted by: Amazing Andrew Nov 3 2009, 04:15 PM

If it's any use to anyone, http://www.techspot.com/downloads/4875-iobit-security-offline-database-update.htmlfrom TechSpot (I have a local copy in case the link dies and needs to be mirrored.)

Posted by: GT500 Nov 3 2009, 05:50 PM

Nice find.

Posted by: boopme Nov 3 2009, 10:37 PM

Marcin made a new reply today...

http://www.malwarebytes.org/forums/index.php?showtopic=29772

Posted by: Bezukhov Nov 6 2009, 12:01 PM

I don't think I can continue using IObits 360 in good conscience any more. Not in light of this thread. Thank you for bringing this to my attention.

Posted by: case.bolt Nov 16 2009, 12:35 PM

sad really. mbam is such as great program, and the developers deserve many thanks and kudos for all their hard work. sad that a company feels so inadequate that they have to copy someone else's hard work.

Posted by: Maximus the Mad Nov 18 2009, 02:14 AM

I know some folks who work for MalwareBytes and I can't believe what I am reading! I hope all hosting sites take down the IObit theftware(there's a new category).

Posted by: Amazing Andrew Nov 18 2009, 03:12 AM

The http://blog.iobit.com/archives/122.html barely hints to the issue.

Posted by: garmanma Nov 18 2009, 03:22 PM

They sure did back down from their first declaration