Initial thoughts on Malwarebytes versus IObit


Malwarebytes accusation that IObit has infringed on their intellectual property has received a bit of attention in news and and blogs, and a good deal more discussion about what happened—or did not happen, or may have happened—is occurring in various web forums and mailing lists. 

Having worked in the anti-malware industry for a number of years (even so far back as *gasp* when it was called the anti-virus industry) I had some small interest in the matter, however, I have more interest, frankly, in clearing up what I see as a lot of confusion.  So, just to be clear, the opinions expressed are my own, and not those of my current or any past employer.  If I got something right, or there’s a part you agree with, that’s probably because of something I learned from one of my smart co-workers.  If, on the other hand, I got something wrong, or you disagree with it, violently or otherwise, well, that’s probably my fault.

As I understand it, there seem to be several related issues:

  • Malwarebytes has accused IObit of copying a percentage (up to 100%, it appears) of MBAM’s threat signature database and including it in IObit Security 360.
  • Malwarebytes has accused IObit of identifying threats using the exact same names that Malwarebytes uses to detect those threats.
  • Malwarebytes has salted their threat signature database with signatures for nonexistent threats, and claims that IOBit Security 360 detects files containing those signatures, identifying them with identical (or nearly identical) names used by MBAM.
  • IObit has stated that the detection of one of the salted false positives occurred because it was sent to them anonymously and that they used the name of the file as it was uploaded to them to identify it in IObit Security 360.

The anti-malware industry shares samples, meta-data about samples and for high-profile threats may share information such as reverse-engineering and detection techniques.  Anti-malware companies even swap product licenses with each other:  It can be helpful to prioritize the incoming firehose of samples not just with your own internally-developed tools, but with a competitor’s products as well.  These relationships often extend back for years and decades, and they continue to go on, unabated.

There is, however, a difference between copying a competitor’s naming conventions in toto, which indicates many things about the copier, such as laziness and not having enough resources to properly conduct threat identification, and reverse-engineering a competitor’s product to decrypt their signature database and import it into yours, which may be a civil law or a criminal law (or both) matter.

There’s nothing particular novel or new about what Malwarebytes has done with salting their threat signature database.  When I was at my previous employer in the anti-virus field, we regularly added fake entries to our virus signatures, and when those signatures appeared in competitor’s products, we had discussions with them.  Generally, all it took was a phone call (or a fax) to stop that behavior.  Those were done privately, though, and never reached a point where lawyers (or the public) had to get involved.

One thing I hope everyone keeps in mind is that this is a very complex issue, not just from a technical and legal perspectives, but from cultural and perhaps even geopolitical ones as well.  I believe Malwarebytes is an American company and IObit is a Chinese one.  As such, it very possible that IObit’s employees do not communicate as effectively as people who are native English speakers. If you are a native English speaker and reading this, think about how difficult it might be for you to respond to message in Cantonese or Mandarin.

I suspect this is ultimately going to be settled in a court of law, or at least by lawyers, rather than in the court of public opinion, and would caution people to try and take a cautious and balanced view of the issue until then.


Aryeh Goretsky

Horowitz, Michael. ComputerWorld Blogs – IObit accused of stealing from Malwarebytes.
Kleczynski , Marcin. Malwarebytes blog – IOBit’s Denial of Theft Unconvincing.
Landesman, Mary. About.Com – IOBit Steals Malwarebytes’ Intellectual Property.
Mills, Elinor. CNet News – Malwarebytes accuses rival of software theft.
unknown. IObit blog – Declaration from IObit
unknown. Malwarebytes blog – IOBit Steals Malwarebytes’ Intellectual Property.

REV. 2009105.2312

Leave a comment

Filed under Computers and Internet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s