Shady RAT: Shoddy RAT.

Last week, Congresswoman Mary Bono Mack (CA-45), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, sent a letter to Dmitri Alperovitch, Vice President of Threat Research at McAfee, requesting further information on his recently published report “Revealed: Operation Shady RAT.”

First of all I’d like to say straight out that we do not share the concerns surrounding the intrusion described in the report, which the report claims has resulted in the theft of sensitive information from multiple governments, corporations and non-profit organizations.

We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch.

We consider those conclusions to be largely unfounded and not a good measure of the real threat level. Nor can we concede that the McAfee analyst was unaware of the groundlessness of these conclusions, which leads us to flag the report as alarmist: it deliberately spreads misrepresented information.

I’d like to give my own answers to the key questions posed in the letter, to firmly establish the assessment of the situation by Kaspersky Lab as global security researchers – not only for the US, but for all nations concerned with cybercrime and advanced threats.

The report suggests the high-profile intrusions of recent months are neither sophisticated nor novel. How do these unsophisticated intrusions differ from the intrusions that were the focus of your report?

Many of the so-called “unsophisticated” intrusions that the IT security industry has discovered recently and which have been so prominent in the news should in fact be labeled just the opposite: “sophisticated”.

These sophisticated threats – such as TDSS, Zeus, Conficker, Bredolab, Stuxnet, Sinowal and Rustock – pose a much greater risk to governments, corporations and non-profit organizations than Shady RAT.

For example, TDSS controls one of the world’s largest zombie networks, made up of more than 4.5 million computers worldwide. It uses extremely sophisticated techniques and implements a whole range of dangerous payloads that can lead to the theft of sensitive information and even of funds from bank accounts, to spam distribution, DDoS attacks and much more.

On the other hand, most security vendors did not even bother assigning a name to Shady RAT’s malware family, due to its being rather primitive.

Are such intrusions something the government and private sector can effectively prevent or mitigate on a continuing basis?

Most commercially available anti-virus software is capable of preventing infection by the malware involved in Operation Shady RAT; most of it does not even require a special update to do so, since it detects the malware generically.

Did the logs analyzed by McAfee reveal novel techniques or patterns that would be helpful in our efforts to combat cybercrime?

We are fairly sure that the logs that McAfee analyzed did not differ from the logs all the other security vendors analyzed.

Here are our findings: unlike the sophisticated samples mentioned above, this malware uses no novel techniques or patterns. What we did find were striking shortcomings that reveal the authors’ low level of programming skill and lack of basic web security knowledge.

In addition, the way the malware spread – via masses of spam messages with infected files attached – is now considered old hat; most modern malware uses web attacks to reach target computers. Shady RAT also never used any advanced or previously unknown technologies for hiding itself in the system, any countermeasures against anti-virus software, or any encryption to protect the traffic between the servers and the infected computers. Needless to say, these are features inherent only in sophisticated malware.

What is the greater target: intellectual property and national security information, or consumer information that can be used to perpetrate identity theft?

There is no evidence showing what sort of data has been acquired from infected computers, or if any data has been acquired at all.

We can only understand what data (if any) has been stolen by conducting an in-depth investigation within an affected organization to examine the actual access rights of the infected computers.

The report suggests that the more insidious intrusions are more likely to occur without public disclosure. Would more public disclosure help or harm industry efforts to fight this type of cybercrime?

Some of the more insidious intrusions take place without the general public becoming aware of them. What’s more, they can go undetected for some time before being discovered by the IT security industry, and this is likely to continue due to the nature of the architecture of modern software and the Internet.

However, regarding Shady RAT, the IT security industry did know about this botnet, but decided not to ring any alarm bells due to its very low proliferation – as confirmed by our cloud-based cyber-threat monitoring system and by other security vendors. It has never been on the list of the most widespread threats.

For years now the industry has adopted the simple and helpful rule of not crying wolf.

A very important question that has slipped off the radar: which state is behind this intrusion?

It’s not possible to give a straight and clear answer to this question; however, it looks overwhelmingly likely that no state is behind the Shady RAT botnet. How the botnet operates and the way the related malware is designed reveals startling fundamental defects hardly indicative of a well-funded cyber-attack backed up by a nation state.

A good example of a cyber-attack most likely backed by a nation state is Stuxnet. Just compare the number of vulnerabilities used, special techniques, and the various assessments of the development cost. With Shady RAT we are dealing with a lame piece of homebrew code that could have been written by a beginner.

On the black market the Shady RAT malware would be valued at not much more than a couple hundred dollars. Even if an “evil” state were to decide to launch a targeted attack, it could buy much more sophisticated malware for just $2,000 – $3,000. And most certainly the evil state wouldn’t use the same command and control server for five years, and then keep it operating after it was revealed in the world media that it had been exposed – allowing security researchers to conduct in-depth analysis of the botnet.

We believe that this act was performed by rather novice criminals who were testing the ground, but who have not improved their skills much at all since the day they started the botnet.

To summarize the Shady RAT report:

Was it the most sophisticated attack ever?

No.

Was it the longest-lasting attack ever?

No.

Was it a historically unprecedented transfer of wealth?

No.

Is there proof that 71 organizations were compromised and had data leaked?

No.

Was it backed up by a state?

No.

Does Shady RAT deserve much attention?

No.

Useful link: Comment from Alex Gostev, Kaspersky Lab’s Chief Security Expert

27 Responses to “Shady RAT: Shoddy RAT.”

  1. Amen! I’m glad you said what needed to be said.

    I routinely remove viruses from systems that are running McAfee, and all this fear, uncertainty and doubt (FUD) is just to sell more products that do not work, and especially maybe to get a US government contract to sell the US govt “protection”.

  2. Guess you missed the recent show on China’s government run CCTV 7, “Military Technology: Internet storm is coming” that showed camera footage of Chinese government systems launching attacks against a U.S. target?

Trackbacks/Pingbacks

  1. Kaspersky disputes McAfee's Shady Rat report | TechRepublic - August 18, 2011

    […] on the eve of the BlackHat and DEFCON conventions earlier this month. In his blog post “Shady RAT: Shoddy RAT“, Kaspersky harshly criticizes the report as alarmist and even accuses that it […]

  2. Kaspersky says McAfee report is all bark and no bite | National Cyber Security - August 19, 2011

    […] in a blog post Thursday, Eugene Kaspersky said his company is not too concerned about the report, arguing that the […]

  3. Eugene Kaspersky deems McAfee’s Shady RAT report “unfounded” | Exanders.fr - August 19, 2011

    […] technical specifics) differs greatly from the conclusions formulated by Mr. Alperovitch,” explains Eugene Kaspersky. “We consider these conclusions to be largely unfounded and not a good […]

  4. McAfee is lying about Shady Rat, Kaspersky CEO charges | bSecure - August 20, 2011

    […] Kaspersky, CEO and founder of the security firm that bears his name, lashed out on his blog against the McAfee report in which the firm claimed to have detected the operation […]


  6. Can you see the gopher? Well, it’s there! | Nota Bene - August 22, 2011

    […] PR is what this will be about. And last week we made quite a noise in the foreign press on this subject. And […]

  7. McAfee Blew Shady RAT Analysis, Kaspersky Says | National Cyber Security - August 22, 2011

    […] differs greatly from the conclusions made by Mr. Alperovitch,” said Kaspersky, in his blog post, titled “Shoddy […]


  9. Shady RAT… Shoddy RAT… What about “Shouty RATT” | SecurityCurve - August 23, 2011

    […] the blog post from Kaspersky suggests that their opinion of the malware is that it isn’t really much of a to-do at all and […]

  10. Security firms knock heads over Shady RAT hacks | National Cyber Security - August 23, 2011

    […] no novel techniques or patterns used in this malware,” Kaspersky continued in an entry titled “Shady RAT: Shoddy RAT” on his personal blog. “What we did find were striking shortcomings that reveal the […]


  14. Hacker Smack Talk Escalates | National Cyber Security - August 23, 2011

    […] Kaspersky’s blog was particularly hard hitting, dismissing McAfee’s claims as being “largely unfounded and not a good measure of the […]


  17. McAfee Defends Its Position on Operation Shady RAT | WebProNews - August 26, 2011

    […] Kaspersky, the co-founder of Kaspersky Lab, also had some words to share about what he calls “Shoddy RAT.” He said it was a botnet that did not deserve as much […]

  18. August 2011 Cyber Attacks Timeline (Part I) « Il Blog di Paolo Passeri - August 29, 2011

    […] of RAT based cyber attacks with no particular features (see for instance the comment by Sophos, Kaspersky and […]

  19. The Culture of “Cyber” Minimizes Effective Data Sharing - August 30, 2011

    […] In early August, McAfee publicly shared their Shady RAT findings, electing to unilaterally disclose a report that carried the potential to disrupt law enforcement and counter-intelligence (LE/CI) operations [3]. Following the disclosure, McAfee’s Dmitri Alperovitch spent a fair amount of time defending the report from industry insiders who denounced it as nothing short of an opportunistic marketing attempt. Despite the industry backlash, the report also served as a catalyst for copycat disclosures and commentary from competitors such as Dell SecureWorks [4], Symantec [5] and Kaspersky [6]. […]


  21. Malware in August: one year since the first Trojan attacking the Android operating platform. Top viruses/malware | Devirusare.com - September 15, 2011

    […] http://eugene.kaspersky.com/2011/08/18/shady-rat-shoddy-rat/ […]

  22. Rooting out Rootkits. | Nota Bene - November 16, 2011

    […] or rootkit ‘authorities’ out there. For example, McAfee’s superbly PR’ed Shady RAT incident (behind which it was assumed stood a nation state) was deemed (not by me!) a crowning […]

