8/11/2011 12:56 PM

Shady RAT No China Smoking Gun

Kudos to McAfee for discovering attacks that go undiscovered too often, but questions about attack severity, sophistication, or nation-state backing remain.

Is Shady RAT one of the "biggest series of cyberattacks in history," as some media outlets have claimed?

McAfee's revelation of the long-running attacks, which have operated on the sly since at least 2006 and compromised more than 70 organizations, was timed to coincide with the publication last week of a related exposé in Vanity Fair, as well as the start of the annual Black Hat security conference. McAfee's security researchers have been investigating the attacks, which they dubbed Shady RAT for their use of stealthy remote access tools, for some time.

While the tools used in such attacks can steal information, such attacks apparently exist in relatively low volumes, at least compared with the flood of spam, phishing attacks, and generic malware businesses see daily. But that low volume also makes RAT-style attacks difficult to detect when they do get launched.

If this low volume and persistence sound familiar, that's because it recalls the modus operandi for an advanced persistent threat. Of course, APT is a fuzzy concept. As McAfee's own report on Shady RAT notes, "this term lately lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT." (Reference: RSA SecurID breach.) Generally, however, security experts define an APT as a threat involving attackers who can launch multiple exploits, advancing the underlying functionality along the way, to steal non-financial information of value, often operating without being detected.

The interesting APT-related angle to Shady RAT is that the attackers failed to update their Trojan's attack functionality for more than a year and failed to encrypt the server used to control the Trojans (often used by Chinese attackers). As a result, they left a trail that McAfee's researchers ultimately spotted and traced to the command-and-control server. The attackers had already installed Web traffic analysis tools on the server, further aiding researchers.

But simply discovering that server was somewhat unusual. "It was great that McAfee was able to get access to this data and show how it works," Joe Stewart, director of malware research for Dell SecureWorks, told me last week at Black Hat.

Some security researchers, however, dispute that Shady RAT would even qualify as an APT. "I would contend that it isn't, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case," said Symantec researcher Hon Lau in a blog post. "Sure, the people behind it are persistent, but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them."

While McAfee's discovery of the mechanics behind the Shady RAT attacks was new, the existence of the group was already known. Stewart said it's often referred to as the "Comment Crew," for using HTML comments as a mechanism for communicating with the botnet command-and-control servers the group operates. "They've got lots of infrastructure behind it, stuff we'll never get access to," he said. But the group has left tracks before. "One of the malware families belonging to this group is one that we saw using HTran, and sending its data back to China," Stewart said.
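The article says only that the Comment Crew hid command-and-control traffic in HTML comments; it does not describe how the commands were encoded. As an added example (not McAfee's, Dell SecureWorks' or the report's code), the following defender-side scanner applies one reasonable heuristic for that technique, which is an assumption of this example: an HTML comment that consists of a single base64- or hex-looking token with high character entropy is more likely an encoded command than a developer note. The sample HTML bodies and the "payload" string are constructed here for the demonstration.

```python
import base64
import math
import re
from dataclasses import dataclass

# Constructed sample inputs (not from the McAfee report). The "payload" is a
# placeholder string base64-encoded here so the example is self-contained.
PLACEHOLDER = b"constructed-placeholder-bytes-not-a-real-command-0123456789"
ENCODED = base64.b64encode(PLACEHOLDER).decode("ascii")

# A benign page: human notes plus a low-entropy run that only *looks* like base64.
BENIGN_HTML = """<html><head><title>Welcome</title></head>
<body><!-- main navigation --><p>Hello</p>
<!-- TODO: replace placeholder image before launch -->
<!-- aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --></body></html>"""

# A page carrying one comment that is a single encoded-looking blob.
SUSPICIOUS_HTML = f"""<html><body><p>Photo gallery</p>
<!-- {ENCODED} -->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Comment bodies that are one encoded-looking token rather than a human note.
# The length floors are assumptions chosen to skip short identifiers.
BLOB_PATTERNS = {
    "base64-like": re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$"),
    "hex-like": re.compile(r"^[0-9a-fA-F]{32,}$"),
}


@dataclass
class Finding:
    comment: str
    reason: str
    entropy: float


def shannon_entropy(text: str) -> float:
    """Bits per character: repeated filler scores near 0, encoded data scores high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_html_comments(html: str, min_entropy: float = 3.5) -> list:
    """Return one Finding per HTML comment whose body is a single high-entropy blob.

    The entropy gate keeps runs like 'aaaa...' (which match the base64 charset)
    from being flagged; min_entropy is a tunable assumption, not a published value.
    """
    findings = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        for reason, pattern in BLOB_PATTERNS.items():
            if pattern.match(body):
                ent = shannon_entropy(body)
                if ent >= min_entropy:
                    findings.append(Finding(body, reason, round(ent, 2)))
                break  # one reason per comment is enough
    return findings


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, scan_html_comments(doc))
```

In practice this check would run on proxy-captured response bodies for hosts that an endpoint polls on a fixed cadence; a single hit is weak evidence on its own, but repeated blob-bearing comments on otherwise static pages are worth an analyst's look.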

As a result of that traffic flow, security experts suspect the Comment Crew is operating from China. McAfee, while saying that it saw a solo "state actor" behind the attacks, stopped short of pointing fingers. Likewise, Alex Gostev, chief security expert for Kaspersky Lab, said that without hard evidence, people should beware of jumping to conclusions about who's behind this attack, especially when it comes to the motives of criminal organizations.

For starters, Gostev said, the circumstances surrounding Shady RAT's discovery make the suggestion of state-sponsored hacking tenuous. "A situation in which a complicated and large-scale corporate espionage operation has alleged to have been undertaken for years but whose sophisticated organizers do not clean up their server access logs after them; this is something that can certainly be described as unusual," he said.

Furthermore, when it comes to how Shady RAT was used, McAfee has assumed, based on logs of connections between Web servers, that large organizations were spied on. But the report doesn't identify data that might have been stolen, or which specific Trojan applications were used, which makes it unclear what type of damage Shady RAT may even have caused, Gostev said.

"Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyberattack in history is premature," he said. "Until then, we will consider it an original way of approaching the start of the annual Black Hat conference in Las Vegas."

