Vulnerabilities / Threats
8/22/2011
09:57 AM
50%
50%

McAfee Blew Shady RAT Analysis, Kaspersky Says

Security expert Eugene Kaspersky dismissed the seriousness of the Shady RAT botnet and suggested McAfee was purposefully alarmist in its report.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
A war of words has emerged over McAfee's Shady RAT report, which traced the use of a set of remote access tools to a series of online attacks.

Eugene Kaspersky, CEO of Kaspersky Lab, alleged Thursday that McAfee--and in particular, Dmitri Alperovitch, McAfee's threat research VP and author of the report--purposefully mischaracterized the seriousness of the threat he found.

"We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch," said Kaspersky, in his blog post, titled "Shoddy RAT."

"We consider those conclusions to be largely unfounded and not a good measure of the real threat level," he said. "Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information."

According to Kaspersky, the malware used in the attack was widely known, but relatively unsophisticated, and would be worth just a few hundred dollars on the black market, compared with top botnets, which might fetch $2,000 to $3,000. "Most security vendors did not even bother assigning a name to Shady RAT's malware family, due to its being rather primitive," he said. Furthermore, he said, there was no evidence of a state sponsor behind the attacks.

Kaspersky's criticism came in the wake of a letter sent to McAfee's Alperovitch by Rep. Mary Bono Mack (R-Calif.), chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, seeking more details on Shady RAT.

Kaspersky's post also followed the publication, on Wednesday, of a story in SC Magazine, quoting McAfee's Alperovitch as saying, "If you think this is an unsophisticated botnet then you've got no clue, or you're not willing to talk about it."

That seemed to be a response to an analysis of Shady RAT published by Symantec researcher Hon Lau, which disputed that the attack was advanced, since the attackers made server configuration errors and used "relatively non-sophisticated malware" and other attack techniques. "Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them," said Lau, referring to two well-known and quite effective botnet and rootkit families used by criminals.

Kaspersky's criticism in turn triggered a response from McAfee. "He's missing the point," said Phyllis Schneck, McAfee's VP & CTO for global public sector at McAfee, in a blog post released Friday.

"It's not the sophistication of the attack that's important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture," she said. "It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary."

"Quiet, insidious, market-changing threats like these hide in the noise of botnets, 'hacks,' and other high-profile or nuisance events," she said.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0656
Published: 2015-03-03
Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.