Vulnerabilities / Threats
8/22/2011
09:57 AM
Connect Directly
RSS
E-Mail
50%
50%

McAfee Blew Shady RAT Analysis, Kaspersky Says

Security expert Eugene Kaspersky dismissed the seriousness of the Shady RAT botnet and suggested McAfee was purposefully alarmist in its report.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
A war of words has emerged over McAfee's Shady RAT report, which traced the use of a set of remote access tools to a series of online attacks.

Eugene Kaspersky, CEO of Kaspersky Lab, alleged Thursday that McAfee--and in particular, Dmitri Alperovitch, McAfee's threat research VP and author of the report--purposefully mischaracterized the seriousness of the threat he found.

"We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch," said Kaspersky, in his blog post, titled "Shoddy RAT."

"We consider those conclusions to be largely unfounded and not a good measure of the real threat level," he said. "Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information."

According to Kaspersky, the malware used in the attack was widely known, but relatively unsophisticated, and would be worth just a few hundred dollars on the black market, compared with top botnets, which might fetch $2,000 to $3,000. "Most security vendors did not even bother assigning a name to Shady RAT's malware family, due to its being rather primitive," he said. Furthermore, he said, there was no evidence of a state sponsor behind the attacks.

Kaspersky's criticism came in the wake of a letter sent to McAfee's Alperovitch by Rep. Mary Bono Mack (R-Calif.), chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, seeking more details on Shady RAT.

Kaspersky's post also followed the publication, on Wednesday, of a story in SC Magazine, quoting McAfee's Alperovitch as saying, "If you think this is an unsophisticated botnet then you've got no clue, or you're not willing to talk about it."

That seemed to be a response to an analysis of Shady RAT published by Symantec researcher Hon Lau, which disputed that the attack was advanced, since the attackers made server configuration errors and used "relatively non-sophisticated malware" and other attack techniques. "Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them," said Lau, referring to two well-known and quite effective botnet and rootkit families used by criminals.

Kaspersky's criticism in turn triggered a response from McAfee. "He's missing the point," said Phyllis Schneck, McAfee's VP & CTO for global public sector at McAfee, in a blog post released Friday.

"It's not the sophistication of the attack that's important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture," she said. "It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary."

"Quiet, insidious, market-changing threats like these hide in the noise of botnets, 'hacks,' and other high-profile or nuisance events," she said.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant