McAfee Blew Shady RAT Analysis, Kaspersky SaysSecurity expert Eugene Kaspersky dismissed the seriousness of the Shady RAT botnet and suggested McAfee was purposefully alarmist in its report.
(click image for larger view)
Slideshow: 10 Massive Security Breaches
A war of words has emerged over McAfee's Shady RAT report, which traced the use of a set of remote access tools to a series of online attacks.
Eugene Kaspersky, CEO of Kaspersky Lab, alleged Thursday that McAfee--and in particular, Dmitri Alperovitch, McAfee's threat research VP and author of the report--purposefully mischaracterized the seriousness of the threat he found.
"We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch," said Kaspersky, in his blog post, titled "Shoddy RAT."
"We consider those conclusions to be largely unfounded and not a good measure of the real threat level," he said. "Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information."
According to Kaspersky, the malware used in the attack was widely known, but relatively unsophisticated, and would be worth just a few hundred dollars on the black market, compared with top botnets, which might fetch $2,000 to $3,000. "Most security vendors did not even bother assigning a name to Shady RAT's malware family, due to its being rather primitive," he said. Furthermore, he said, there was no evidence of a state sponsor behind the attacks.
Kaspersky's criticism came in the wake of a letter sent to McAfee's Alperovitch by Rep. Mary Bono Mack (R-Calif.), chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, seeking more details on Shady RAT.
Kaspersky's post also followed the publication, on Wednesday, of a story in SC Magazine, quoting McAfee's Alperovitch as saying, "If you think this is an unsophisticated botnet then you've got no clue, or you're not willing to talk about it."
That seemed to be a response to an analysis of Shady RAT published by Symantec researcher Hon Lau, which disputed that the attack was advanced, since the attackers made server configuration errors and used "relatively non-sophisticated malware" and other attack techniques. "Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them," said Lau, referring to two well-known and quite effective botnet and rootkit families used by criminals.
Kaspersky's criticism in turn triggered a response from McAfee. "He's missing the point," said Phyllis Schneck, McAfee's VP & CTO for global public sector at McAfee, in a blog post released Friday.
"It's not the sophistication of the attack that's important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture," she said. "It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary."
"Quiet, insidious, market-changing threats like these hide in the noise of botnets, 'hacks,' and other high-profile or nuisance events," she said.
At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.