Shady RAT No China Smoking Gun

Kudos to McAfee for discovering attacks that go undiscovered too often, but questions about attack severity, sophistication, or nation-state backing remain.

Mathew J. Schwartz, Contributor

August 11, 2011

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Is Shady RAT one of the "the biggest series of cyberattacks in history," as some media outlets have claimed?

McAfee's revelation of the long-running attacks, which have operated on the sly since at least 2006 and compromised more than 70 organizations, was timed to coincide with the publication last week of a related expose in Vanity Fair, as well as the start of the annual Black Hat security conference. McAfee's security researchers have been investigating the attacks-which they dubbed Shady RAT for their use of stealthy remote access tools-for some time.

While the tools used in such attacks can steal information, such attacks apparently exist in relatively low volumes, at least compared with the flood of spam, phishing attacks, and generic malware businesses see daily. But that low volume also makes RAT-style attacks difficult to detect when they do get launched.

If this low volume and persistence sound familiar, that's because it recalls the modus operandi for an advanced persistent threat. Of course, APT is a fuzzy concept. As McAfee's own report on Shady RAT notes, "this term lately lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT." (Reference: RSA SecurID breach.) Generally, however, security experts define an APT as a threat involving attackers who can launch multiple exploits, advancing the underlying functionality along the way, to steal non-financial information of value, often operating without being detected.

The interesting APT-related angle to Shady RAT is that the attackers failed to update their Trojan software attack functionality for more than a year and failed to encrypt the server used to control the Trojans (often used by Chinese attackers). As a result, they left a trail that McAfee's researchers ultimately spotted and traced to the command-and-control server. The attackers had already installed Web traffic analysis tools on the server, further aiding researchers.

But simply discovering that server was somewhat unusual. "It was great that McAfee was able to get access to this data and show how it works," Joe Stewart, director of malware research for Dell SecureWorks, told me last week at Black Hat.

Some security researchers, however, dispute that Shady RAT would even qualify as an APT. "I would contend that it isn't, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case," said Symantec researcher Hon Lau in a blog post. "Sure, the people behind it are persistent, but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them."

While McAfee's discovery of the mechanics behind the Shady RAT attacks was new, the existence of the group was already known. Stewart said it's often referred to as the "Comment Crew," for using HTML comments as a mechanism for communicating with the botnet command-and-control servers the group operates. "They've got lots of infrastructure behind it, stuff we'll never get access to," he said. But the group has left tracks before. "One of the malware families belonging to this group is one that we saw using HTran, and sending its data back to China," Stewart said.

As a result of that traffic flow, security experts suspect the Comment Crew is operating from China. McAfee, while saying that it saw a solo "state actor" behind the attacks, stopped short of pointing fingers. Likewise, Alex Gostev, chief security expert for Kaspersky Lab, said that without hard evidence, people should beware jumping to conclusions about who's behind this attack, especially when it comes to the motives of criminal organizations.

For starters, Gostev said, the circumstances surrounding Shady RAT's discovery make the suggestion of state-sponsored hacking tenuous. "A situation in which a complicated and large-scale corporate espionage operation has alleged to have been undertaken for years but whose sophisticated organizers do not clean up their server access logs after them--this is something that can certainly be described as unusual," he said.

Furthermore, when it comes to how Shady RAT was used, McAfee has assumed--based on logs of connections between Web servers--that large organizations were spied on. But the report doesn't identity data that might have been stolen, or which specific Trojan applications were used, which makes it unclear what type of damage Shady RAT may even have caused, Gostev said.

"Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyberattack in history is premature," he said. "Until then, we will consider it an original way of approaching the start of the annual Black Hat conference in Las Vegas."

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights