Security firms knock heads over Shady RAT hacks

Attacks 'advanced' only in the sense they breached 'crappy defenses,' says analyst

U.S. and Russian antivirus vendors took shots at each other as they quarreled over a recent report of a cyber campaign that allegedly infiltrated scores of Western governments, organizations and corporations.

The report, released earlier this month by McAfee, claimed that a half-decade-long hacker operation compromised more than 70 U.S. and foreign government agencies, defense contractors and international organizations to plant malware that in some cases hid on networks for years.

McAfee's report was picked up by numerous news outlets, and even caught the eye of Congress. On Aug. 10, Rep. Mary Bono Mack (R-Calif.), the chairman of the House subcommittee on commerce, manufacturing and trade, sent a letter (download PDF) to McAfee asking for more information on the intrusions.

McAfee dubbed the campaign "Shady RAT" and said it was an example of an "advanced persistent threat," or APT, a term that's been used widely by mainstream security companies, and in news reports, since Google claimed that Chinese hackers had breached its network.

Last Thursday, the CEO of Moscow-based Kaspersky Labs took exception to McAfee's conclusions, especially that the attacks were sophisticated enough to justify the "advanced" part of the APT label.

"We consider those conclusions to be largely unfounded and not a good measure of the real threat level," said Eugene Kaspersky, CEO and co-founder of the company that bears his name.

"We found no novel techniques or patterns used in this malware," Kaspersky continued in an entry titled "Shady RAT: Shoddy RAT" on his personal blog. "What we did find were striking shortcomings that reveal the authors' low level of programming skill and lack of basic web security knowledge."

This wasn't the first time Kaspersky's company criticized its rival. Three weeks ago, Kaspersky and other security firms questioned McAfee's claims.

Kaspersky also claimed that the Shady RAT attacks originated from a long-known botnet, and cited McAfee for "crying wolf."

"But [we] decided not to ring any alarm bells due to its very low proliferation.... It has never been on the list of the most widespread threats," said Kaspersky. "For years now, the industry has adopted the simple and helpful rule of not crying wolf."

That implied accusation got a reaction out of McAfee.

"He's missing the point," countered Phyllis Schneck, McAfee's vice president and CTO for the antivirus company's global public sector group, in a Friday blog post of her own. "It's not the sophistication of the attack that's important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture."

Schneck argued that Shady RAT was newsworthy because of the number of targeted agencies, organizations and companies, as well as the attack's duration and the amount of data allegedly taken. "Quiet, insidious, market-changing threats like these hide in the noise of botnets, 'hacks,' and other high-profile or nuisance events," Schneck said.

She denied that the attacks came from a botnet, and accused Kaspersky of "getting botnets and advanced persistent threats confused."

But Schneck also backed McAfee away from the APT moniker -- which it used in the original report -- and instead said Shady RAT was better described by "successful persistent threat," or SPT.

"It was only as advanced as it needed to be," said Schneck, also distancing McAfee from the "sophisticated" tag it had given to Shady RAT earlier.

The back-and-forth between Kaspersky and McAfee is understandable, said John Pescatore, a Gartner analyst who covers security.

"The old days of antivirus companies like McAfee and Kaspersky seeing things real quickly because [malware] hits thousands of mailboxes, those days are over," said Pescatore. "Look at the industry. Desktop security is not doing that well, [so] they're dueling on how scary things are."

Technologies from smartphones and tablets to cloud-based computing and Apple's Mac are stealing usage share from Windows PCs, long the foundation of the antivirus industry, Pescatore pointed out.

APT is a misnomer, said Pescatore, and has come to define attacks that supposedly are launched by Chinese hackers, with the implication that they're backed by China's government.

"It's a big mistake to focus on where these attacks are coming from," said Pescatore, "The real issue is that they're targeted, aimed at one company or 10 companies or an industry."

Pescatore prefers to use the label "advanced targeted threats" when he's taking queries from Gartner clients about what they should do to protect themselves. And he puts much less emphasis on "advanced" than on "targeted."

"These attacks are only 'advanced' in the sense that they got by some defenses," he said, echoing Kaspersky's argument and McAfee's revised description of the hacker operation.

"The best examples this year were Sony and RSA," said Pescatore, talking about the hacks of the electronics giant and the security firm whose SecurID tokens are widely used in enterprises. "They were obviously targeted, but not by some super evil malware. They only succeeded because [they went up against] crappy defenses."

While traditional antivirus [vendors] may be able to spot and deflect many kinds of attacks, they're not well-equipped to handle targeted attacks. But there are technologies able to detect such attacks, if not entirely prevent them, Pescatore said, from the likes of vendors such as FireEye, not McAfee or Kaspersky.

"About every five years, we get in a phase when attacks get ahead of defenses, and we're in one now," said Pescatore.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies