Skip the navigation

Security firms knock heads over Shady RAT hacks

Attacks 'advanced' only in the sense they breached 'crappy defenses,' says analyst

August 22, 2011 04:19 PM ET

Computerworld - U.S. and Russian antivirus vendors took shots at each other as they quarreled over a recent report of a cyber campaign that allegedly infiltrated scores of Western governments, organizations and corporations.

The report, released earlier this month by McAfee, claimed that a half-decade-long hacker operation compromised more than 70 U.S. and foreign government agencies, defense contractors and international organizations to plant malware that in some cases hid on networks for years.

McAfee's report was picked up by numerous news outlets, and even caught the eye of Congress. On Aug. 10, Rep. Mary Bono Mack (R-Calif.), the chairman of the House subcommittee on commerce, manufacturing and trade, sent a letter (download PDF) to McAfee asking for more information on the intrusions.

McAfee dubbed the campaign "Shady RAT" and said it was an example of an "advanced persistent threat," or APT, a term that's been used widely by mainstream security companies, and in news reports, since Google claimed that Chinese hackers had breached its network.

Last Thursday, the CEO of Moscow-based Kaspersky Labs took exception to McAfee's conclusions, especially that the attacks were sophisticated enough to justify the "advanced" part of the APT label.

"We consider those conclusions to be largely unfounded and not a good measure of the real threat level," said Eugene Kaspersky, CEO and co-founder of the company that bears his name.

"We found no novel techniques or patterns used in this malware," Kaspersky continued in an entry titled "Shady RAT: Shoddy RAT" on his personal blog. "What we did find were striking shortcomings that reveal the authors' low level of programming skill and lack of basic web security knowledge."

This wasn't the first time Kaspersky's company criticized its rival. Three weeks ago, Kaspersky and other security firms questioned McAfee's claims.

Kaspersky also claimed that the Shady RAT attacks originated from a long-known botnet, and cited McAfee for "crying wolf."

"But [we] decided not to ring any alarm bells due to its very low proliferation.... It has never been on the list of the most widespread threats," said Kaspersky. "For years now, the industry has adopted the simple and helpful rule of not crying wolf."

That implied accusation got a reaction out of McAfee.

"He's missing the point," countered Phyllis Schneck, McAfee's vice president and CTO for the antivirus company's global public sector group, in a Friday blog post of her own. "It's not the sophistication of the attack that's important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture."

Schneck argued that Shady RAT was newsworthy because of the number of targeted agencies, organizations and companies, as well as the attack's duration and the amount of data allegedly taken. "Quiet, insidious, market-changing threats like these hide in the noise of botnets, 'hacks,' and other high-profile or nuisance events," Schneck said.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!