
Security industry is divided over Shady Rat

Will the real severity please stand up
Thu Aug 18 2011, 12:00

SECURITY INDUSTRY heavyweight Eugene 'the Virus Pope' Kaspersky has called out McAfee over its "alarmist" Shady Rat report.

Shady Rat popped out of the sideboard earlier this month after having been chased round a virtual kitchen by McAfee's security rolling pin for five years. Its severity, which was pretty severe by McAfee's account, was taken as fact by all. Except, it seems, Kaspersky.

At the time, as it reeled from the scale and size of the attacked firms, McAfee was stunned by Shady Rat. "Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators," said Dmitri Alperovitch, VP of threat research at McAfee, as he ushered in one of the scariest reports The INQUIRER has seen since it left school.

However, under the headline, "Shady RAT: Shoddy RAT" Kaspersky has publicly doubted many of the claims made in the McAfee report and has had his doubts publicly doubted in turn by Mikko Hypponen of the rival security firm F-Secure.

"I'd like to say straight out that we do not share the concerns surrounding the intrusion described in the report, which intrusion the report claims has resulted in the theft of sensitive information of multiple governments, corporations and non-profit organizations," Kaspersky wrote.

"We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch."

The report has really ticked off Kaspersky, who peers down on it from behind a door on his blog, and he called it "alarmist", a word that we presume security experts and businesses do not take lightly but rather might take offence to.

"We consider those conclusions to be largely unfounded and not a good measure of the real threat level," Kaspersky added. "Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information."

Shady Rat, says Kaspersky, is not as scary a threat as some other well-known and equally headline-grabbing alternatives, including TDSS, Zeus, Conficker, Bredolab, Stuxnet, Sinowal and Rustock, which he said are sophisticated and "pose a much greater risk to governments, corporations and non-profit organizations than Shady RAT".

McAfee's analysis must be flawed, according to Kaspersky, because, had it been performed accurately, it would have uncovered flaws within the design of Shady Rat itself. "We found no novel techniques or patterns used in this malware," he added. "What we did find were striking shortcomings that reveal the authors' low level of programming skill and lack of basic web security knowledge."

He added that the IT industry has long been aware of the botnet, but decided to keep mum about it. He also said, in what must be considered a dig at McAfee, "For years now the industry has adopted the simple and helpful rule of not crying wolf."

The question of whether there are any nation states behind the botnet or any of its intrusions was also dispatched by Kaspersky, who said that it was unlikely in this case because of the amateurishness of the Shady Rat design.

"A good example of a cyber-attack most likely backed by a nation state is Stuxnet. Just compare the number of vulnerabilities used, special techniques, and the various assessments of the development cost," he said, while explaining that in this case the code looked "homebrew" and could have been penned by a "beginner".

"With Shady RAT we are dealing with a lame piece of homebrew code that could have been written by a beginner," he said, explaining that few "evil states" would launch targeted attacks from the same command and control server for half a decade.

This part of the analysis seems to have kicked off another debate in the security industry, this one between the Russian Kaspersky and the Finnish Mikko Hypponen of F-Secure.

"For a reason or another, Eugene doesn't seem to believe that state-sponsored espionage has gone online. Which it has," wrote Mikko as he stepped into the arena.

We'll keep our eye on this one. µ

