Aug 18, 2011 13:44 GMT  ·  By

Antivirus giant Kaspersky Lab claims that a recent McAfee report about a five-year-long cyber espionage operation dubbed Shady RAT intentionally blows the threat out of proportion.

In a post on his blog, Kaspersky Lab co-founder and CEO Eugene Kaspersky claims that the RAT (remote administration tool) used in the attack was actually more shoddy than shady.

"We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch [McAfee's vice president of threat research]," the infosecurity veteran writes.

The report released by McAfee at the beginning of August got a lot of attention in the media by claiming that a nation state has been stealing sensitive information from large corporations, governments and non-profit organizations for years.

According to Kaspersky, McAfee spun the report, misrepresenting information to make it appear as if it had uncovered a major cyber espionage operation.

Kaspersky Lab analysts found that many antivirus programs are capable of detecting the Shady RAT malware and most of them do so generically, without the need for special signatures.

Furthermore, they claim the threat is primitive and exhibits no novel techniques or characteristics. In fact, judging by the poor quality of the code, the creator most likely had little programming skill.

This conflicts with McAfee's assessment that the attack was backed by a nation state. "It looks overwhelmingly likely that no state is behind the Shady RAT botnet," Eugene Kaspersky says.

The report suggests that the primary target was intellectual property, but Kaspersky's researchers claim that "there is no evidence showing what sort of data has been acquired from infected computers, or if any data has been acquired at all."

Kaspersky's opinion is shared by security experts working for other vendors as well. For example, Symantec's Hon Lau wrote that "while this attack is indeed significant, it is one of many similar attacks taking place daily."

He also backed up Kaspersky Lab's findings regarding the malware. "Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case," he concluded.

Sophos' Graham Cluley echoed this by saying "To be honest, there's nothing particularly surprising in McAfee's report to those of us who have an interest in computer security."