McAfee made headlines this week by reporting on what some in the media are calling one of the largest series of cyber attacks ever. Yet, researchers at Symantec and Sophos say otherwise. McAfee’s Shady RAT isn’t something new, and some basic Google searches show the attackers themselves are far from sophisticated.
McAfee’s report, an outline of which is available here, names the US, India, South Korea, Canada, Taiwan, Vietnam, the United Nations, and the International Olympic Committee as victims in a massive attack campaign carried out by unknown attacker(s). In all, McAfee identified some 72 organizations hit by attacks that started in 2006.
“In 2006, the year that the logs begin, we saw only eight intrusions…In 2007, the pace of activity jumped by a whopping 260 percent to a total of 29 victim organizations. In 2008, the count went up further to 36 victims, including the United Nations and the World Anti-Doping Agency, and to 38 in 2009. Then the number of intrusions fell to 17 in 2010 and to 9 in 2011, likely due to the widespread availability of the countermeasures for the specific intrusion indicators used by this specific actor,” McAfee’s Dmitri Alperovitch wrote on the company blog.
Commenting on the report, Sophos’ Graham Cluley said there was nothing surprising about it.
“To be honest, there's nothing particularly surprising in McAfee's report to those of us who have an interest in computer security,” he said.
“For instance, we already all know that companies get targeted by hackers, who install malware to gain remote access to their computers and data. What the report doesn't make clear is precisely what information was stolen from the targeted organisations, and how many computers at each business were affected.”
Symantec, using the company’s own research sources and data from McAfee’s report, outlined the three stages the attackers used to snag their victims. The first stage is a basic method often used to target a given company: phishing.
“The emails follow the typical targeted attack modus operandi—that is, they contain some subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth. The attached file contains the details promised in the email text, as part of a social engineering ploy,” Symantec’s Hon Lau explained.
Once the email attachment is opened, various exploits are leveraged. If the system is unpatched, a Trojan is installed and the second stage starts. This next step is where things get interesting: the attackers turn an organization’s own protections against it, circumventing the IPS/IDS rules on a given network.
“This is an interesting ploy used by the attackers to hide the commands. Many firewalls are configured to allow image and HTML files to pass through HTTP traffic. Without close inspection, based on the context provided by the Trojan sample, these images and HTML files look totally legitimate,” Lau added.
The downloaded images use steganography to hide commands within the image data. When the Trojan downloads an HTML file instead, the commands it needs are embedded in the HTML source, encrypted and then base64-encoded. If the second stage succeeds, the Trojan starts the third stage by connecting to a remote system and opening a remote shell on the infected host. Once that is completed, the attacker has full control and can run commands at will.
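The HTML variant of the second stage relies on encrypted, base64-encoded commands hiding inside otherwise ordinary HTML that a firewall lets through. The following is an added detection example, not code from Symantec, McAfee or the Tech Herald: it scans HTML for long base64 runs inside comments and flags only those that decode to high-entropy bytes, which is what an encrypted command blob looks like and what a base64-encoded English note does not. The sample pages, the 40-byte length floor and the 6.0 bits/byte entropy threshold are constructed assumptions.

```python
import base64
import binascii
import math
import re

# Constructed samples: a benign page, a page with a base64-encoded plain-text
# note in a comment, and a page carrying a high-entropy blob (stand-in for an
# encrypted command payload) in a comment.
BENIGN_HTML = "<html><body><!-- nav --><p>Quarterly roster</p></body></html>"
PLAIN_B64_HTML = (
    "<html><!-- "
    + base64.b64encode(b"Please review the attached contact list and budget for Q3 " * 3).decode()
    + " --><body><p>Quarterly roster</p></body></html>"
)
SUSPECT_HTML = (
    "<html><!-- "
    + base64.b64encode(bytes(range(32, 128)) * 2).decode()  # 192 high-entropy bytes
    + " --><body><p>Quarterly roster</p></body></html>"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hidden_payloads(html: str, min_len: int = 40, min_entropy: float = 6.0) -> list:
    """Return (decoded_length, entropy) for each comment-embedded base64 run
    that decodes to at least `min_len` bytes with entropy >= `min_entropy`."""
    hits = []
    for comment in COMMENT_RE.findall(html):
        for run in B64_RE.findall(comment):
            padded = run + "=" * (-len(run) % 4)  # tolerate stripped padding
            try:
                raw = base64.b64decode(padded, validate=True)
            except binascii.Error:
                continue  # not valid base64 after all, e.g. bad length
            ent = shannon_entropy(raw)
            if len(raw) >= min_len and ent >= min_entropy:
                hits.append((len(raw), round(ent, 2)))
    return hits
```

Run over a proxy cache or mail-gateway quarantine, the entropy gate is what separates a hidden encrypted blob from legitimate base64 such as inline data URIs of readable text; tune the thresholds against your own traffic before alerting on them.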
“While this attack is indeed significant, it is one of many similar attacks taking place daily. Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets,” Lau said.
However, the data McAfee used for its report, which is also the information Symantec drew on, demonstrates just how far from advanced the attackers were. While persistent, the attackers were either careless or clueless, as they left one of the primary servers used in the attack wide open.
Simple Google searches reveal traffic logs on that server reaching as far back as March 2007 and still recording hits to this day. Based on passive examination of the logs, it can be confirmed that in May 2009 a system at the United Nations Office in Geneva visited the malicious server once, resulting in 2,969 files being transferred.
Likewise, while the UN was being attacked, the mail server from the American Soybean Association made 776 visits to the same server, resulting in 996 files being moved around. The Tech Herald is still researching the logs, and will report additional information as soon as it can be verified and organized.
“…is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them,” concluded Lau in his post.