Report: The missing data from Operation Shady RAT

Last week McAfee released a report focused on a Command & Control (C&C) server, which systematically attacked organizations across the globe over the last five years. At the same time, additional information that IT teams may find useful was withheld from the final draft of McAfee’s report. After examining the same C&C, here is an unedited breakdown of the logs and other observations.

McAfee’s report, “Revealed: Operation Shady RAT”, generated a ton of buzz in the press last week. It earned most of the attention due to the timing of its release, during the BlackHat Security Conference in Las Vegas, and McAfee’s excellent PR machine.

IT departments and team leaders focused on the nature of the report, which is a breakdown of a C&C server responsible for targeted attacks on “…more than 70 global companies, governments, and non-profit organizations during the last five years.” This naturally caused some concern.

However, the report only offered information that would give the most media worthy impact. McAfee denies that the report was an attempt to make sales, and you can’t blame them for releasing it during a major security event. Still, plenty of details never made it into the final report. Information that could be useful to IT teams investigating these types of attacks, in order to form response plans or develop risk management strategies.

After McAfee published their findings, Symantec offered some additional insight into the methods used by the criminals running the C&C. This was done to highlight the steps used in order to attract victims to their server. Still, while one type attack was pointed out by Symantec, there was another layer of attack left unmentioned.

Using the data from McAfee, as well as the information from Symantec, The Tech Herald was able to locate the C&C used by the criminals during Operation Shady RAT, as well as four other minor servers related to it. Over the last 5 years there have been more than 90 organizations, and thousands of individuals, lured to a single URL. This domain is operating solely for the purpose of mass infection and information theft.

The organizations named in this breakdown, some of them mentioned previously by McAfee, are likely well aware of the attacks. This, in our opinion, is due to the fact many of them were hit several years ago.

The data collected starts on April 10, 2006, the date for the first recorded event. We ended our data analysis on July 31, 2011. McAfee’s report was released this month, and other vendors and researchers are visiting the still active server. The Tech Herald has reported this server to its hosting ISP, as well as any other upstream provider we could discover. However, as of August 8, 2011, it was still actively recording traffic.

McAfee and Symantec were able to gain data from this C&C, the same way we did. The operators installed two sets of logging software on it. Webalizer as well as ModLogan are both present, and these applications track traffic as far back as April 2006. The mistake the operators made was leaving the server wide open to the public.

In addition, McAfee said they withheld the names of attacked organizations, as they didn’t have “sufficient information to accurately identify them” from the logs. With a bit of searching and research, we were able to identify not only the organizations attacked, but in some cases, the exact system compromised. While we will list the organizations in this report, we will not list the network maps or compromised system by name or IP.

Attack Methods:

As mentioned by Symantec, the criminals behind the C&C use Phishing as one of two methods to lure victims into their trap. The Phishing attack is in three stages, Symantec’s Hon Lau explained.

“The emails follow the typical targeted attack modus operandi—that is they contain some subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth.”

Once the email attachment is opened, various exploits are leveraged. If a system is unpatched, then a Trojan is installed and the second stage starts. This next step is where things get interesting. The attackers are using an organization’s own protection against them, as they circumvent IPS/IDS rules on a given network.

“This is an interesting ploy used by the attackers to hide the commands. Many firewalls are configured to allow image and HTML files to pass through HTTP traffic. Without close inspection, based on the context provided by the Trojan sample, these images and HTML files look totally legitimate,” Lau added.

The downloaded images use steganography to hide commands within an image. When the Trojan downloads an HTML file, the commands needed are within the HTML source code, encrypted, and later converted into base-64. If the second stage is a success, the Trojan will start the third step by connecting to a remote system and opening a remote shell on the infected host. Once that is completed, the attacker has full control and can run commands at will.

In our research, there was another level to the attacks. While the three stages remain the same, the criminals also used SEO, or Search Engine Optimization. The SEO aspect was just as important in these attacks, as it offered a wider net to snag victims.

Each page hosted on the C&C is malicious, but content targeted developers. There were also four other minor servers used, which would leverage SEO in order redirect victims to the C&C. Below is a small list of search terms, which led victims to the C&C itself. We discovered more than 200 of them in all.

c# recursive tutorial
using a database in c# turorial
usage statistics comtoway 2009
topmost window c
topmost window borland
set z-order topmost c
set windows application always on top cbuilder
set window topmost c style
nonclient area of the cwnd object
no repaint c builder
mscorlib.dll builder c
c builder system command return value
c builder shortcut key
c builder setwindowpos
c builder serialization
c builder mdi child
cwinapp builder c -visual
cwnd cbuilder example
cwnd borland c builder
.net passing stack unmanaged dll
how to set window z ordering c
hideapplication builder c
gdi drawing tutorial c#
programming with borland c builder

There were other searches, related to keywords based on pornography and pharmaceutical spam, which were directed from the other minor servers. However, as you can see from the list, the criminals were looking for developers and passive surfers.

When it comes to developers, while their source code would be of value, they are just another entry point into an organization. The open nature of the C&C, as well as the simple text-based content, offered an easy path for the various search engines.

Below are examples of passive indexing by search bots. The first number represents hits. The second number represents visits.

306,159     119,560     Msn live page
20,037       7,439        msnbot/2.0b
9,759         4,659       Google
4,806         816          Yahoo
3,340         795          msnbot/1.1
4,024         125          Googlebot-Image/1.0

Victim Breakdown:

McAfee offered a basic breakdown year over year in their report. However, in this section, we will include some additional information that McAfee did not. It should be noted that the total number of visits is the statistic we used to select rank. This is because a single visit can translate into an unlimited number of hits in some cases.

To simplify, hits are the number of requests made to the C&C during the recorded period. Visits are only recorded after the first request for a page on the C&C is made by the client. As long as a client is making requests (hits) during a given session before it expires, then each hit is tabulated within the same visit.

Files are the total number of hits that resulted in something being sent back to the client as it connected to the C&C. Not all hits will result in a file being delivered. This is due to browser cache or server errors, such as 404s. The KB statistics represent the total amount of data transferred between the client and the C&C during each hit within the recorded time frame.

The Tech Herald used these stats as proof that a host visited the C&C, and weighted the severity of the potential for a successful attack, based on the number of visits, the hits, and files. Most of the malicious HTML pages on the C&C range from 5k to 15k in size on average. Malicious images are slightly higher, ranging from 10k to 20k in size.

Each time a HTML page or image was loaded, the C&C would target the host with a number of exploits in an attempt to deliver Malware. If successful, the attack moves on to other stages. The following are 92 recorded entries form April 2006 to July 2011, with statistics placed in the following order: visits, hits, files, traffic.

These are the top organizations and networks with confirmed visits and traffic. Please note that telecommunications carriers are referenced because of business clients using their services.

Where possible the carrier is excluded and customer listed, when IP information, DNS information, or direct accesses, allowed for this level of connection.



As the previous page shows, there are some notable organizations on the list. Given the nature of the Malware used in the attacks, as well as the methods deployed to spread it, it’s clear the criminals are targeting information.

It’s not known, as McAfee noted, what the harvested data was used for. With targets such as the Olympic Committee’s in Japan, China, and the US, in addition to defense contractors, IT services organizations, The Associated Press, and the United Nations, there is plenty of data to be had, all of it of value in some way.

To round out the information collected from the server logs, the following data is presented. If anything, it is here to ensure that IT teams and other interested researchers have additional details to go on.

Months with the most traffic (Top 20) - 2006 to July 2011

Note: Statistics are placed in the following order: visits, hits, files, and traffic.


The traffic to the C&C dropped off significantly in 2010. The reason for this is unknown, but what traffic did come to the server was driven by many of the same companies and locations, as well as the development related searches.

Locations with the most hits (Top 20) - 2006 to July 2011:

1. Taiwan
2. Israel
3. Japan
4. Canada
5. US Government
6. Russian Federation
7. United States
8. United Kingdom
9. Poland
10. Old style Arpanet (ARPA)
11. Netherlands
12. Indonesia
13. Germany
14. China
15. Austria
16. Denmark
17. France
18. Australia
19. Ukraine
20. Finland

Top Browser Agents by total visits [Total - Agent]:

141,949 - Shopping Online
128,002 - htmp page
119,560 - Msn live page
39,357 - HELLO Microsoft
38,400 - Windows NT8.0
34,265 - DPSF
23,627 - MSIE 7.0
11,853 - Netscape 4.x
11,081 - Homier Home Page
10,089 - MSIE 6.0
7,439 - msnbot/2.0b
6,883 - Microsoft Internet Explorer 8.0
5,000 - MSDN SurfBear
4,659 - Google home
2,145 - Netscape 5.x
2,142 - Windows MSIE 8.0
1,567 - DPSF[DPFUN]
1,220 - SPSVCDLL[TT05974]

Recorded Operating System by total visit [Hits - Total - OS]:

258,492  -  33,156  -  Windows NT
2,296  -  1,000  -  Win32
23,922  -  894  -  Windows
7,049  -  275  -  Windows 98
6,002  -  157  -  Macintosh
16,559  -  125  -  Win16
2,206  -  121  -  Linux i686
529  -  56  -  Windows 95
955  -  53  -  Linux
603  -  32  -  Linux x86_64
208  -  16  -  Linux 2.4.x
175  -  10  -  FreeBSD
277  -  10  -  Mac_PowerPC
135  -  8  -  Windows XP
434  -  6  -  Windows CE
75  -  5  -  OpenBSD
88  -  5  -  Windows.NT 5.0
205  -  3  -  Windows 2000
33  -  3  -  Windows 3.1
10  -  2  -  Windows XP 5.1
8  -  1  -  FreeBSD i386
2  -  1  -  Win2000
30  -  1  -  Windows 95/98/2000/NT
22  -  1  -  Windows ME

Some of the additional data in the logs show that, at least in 2010, this server was known to both researchers and security vendors. There are several instances where IP addresses within the logs, those belonging to victimized organizations, as well as directories on the C&C were subject to search probes. Yet, despite this, the C&C continued to operate. The reason for this is unknown.

There is plenty of information in the Symantec report, as well as our own, that would allow someone reading them to locate the main C&C used in the attacks. Our advice is that you do not do this.

In the month of August alone, traffic on this C&C has spiked, which means that the criminals may gain an interest in actively using it again. We observed traffic on this server starting to climb shortly before the McAfee report was published, and again it spiked immediately after. Several instances in the logs show that the server was accessed within Microsoft Office, proving Symantec’s point, or because a search term led a client to the C&C itself.

The best mitigation to prevent attacks like the one this server helped to propagate is to ensure that an organization's systems and software are always kept up to date. The vulnerabilities targeted by this C&C are not new. They have all been patched at some point in the past.

Another way to catch attempts from similar attacks is to ensure that any endpoint protection, such as anti-Virus on a desktop, is maintained and updated. In addition, monitoring traffic logs within an organization for unknown connections to and from a domain, will allow C&Cs such as this one to standout. IPS detections aimed at known exploits and back channel communications will help, but are not foolproof.

McAfee did a great job pointing out the risks that attacks like this pose to an organization, and Symantec outlined the attack methods with solid clarity. It is our hope that the additional details we have, will offer IT teams a chance see that just because less than a few megabytes of traffic head to an unknown host, it doesn’t mean it should be ignored.

In fact, there are many cases where the same host connected to the C&C repeatedly, sending small amounts traffic each time, which eventually added up. There were over 2 million GET requests made to the C&C during its five year run, and the end result of an attack is a remote shell on the infected host. So it goes without saying really that this is a huge amount of infection attempts. Many of which were often noticed after the fact.

The McAfee report is here. Symantec’s write-up is here. If an organization has a need for the full set of data we collected for this story, email us and we would be happy to discuss it. Likewise, information regarding the C&C itself will be provided on a case by case basis.


Just for those who may need it, Seculert has a tool, which will check your organization's IP address against the C&C logs. Check it out here.

Update 2:

On Tuesday (8-9-2011), the C&C domain was finally suspended by its webhost.

Update 3:

University of Texas El Paso
4,934 - 16,519 - 16,513 - 770,041 KB

Additional information has caused us to alter the data for the University of Texas at El Paso (UTEP). The IP addresses listed in the logs were used by Cyber Share, an academic program that includes several universities across North America.

The block of IP addresses discovered in the C&C logs were assigned to TELUS Communications (AS852). We have confirmed that while UTEP participates in the Cyber Share program, the IP addresses discovered were not assigned to them. At the time the report was written, UTEP was the primary reference to Cyber Share in the information available to us.

As such, we have updated the list on page three. The new marker is below.

Cyber Share (TELUS - AS852)
4,934 - 16,519 - 16,513 - 770,041 KB

Update 4:

While researching further for this report, several companies - SMB to Mid-Enterprise range - have told us of two vendors using this report in their sales pitches. Actually, one vendor is cutting and pasting whole sections of this report into their pitch emails. While we cannot name the firms or the vendors, we can tell you this:

Each of the victims in this report were using established security products, from major vendors in the InfoSec world. No single vendor is perfect, and many of them missed both the Malware and the C&C functions leveraged by Shady RAT. This is why the C&C server lasted for as long as it did, and why it was effective; no one was able to detect and stop this type of attack. If anything, the Malware was discovered with passive detection long after it did its job.

IPS and IDS defenses are not going to help when a criminal uses a valid - trusted - file format such as .jpg or .gif, in combination with pure HTML to launch an attack. The attackers used steganography and SSI within the source code of HTML to deliver instructions to a compromised system. Each system was compromised via vulnerabilities in 3rd-party software, or via directly with SEO Poisoning or Phishing.

If you are shopping for new security solutions, such as contracted services or hardware appliances, don’t buy because of a pitch and a single report. Moreover, don’t buy because you are afraid of Shady RAT. Buy because the solution fits your organization’s needs and goals.

Like this article? Please share on Facebook and give The Tech Herald a Like too!