McAfee Disclaims Claims of Chinese Involvement in 'Shady RAT'

hackingbear writes "In an interview with Chinese official Xinhua news agency, McAfee said no direct evidence suggests a particular nation such as China is behind Operation Shady RAT, a five-year cyber campaign discovered by McAfee. Alperovitch told Xinhua that they 'don't have direct evidence that conclusively points to a particular nation state' behind the scheme. So the same online security industry that has propagated Chinese cyber threats in front of Western media denies they made such suggestion of China, another of their major markets." Also on the Shady RAT front, reader kermidge writes with a post from Hon Lau at Symantec containing details lacking in McAfee's Wednesday report; included are examples of the vectors and commands used, along with cogent commentary.

Of Course Not

[WrongSizeGlass]

"don't have direct evidence that conclusively points to a particular nation state" behind the scheme

If all IP's point back to one country that country either is the victim of being a patsy "They must have routed all their traffic trough our unsuspecting country. We were set up! Those bastards!!" or they they did it. Do we think any country is going to admit it even if they are caught red handed? Of course not.

Re:Of Course Not

[cygtoad]

Red Chinese, Red Handed. Coincidence? I think not!

Re:Of Course Not

[gl4ss]

well, if you were doing shit like that on a payroll and had five years for it.. you could just setup some patsy proxies back and forth and preferably with countries which don't get along with each other.. kinda hard for them then to co-operate simultaneously to expose the whole chain, even if they wanted, and the police officials in each of those countries don't know if they want to co-operate or not as they don't know if it's approved or not operation.

Re:Of Course Not

[hairyfeet]

The problem with your theory is this: You don't blame the US government when old Spam King pounds the living shit out of FB do you? The USA is #1 in spamming last I checked (Amazing, we're #1 at something? why hasn't this been outsourced already?) but I doubt seriously Obama is sitting in the White House going "Hey, ya know what? Why isn't their more herbal viagra ads and cheap webcam whores in my inbox. That just ain't right. tell the guys at the Pentagon to get on that shit."

While I wouldn't be surprised if SOME of it is the Chinese government because to quote a line from one of my favorite movies :"You know how they do this? Its because they fucking steal, they steal every idea that ain't nailed down" and this is SOP among governments. We used to pay a bounty for any pilot that would bring us the latest Soviet fighters, Israel stole the Mirage V to make Nesher after they were embargoed, and the Chinese paid dirt farmers to dig up the F117 that crashed in Kosovo so they could snatch stealth tech.

But to say it is the government doing something you need more than an IP address coming from that country, hell you need more than an IP address coming from a governmental IP block. Or did everyone forget when the plans for Marine One and several other top secret highly classified docs ended up on Kazaa because some brain trust working in Washington decided to install P2P and share the whole drive? I kinda doubt that was SOP at the Pentagon even though it would have shown up as a government IP address. I can just imagine the doc written to support P2P in the government: "If the unit lacks sufficient adult entertainment or popular entertainment (as defined by 154c-current billboard (tm) top 100) then after getting approval from an immediate superior one may install ONE and ONLY one approved P2P from the approved list after watching training film 475f-How to get teh titties and tunez, P2P and you."

Re:Of Course Not

[rtfa-troll]

The problem with your theory is this: You don't blame the US government when old Spam King pounds the living shit out of FB do you?

The key difference here is that you know that it was the spam king because there was a public prosecution for the spamming. Show clear evidence of even an investigation by the Chinese authorities in cooperation with the companies making the reports and you would have a very clear point. China is not a country like Sudan where there is no effective government. They are fully capable of launching detailed police investigations into hacking if they wish to.

Re:Of Course Not

[SuricouRaven]

Wouldn't prove anything. China could easily just find some script kiddie and blame it on him. Expendable civilian.

Re:Of Course Not

[hairyfeet]

Not only that it is pretty common knowledge there are TWO sets of laws in China, one for when Chinese steal from outsiders, one for when Chinese steal from another Chinese. Chinese steals tech from a Brit or USA corp? Slap on the wrist. Another Chinese corp? Executed.

The reason this is because either directly or indirectly the stealing from outsiders benefits the Chinese by giving them the tech without the pesky R&D. As I said we have ALL done it. The Russians based the TU4 on B29s we had to set down there after bombing runs over Japan which they refused to give back and promptly ripped apart, The Atoll Missile was such a ripoff of the Sidewinder you could interchange parts and it would work perfectly, we had a bounty on any new Soviet planes that a defector could fly over to our side, the Israelis with Mirage, I could go on all day.

The Chinese aren't gonna give a fuck because it helps the Chinese, no different than if some USA corp figured out a way to fuck China over and at the same time give a couple of thousand US jobs? Hell they'd probably get a medal. it is just how the game is played.

Re:Of Course Not

[slick7]

"don't have direct evidence that conclusively points to a particular nation state" behind the scheme

If all IP's point back to one country that country either is the victim of being a patsy "They must have routed all their traffic trough our unsuspecting country. We were set up! Those bastards!!" or they they did it. Do we think any country is going to admit it even if they are caught red handed? Of course not.

Ooooh we might piss off our creditor.

Re:Of Course Not

Actually, you're completely wrong.

China is the ultimate in capitalism.
The Chinese don't care who they steal from (stealing is such a harsh word though, heavily inspired maybe?), so there is no real distinction of foreign or local. I'm afraid you've been watching too much biased news reportage.

Fear

[Nerdfest]

Once again confirming our suspicions about why there hasn't been an uproar from companies that matches the scale of the attack.

Re:Fear

[Virtucon]

Some of the companies and agencies are well aware of the damage that can be done by disclosure of this. Never mind that the F35 plans have been stolen and that other intellectual property has been taken. The theft reported here and others are condoned, possibly sponsored and maybe directly involved by China. That's not a scare tactic, it's a fact. China doesn't have to have direct involvement in this matter. They can provide technology, access and foster the culture that allows this to continue. There are Chinese Universities that constantly show up on my Internet facing servers trying to probe known vulnerabilities with Apache, IIS etc. Just kids poking around? Maybe but it's still malicious intent. The sad part about these thefts is that it doesn't take a lot to protect an organization from these kinds of attacks and I am absolutely angry at our government for not doing more to protect our interests here, blocking traffic is a start but there's others. Routine vulnerability assessments and other things go along with it.

There's a reason Firewalls exist and I think that companies who don't routinely look at the logs on their Firewalls, VPN servers and Web Servers are not only exposing themselves to undue risk but are not doing their due diligence to their share holders. I'm also puzzled why the US government hasn't asked many ISPs to start blocking address ranges originating from China. If that were to start happening I think the Chinese government would take these illegal activities more seriously, at least publicly.

Now, I'm not a China basher but this country has a vast stake in taking things from us to their benefit. 30 years ago, China was not even on the Radar economically but look at it now and most of that growth has been at the expense of one nation, the

We have allowed US Companies to ship, wholesale, key technologies to China that have allowed them to take about every good paying job in this nation and we wonder why we can't pay our bills in congress? It takes tax revenues to pay for bombers, wars and social programs and if 9 to 10% of your population is unemployed you won't be getting that much tax revenue. In fact, you'll be spending more on Social benefits to keep those folks from starving. Apple for example wants protecting for its products under US law but how many are employed at Foxconn making Apple products? Strange how a company with over $72B in cash doesn't start hiring people in the US a bit more. It's not just Apple, it's Microsoft, Cisco, GE and other companies looking for that really cheap labor to build and design their products. Yes, Globalization is the root cause but you can't ignore the fact that this country has lost manufacturing jobs in droves and where do they go? China and India. Fair trade should be fostered but not at the expense of your own country both in terms of it's economic viability but its social structure as well.

Re:Fear

Reality

Re:Fear

[rtfa-troll]

Fair trade should be fostered but not at the expense of your own country both in terms of it's economic viability but its social structure as well.

I think that's the wrong attitude. If fair trade is fostered then that's fine. If the other country does better out of it then that's just spreading the wealth about fairly. The problem is that currently the trade is not fair. There must be equivalent or better situations in terms of environmental conditions, working conditions, and freedom. Those are reasonable things to insist on for fair trade. In the meantime, you can't insist on a set of IP laws which let the US use all of China's inventions for free (gunpowder, toilet paper, the seismometer, the restaurant menu etc.) whilst demanding that the Chinese pay for the use of US inventions (bits of people's DNA, the particularly strange layout of the FAT file system and how to work around it's limitations, Microsoft Windows, Winnie the Pooh (that was American, wasn't it) etc.).

Re:Fear

[microbox]

There must be equivalent or better situations in terms of environmental conditions, working conditions, and freedom.

I could not agree more. I am against tariffs as a protectionist measure; however, I think that a $$$ tariff on worker's rights, environmental conditions and other such things would do a lot to stabalise the current race-to-the-bottom that has gutted the US manufacturing industry.

So... you want to pay your workers 10c per day? Fine, we will slap a tariff on that assume they got $8 per hour.

The only problem with such a measure, is that it would become highly political, and thus butchered so that it does not work.

Why is this supposed to be a government attack?

[aaaaaaargh!]

Reading the details I really wonder why this is supposed to be a government-backed up attack. Neither the trojan nor the attack vector described by the guy from Symantec look very sophisticated to me. From a government-sponsored attack I'd at least expect some previously unknown exploits, rootkit, traffic tunneling, anti-virus product circumvention and generally more efforts to hide that there is a trojan or an outgoing connection.

There must be something missing. So, what's so special about this particular persistent attack?

Re:Why is this supposed to be a government attack?

So, what's so special about this particular persistent attack?

It's part of the rollout of Red Scare v3.0

Re:Why is this supposed to be a government attack?

[httptech]

Hardly any of the trojans used by Chinese APT actors are sophisticated at all. All these sophisticated features you listed are fine if you're only looking to launch a single-purpose attack, like a Stuxnet. The Chinese APT actors want to maintain a long-term presence even after they are discovered on the network.

As the sophistication of the malware rises, so does the cost/time involved, so it limits how many trojans you can deploy at once. Once your super-sophisticated trojan with rootkit, traffic tunneling, AV circumvention, strong encryption, disk and network stealth features gets discovered, your capability to maintain a long-term presence ends and you have to develop another one from scratch. There are only so many programmers working at this skill level, you don't find them every day.

The Chinese APT actors' answer to the problem is simply to throw a ton of different entry-level programmers at the problem. Each one basically uses the same feature requirements list and comes up with a completely different malware codebase, each one by default undetected by AV since it is brand new. Then each actor group goes after their targets using a set of those malware families. If one is discovered, that's OK, because nine more are probably still live on the victim network.

Re:Why is this supposed to be a government attack?

full-disclosure/disclaimer: this is a subject i worked on for a couple of years for a .gov. Everything I say here makes people unhappy, but it's not illegal and does not constitute my disclosure of classified information. If you send the FBI back to my house, I will tell them to pound sand again-- OUO is not a legal protection.

What you're not entirely getting is that this isn't meant to be a super-stealth operation, someone described it as a digital smash and grab, which is pretty astute. They don't care if you know they broke into 100 machines yesterday, they got the data they wanted before you figured it out/cleaned it up, and tomorrow there will be another few thousand emails yielding more compromised machines, rewind, repeat.

In 2006, there was a long-string of office 0days deployed, they're what this trojan was actually packaged in, and mcaffee is wrong in that it's quite a bit older than they realize. They actually have specific signatures for older variants of the same program (not their generic trojan detectors). This HTML based version was a response to increased inspection of outbound SSL traffic and ensuring it actually conformed to SSL, and was sorta a 2nd generation tool in that respect; prior generations ended up known as trojan.zlb which was rediscovered as backdoor.recivird and so on. Techniques are repeated at new agencies, so say you broke into agency X and over a year you started out using ZLB or whatever and then you move onto the samples from TFA as ZLB gets blocked. Now say X years later you break into agency Y-- they restart with variants of ZLB and progress along the same timeline until something makes them modify it, this is how you end up with ZLB discovered in 2006/7 and recivird in 2009.

Prior to the 2005/6 0day festival, my experience had been that all exploits used were unpatched but publicly disclosed vulnerabilities, however when we countered that and thought we won, that's when they unleashed a myriad of 0days on us-- trust me, the article just skipped over the fact that they were indeed finding their own vulnerabilities.

So to directly answer your question-- what makes it special is simply the tenacity, it never ends, it comes in these huge waves that absolutely overwhelm your incident response. They burn out, quit, get new jobs and tomorrow there will be another round of emails sent.

Pop quiz: remember this? http://slashdot.org/story/06/06/10/1749258/Nuclear-Agency-Worker-Information-Hacked I can't finish this thought, because that will make people unhappy, fill in the blanks.

Re:Why is this supposed to be a government attack?

spot-on, although saying 'chinese apt' defeats the purpose of using the term 'apt' ;]

They're focused on a long-term evolutionarily stable attack sequence; the bold part is key.

Re:Why is this supposed to be a government attack?

[gl4ss]

Reading the details I really wonder why this is supposed to be a government-backed up attack. Neither the trojan nor the attack vector described by the guy from Symantec look very sophisticated to me. From a government-sponsored attack I'd at least expect some previously unknown exploits, rootkit, traffic tunneling, anti-virus product circumvention and generally more efforts to hide that there is a trojan or an outgoing connection.

There must be something missing. So, what's so special about this particular persistent attack?

Obviously, you've been missing the point of government deals. case in point: security of several us governmental organizations websites, emails etc(proven last time by todays release from anon), quality of governmental contractors in general. you really think China has it any better?

Oh my God

The Chinese must have gotten to McAfee as well.

Not contradictory

[DaveGod]

Alperovitch told Xinhua that they "don't have direct evidence that conclusively points to a particular nation state" behind the scheme.

The McAfee report on Tuesday had said that the campaign was likely sponsored by a nation state because of the breadth and tenacity of the attacks and the information that was accessed.

Not having read the original report nor the full interview transcript (neither of which seem like reliable sources), I don't see anything contradictory. Combine the quotes and it's still perfectly reasonable:

The McAfee report says that the campaign was likely sponsored by a nation state because of the breadth and tenacity of the attacks and the information that was accessed. However, they don't have direct evidence that conclusively points to a particular nation state.

This is why...

You should never get your security analyses from the same people who sell security products.

It's like asking a car dealer how expensive a car you need.

Re:This is why...

Mcafee: Setting fire to the stables, after the horse has bolted.

Re:This is why...

[hackingbear]

In my original post, I raise the question that this is not a cyberwar but a marketing campaign aim to grab money from taxpayers around the world. Yet such important points are edited out by /.

Re:This is why...

[Frosty+Piss]

...from the same people who sell security products.

McAfee sells security products?

Re:This is why...

I still wonder why the rise of computer viruses also came about when mcafee started to grow.

So many generic do nothing unique viruses. And mcafee pounding the drum to upgrade as they moved from a free/shareware service to a paid program.
Convienent.

plausible deniability

[lseltzer]

It's one of the basic problems with these attacks. There's always plausible deniability.

Re:plausible deniability

[torgosan]

You're right, plausible deniability and all.

As an aside, anytime I set a box in the DMZ and review access logs, the majority of IPs attempting access are from CN. Which tells me there are LOTS of pwned boxes in CN...or...they're up to something.

I vote for the latter. Just sayin'...

Re:plausible deniability

[rtfa-troll]

Except that there is another report which has just been released which gives a direct link to China for . If McAfee don't have direct evidence, that means that they have released the report before they completed the work; they should have done something to identify the end point. Someone should discuss with one of the security services to put a poisoned document with an MSWord zero day which phones home when given a chance into one of their document caches and then see where it turns up.

Re:plausible deniability

There ARE lots of pwned boxes in .CN. People are still running XP SP1/2 there with no security updates because of the 80% pirated windows rate means 80% can't pull down patches, casual users are stuck with whatever was on the install media and they aren't informed enough to crack WGA.

Re:plausible deniability

Two websites will help you determine this

www.flagcounter.com which gives you a nation based visitor counter and any proxy server list like hidemyass.com

Re:plausible deniability

[lseltzer]

Old wive's tale. Pirated Windows users can download service packs and critical updates.

Re:plausible deniability

Which tells me there are LOTS of pwned boxes in CN...or...they're up to something.

Or that their law enforcement doesn't have the resources or know-how, or just don't give a shit about some foreign law enforcement agency.

Seriously, it's hard enough getting any kind of hacking investigated when you're a US business being hacked by someone IN the US itself. Why would anyone expect China to be any different, or care any more?
I mean, things are getting a little better, but all through the 90's and even the early 00's if you reported hacking to the FBI they'd laugh at you.

It certainly could be

[lseltzer]

If they can be effective using mundane attacks and get away with it why shouldn't they? Not all attacks need to be Stuxnet-level sophisticated.

Re:It certainly could be

this!

hey larry, you should really look into this more, Mcaffee missed a lot of details and has the timeline wrong, it's older and bigger than they think. They just rediscovered part of ghost-net, which is part of titan rain, which is part of whatever term they use now-- probably APT because of the volume of unclassified people handling stuff.

hypothetically speaking, years ago i heard someone sent krebs a bunch of related documents, however im told he was not terribly interested because they were from around 2005 or 2006 and like 2-3 years old at the time. I hope they realize that even if you're talking about malware $they first deployed in say 2001/2002 that there's a good chance a variant of it is still in use in 2011.
 

Re:It certainly could be

[lseltzer]

I know others have found more, but McAfee were very clear that there could have been more, but they were only reporting what was in the logs they found. Anyway the point stands that you don't need especially sophisticated stuff to achieve success, especially once you have a beachhead inside the organization.

Re:It certainly could be

[LeperPuppet]

The more sophisticated the attack, the smaller the pool of suspects. An attack only needs to be sophisticated enough to succeed and additional complexity may cause additional problems. If an attacker achieves their goals with a unsophisticated attack, then they leave a larger pool of suspects for investigators to focus on.

It's the "Chinese official Xinhua news agency"

[drobety]

Since it's the "Chinese official Xinhua news agency", the readers will understand that whatever they read, the truth is actually the opposite.

Re:It's the "Chinese official Xinhua news agency"

[millennial]

That's exactly what I was thinking. Who says that they actually even talked with someone from McAfee, or if they did, that this is what McAfee said? If China's running a massive cyberwar and a security company calls you out for it, what else would they do but claim to have spoken with the security company and gotten a denial? This reeks of Chinese propaganda.

Buy it now

Buy your copy of McAfee, certified by the venerable government of China, now!

Shady RAT Checker

Am I Under a Shady RAT attack? http://www.shadyratchecker.com/

because in

[nimbius]

the global realm of capitalism, sticking your dick in the eye of the second largest
economy in the world is still considered poor enough form. Besides, one would conject
the source of an attack is not Mcaffee's priority, rather its vector, mitigation, methods and
ostensibly its impact.

nations, now they do a bang-up job of figuring out what enemy-du-jour of the state has perpetrated
the heinous act of knowing more about computers than they do.

"industry"? "propagated"?

the same online security industry that has propogated Chinese cyber threats

I don't think that word means what you think it means. or that other word.

More info on "Shady Rat"

[Deliveranc3]

Anyone know what this is purported to be about?

Re:More info on "Shady Rat"

shady rat is aurora renamed. aurora is ghostnet renamed. ghostnet is titan name renamed. If you wait, someone else will discover it and name it again. https://www-secure.symantec.com/connect/blogs/truth-behind-shady-rat has some technical details; from that you can look around and find older samples that were submitted to AV companies years ago.

Re:More info on "Shady Rat"

Yes, it's the new Chinese decade which started 5 years ago. There are 5 more years before the decade of the Shady OX. It doesn't have quite the same ring to it, but maybe Steve Jobs can help with the PR. Perhaps the decade of the Shady Os X?

Remember, FWIW, "china has a massive botnet"...

[drobety]

Manning’s alleged chat logs diff:

(05:13:21 PM) bradass87: oh, btw... china has a massive botnet
(05:13:31 PM) bradass87: 45+ million, grows 100,000 every two weeks
(05:14:44 PM) bradass87: it pings eucom and pacom servers every two weeks at the same time... spread out slightly to prevent the bandwidth from being detected (it was identified at 20 million in late 2008)
(05:15:53 PM) bradass87: 45+ million ip addresses... i figure they must have a pre-installed system on consumer electronics
(05:20:00 PM) bradass87: are you familiar with the Byzantine problem sets?
(05:22:15 PM) info@adrianlamo.com: nope
(05:23:10 PM) bradass87: Byzantine is the code word for all the chinese infiltration problem sets... the ones that get .mil info... as well as penetrate google (like what became public earlier this year)
(05:23:16 PM) bradass87: yahoo, etc
(05:23:23 PM) bradass87: mostly .gov and .mil
(05:23:46 PM) bradass87: there are several sub-problem sets...
(05:24:15 PM) bradass87: Byzantine Candor, for instance
(05:24:51 PM) bradass87: its what 95% of information warfare people work on in DoD
(05:25:15 PM) bradass87: china can knock out any network in the world with a DDos
(05:36:07 PM) bradass87: their gateways throughout the world are clearly identified, and are being tracked carefully

Sony rootkit goes undetected by these people..yet

same industry that allowed the SONY rootkit to go undetected even though they knew of it and the only av to catch it ...well he sold out now too.
OH NO your at there mercy now..../me runs around screaming in circles "the worlds at an end ahhhhhhh"....

"No direct evidence" HA

[poity]

There was no direct evidence that Google was functioning as a pawn in US foreign policy regarding China, but that didn't stop Xinhua from alluding to the allegations (that came from their political superiors).
http://news.xinhuanet.com/english2010/sci/2010-01/24/c_13148771.htm
Maybe Xinhua isn't the best source for a neutral perspective.

So...

[daath93]

So, what the article is really saying is that McAfee in an interview with Xinhua (a subsidiary of State-owned Assets Supervision and Administration Commission of the State Council "SASAC") denied that they thought the "Gubm't did it". Awesome.

No news here.

Kiss it some more to keep it Walmart cheep.

[Dusanyu]

Big Business continues to kiss the Chinese Governments butt out of fear of loosing there cheep sweatshop labor. Nothing to see here wake me up when McAfee makes a Free Tibet version of there product. or GM Signs the Dali lama as a spokes person.

Mr. President...

I'm beginning to smell a big fat commie rat!

how to lower your stock price in a day

[hesaigo999ca]

Wow, i am sure the share holders are happy to hear that McAfee's credibility went out the window when they contradicted themselves from a previous report. Now, I can never fully trust what they say, as I see, they are either wrong...and dont know what they are doing, or are quick to contradict themselves, when the payday is big enough.