McAfee Disclaims Claims of Chinese Involvement in 'Shady RAT'

hackingbear writes "In an interview with Chinese official Xinhua news agency, McAfee said no direct evidence suggests a particular nation such as China is behind Operation Shady RAT, a five-year cyber campaign discovered by McAfee. Alperovitch told Xinhua that they 'don't have direct evidence that conclusively points to a particular nation state' behind the scheme. So the same online security industry that has propagated Chinese cyber threats in front of Western media denies they made such suggestion of China, another of their major markets." Also on the Shady RAT front, reader kermidge writes with a post from Hon Lau at Symantec containing details lacking in McAfee's Wednesday report; included are examples of the vectors and commands used, along with cogent commentary.

Why is this supposed to be a government attack?

[aaaaaaargh!]

Reading the details I really wonder why this is supposed to be a government-backed up attack. Neither the trojan nor the attack vector described by the guy from Symantec look very sophisticated to me. From a government-sponsored attack I'd at least expect some previously unknown exploits, rootkit, traffic tunneling, anti-virus product circumvention and generally more efforts to hide that there is a trojan or an outgoing connection.

There must be something missing. So, what's so special about this particular persistent attack?

Not contradictory

[DaveGod]

Alperovitch told Xinhua that they "don't have direct evidence that conclusively points to a particular nation state" behind the scheme.

The McAfee report on Tuesday had said that the campaign was likely sponsored by a nation state because of the breadth and tenacity of the attacks and the information that was accessed.

Not having read the original report nor the full interview transcript (neither of which seem like reliable sources), I don't see anything contradictory. Combine the quotes and it's still perfectly reasonable:

The McAfee report says that the campaign was likely sponsored by a nation state because of the breadth and tenacity of the attacks and the information that was accessed. However, they don't have direct evidence that conclusively points to a particular nation state.

This is why...

You should never get your security analyses from the same people who sell security products.

It's like asking a car dealer how expensive a car you need.

Re:This is why...

[hackingbear]

In my original post, I raise the question that this is not a cyberwar but a marketing campaign aim to grab money from taxpayers around the world. Yet such important points are edited out by /.

Re:This is why...

[Frosty+Piss]

...from the same people who sell security products.

McAfee sells security products?

Re:Of Course Not

[gl4ss]

well, if you were doing shit like that on a payroll and had five years for it.. you could just setup some patsy proxies back and forth and preferably with countries which don't get along with each other.. kinda hard for them then to co-operate simultaneously to expose the whole chain, even if they wanted, and the police officials in each of those countries don't know if they want to co-operate or not as they don't know if it's approved or not operation.

Remember, FWIW, "china has a massive botnet"...

[drobety]

Manning’s alleged chat logs diff:

(05:13:21 PM) bradass87: oh, btw... china has a massive botnet
(05:13:31 PM) bradass87: 45+ million, grows 100,000 every two weeks
(05:14:44 PM) bradass87: it pings eucom and pacom servers every two weeks at the same time... spread out slightly to prevent the bandwidth from being detected (it was identified at 20 million in late 2008)
(05:15:53 PM) bradass87: 45+ million ip addresses... i figure they must have a pre-installed system on consumer electronics
(05:20:00 PM) bradass87: are you familiar with the Byzantine problem sets?
(05:22:15 PM) info@adrianlamo.com: nope
(05:23:10 PM) bradass87: Byzantine is the code word for all the chinese infiltration problem sets... the ones that get .mil info... as well as penetrate google (like what became public earlier this year)
(05:23:16 PM) bradass87: yahoo, etc
(05:23:23 PM) bradass87: mostly .gov and .mil
(05:23:46 PM) bradass87: there are several sub-problem sets...
(05:24:15 PM) bradass87: Byzantine Candor, for instance
(05:24:51 PM) bradass87: its what 95% of information warfare people work on in DoD
(05:25:15 PM) bradass87: china can knock out any network in the world with a DDos
(05:36:07 PM) bradass87: their gateways throughout the world are clearly identified, and are being tracked carefully

Re:Of Course Not

[hairyfeet]

The problem with your theory is this: You don't blame the US government when old Spam King pounds the living shit out of FB do you? The USA is #1 in spamming last I checked (Amazing, we're #1 at something? why hasn't this been outsourced already?) but I doubt seriously Obama is sitting in the White House going "Hey, ya know what? Why isn't their more herbal viagra ads and cheap webcam whores in my inbox. That just ain't right. tell the guys at the Pentagon to get on that shit."

While I wouldn't be surprised if SOME of it is the Chinese government because to quote a line from one of my favorite movies :"You know how they do this? Its because they fucking steal, they steal every idea that ain't nailed down" and this is SOP among governments. We used to pay a bounty for any pilot that would bring us the latest Soviet fighters, Israel stole the Mirage V to make Nesher after they were embargoed, and the Chinese paid dirt farmers to dig up the F117 that crashed in Kosovo so they could snatch stealth tech.

But to say it is the government doing something you need more than an IP address coming from that country, hell you need more than an IP address coming from a governmental IP block. Or did everyone forget when the plans for Marine One and several other top secret highly classified docs ended up on Kazaa because some brain trust working in Washington decided to install P2P and share the whole drive? I kinda doubt that was SOP at the Pentagon even though it would have shown up as a government IP address. I can just imagine the doc written to support P2P in the government: "If the unit lacks sufficient adult entertainment or popular entertainment (as defined by 154c-current billboard (tm) top 100) then after getting approval from an immediate superior one may install ONE and ONLY one approved P2P from the approved list after watching training film 475f-How to get teh titties and tunez, P2P and you."

Re:Of Course Not

[hairyfeet]

Not only that it is pretty common knowledge there are TWO sets of laws in China, one for when Chinese steal from outsiders, one for when Chinese steal from another Chinese. Chinese steals tech from a Brit or USA corp? Slap on the wrist. Another Chinese corp? Executed.

The reason this is because either directly or indirectly the stealing from outsiders benefits the Chinese by giving them the tech without the pesky R&D. As I said we have ALL done it. The Russians based the TU4 on B29s we had to set down there after bombing runs over Japan which they refused to give back and promptly ripped apart, The Atoll Missile was such a ripoff of the Sidewinder you could interchange parts and it would work perfectly, we had a bounty on any new Soviet planes that a defector could fly over to our side, the Israelis with Mirage, I could go on all day.

The Chinese aren't gonna give a fuck because it helps the Chinese, no different than if some USA corp figured out a way to fuck China over and at the same time give a couple of thousand US jobs? Hell they'd probably get a medal. it is just how the game is played.