Eugene Kaspersky dismisses Shady RAT report and likens malware to 'a lame piece of homebrew'

News by Dan Raywood

McAfee's Shady RAT report has been dismissed by Kaspersky Lab CEO Eugene Kaspersky.

The McAfee report claimed that a number of sensitive businesses had been under sustained attack for up to five years; however, Kaspersky called it 'Shoddy RAT' and said that his company's own research into the botnet differs greatly from the report's conclusions.

He said that Kaspersky Lab research found the report to 'be largely unfounded and not a good measure of the real threat level' and accused Shady RAT of being 'alarmist due to its deliberately spreading misrepresented information'.

He said: “The report suggests the high-profile intrusions of recent months are neither sophisticated nor novel. How do these unsophisticated intrusions differ from the intrusions that were the focus of your report? Many of the so-called 'unsophisticated' intrusions that the IT security industry has discovered recently, and which have been so prominent in the news, should in fact be labelled just the opposite: 'sophisticated'.

“These sophisticated threats, such as TDSS, Zeus, Conficker, Bredolab, Stuxnet, Sinowal and Rustock, pose a much greater risk to governments, corporations and non-profit organisations than Shady RAT.

“For example, TDSS controls one of the world's largest zombie networks, made up of more than 4.5 million computers worldwide. Most security vendors did not even bother assigning a name to Shady RAT's malware family, due to it being rather primitive.”

Kaspersky also claimed that most anti-virus software was capable of preventing infection by the malware involved in Shady RAT, and that no novel techniques or patterns were used in the malware.

“What we did find were striking shortcomings that reveal the authors' low level of programming skill and lack of basic web security knowledge,” he said.

“In addition, the way the malware spread, via masses of spam messages with infected files attached, is now considered to be old hat. Most modern malware uses web attacks to get to target computers. Shady RAT also never used any advanced or previously unknown technologies for hiding itself in the system, any countermeasures against anti-viruses, or any encryption to protect the traffic between the servers and infected computers. Needless to say, these are features inherent only in sophisticated malware.”

Kaspersky likened Shady RAT to 'a lame piece of homebrew code that could have been written by a beginner' in comparison to the strength of Stuxnet, when comparing the number of vulnerabilities used, the special techniques employed and various assessments of the development cost.

He said: “On the black market the Shady RAT malware would be valued at not much more than a couple hundred dollars. Even if an 'evil' state were to decide to launch a targeted attack, it could buy much more sophisticated malware for just £1,000-£2,000. Most certainly the evil state wouldn't use the same command and control server for five years and then keep it operating after it was revealed in the world media that it had been exposed – allowing security researchers to conduct in-depth analysis of the botnet.

“We believe that this act was performed by rather novice criminals who were testing the ground, but who didn't improve their skills much at all since the date they started the botnet.”

Kaspersky concluded by dismissing claims that this is the most sophisticated attack ever, the longest attack ever, a historically unprecedented transfer of wealth, or an operation backed by a state.