Kaspersky Lab's Alex Gostev Comments on McAfee's Shady RAT Report
Submitted by Alyssa.ames on Thu, 08/04/2011 - 15:46
By: Kaspersky Américas on 04/08/2011
Citing the lack of evidence and specific data, Alex Gostev, Chief Security Expert, Kaspersky Lab, calls McAfee's claim that this is the biggest cyber attack in history premature and based only on assumptions.
Alex’s commentary below summarizes these points and specifically explains what he sees as faulty and missing from the report.
LAB STATEMENT (attributable to Alex Gostev, Chief Security Expert, Kaspersky Lab)
The information presented by McAfee's specialists would be more convincing if it answered a number of vital questions. The report only tells us that the company's experts discovered access logs of connections with a certain web server, which at some point had been used by hackers. In their turn these logs indicate that interaction between this server and computers of large organizations was snooped on.
Based only on this information, McAfee makes two interesting assumptions: first – that a series of attacks has taken place; second – that valuable data has been stolen. However, the report contains nothing on what particular data has been stolen or how many computers in each organization were hit by the attacks. The names of the malicious programs listed in the document that are in some way related to the server in question are too general: it cannot be established exactly which Trojans have been used. And as far as we are aware, McAfee has not provided samples of the Trojans to other antivirus companies, as normally occurs in the industry in situations like these.
The document contains no information about who is responsible for the attack. Talk in the media about China probably being behind the attacks is all based on the opinion of a third-party expert who was briefed by McAfee. For our part we would point out that the Internet is connected to a great many servers of this type, they are used by cybercriminals, and several of them have indeed been functioning for years. However, a situation in which a complicated and large-scale corporate espionage operation is alleged to have been undertaken for years but whose sophisticated organizers do not clean up their server access logs after themselves - this is something that can certainly be described as unusual.
Over the last several years cyberspace has changed remarkably - and only for the worse. The number of attacks, including those using malware, has risen almost ten-fold. Cybercrime these days is not only made up of traditional attacks on users; increasingly frequently it is taking the form of attacks on large corporations and financial and governmental institutions. And just how vulnerable large corporations are has recently been demonstrated by the Anonymous and LulzSec groups. Incidents involving infected corporations and state institutions now occur all the time. And with every such infection, affected computers of course connect with this or that Internet resource. To deem every such connection part of a planned attack and resultant data loss represents too superficial and unrealistic a standpoint on the issue.
Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyberattack in history is premature. Until then, we will consider it an original way of approaching the start of the annual Black Hat conference in Las Vegas (news of the report appeared hours before the opening), which is one of the most important events of the year in the world of IT security.