A lot of chatter and breathless reporting about Shady RAT. All the makings of an epically awesome story — the US is being taken down by Chinese interlopers to the nastiest degree, installing keyloggers and other badness on US government computers.
Whatever. Who the heck knows how bad this thing really is (and I am not the only skeptic).
But here’s what’s of concern to a lot of security researchers I deal with: It was known by McAfee (and certainly others) but no one apparently ever did anything to take the C&C down, even after knowing about it for months.
Let’s take a look at this paragraph from the hyperbolic Vanity Fair article (italics are mine):
“Alperovitch first picked up the trail of Shady rat in early 2009, when a McAfee client, a U.S. defense contractor, identified suspicious programs running on its network. Forensic investigation revealed that the defense contractor had been hit by a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer. The rat opened the door for a live intruder to get on the network, escalate user privileges, and begin exfiltrating data. After identifying the command-and-control server, located in a Western country, that operated this piece of malware, McAfee blocked its own clients from connecting to that server. Only this March, however, did Alperovitch finally discover the logs stored on the attackers’ servers. This allowed McAfee to identify the victims by name (using their Internet Protocol [I.P.] addresses) and to track the pattern of infections in detail.”
So McAfee blocked the IPs for its own customers. In March the C&C was discovered. It’s not clear if it’s still up or finally down (or if it was down by June).
I never saw one mention of this C&C on any of the closed and vetted security lists I’m on. A simple “takedown please” would have generated all the help necessary. This is how a lot of bad stuff gets handled, and the vast majority of internet users are none the wiser that there is a large group of very dedicated researchers who are making their lives safer every day. All of the data on the C&C can be put away nicely for post-takedown analysis.
I’m quite certain that McAfee wasn’t the only organization that knew about this, so it’s not only McAfee who shares the blame here. Furthermore, I am not singling out McAfee (we work with them on other areas and there are many very decent people there). Furthermore, McAfee is being clear that this issue is “old news”, and McAfee’s Dmitri Alperovitch is not acting the role of the self-aggrandizer, but rather as a researcher sharing some pretty interesting and educational insights. Furthermore, McAfee did reach out to infected victims.
However, there are many groups or organizations, upon having proof of this C&C, that would have been all over shutting the thing down as fast as possible in coordination with other security organizations.
The bigger point is this: If you, as a security researcher, discover Really Bad Stuff, you should do everything in your power to get that Really Bad Stuff shut down. The next time you see a killer presentation at Blackhat or RSA, ask, “What have you done to solve the problem?”
Perhaps we need a voluntary code of ethics for the security industry. It can start with some pretty simple things, like “If I see really bad stuff happening, I will work with others to fix it.” Enlightened self-interest and all that.
Screw NDAs, the fear of competition getting a heads-up on your research, losing a scoopable news story, etc.
This is not about McAfee. This is about the industry. There are researchers out there who aren’t in a position to share data with competitors due to corporate reasons. They shouldn’t be in that position.
Alex Eckelberry