Shady Rat

   On Tuesday (Aug. 2, 2011) the security firm McAfee released a report on "Operation Shady Rat".  McAfee describes an operation that has been ongoing since 2006 and has compromised 72 U.S. and foreign government agencies, defense contractors and international organizations (such as the U.N., the U.S. International Trade Organization and the World Anti-Doping Agency; most of the victims were not named by McAfee).  McAfee says that it was "surprised by the enormous diversity of the victim organizations".  The general news media has seized on the event and called it an "unprecedented" attack of epic proportions.  Yet as more information is gleaned, it appears that Shady Rat may not have been all that uncommon.

   What's missing in the McAfee report is any hard data on what may have been stolen, which organizations were the victims, and how many computers were involved.  Without that data, the claim that this was one of the "most sophisticated attacks in history" may be overblown.

   What is known is how the attacks occurred, and they follow a very familiar pattern.  Using targeted (spear) phishing attacks {Chapter 14 Security+ 3ed}, the victims received an e-mail that claimed to contain a contact list, important budget data, or similar information in an attached Microsoft Word, Excel, PowerPoint, or PDF document.  When the user opened the document on a computer that was missing important patches, a Trojan {Chapter 2 Security+ 3ed} was launched that then communicated back to the bot herder.  What's interesting is that some of the links to the bot herder were to images (GIF, JPG) that contained hidden commands using steganography {Chapter 11 Security+ 3ed}.  The commands sent back to the now-infected zombie computer contained an IP address and port that the zombie used to connect to a command-and-control server, and the zombie then regularly checked back with the bot herder for its instructions.  The attackers also installed Web traffic analysis tools on their command-and-control server to monitor their zombies, yet failed to secure that data, so it could be viewed by others, including the researchers.  
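   To make the steganography step concrete, here is an added example (not code from the McAfee report or from the Shady Rat malware) that hides a "host:port" command-and-control string in the low-order bits of image pixel data and then recovers and parses it the way an infected host would.  The two-byte "C2" marker, the big-endian length field, the host:port text format and the constructed pixel buffer are all assumptions made for this demo, not the attackers' actual format.

```python
# Added example (not from the McAfee report or the Shady Rat malware):
# hides a command-and-control "host:port" string in the low-order bits of
# image pixel data (LSB steganography) and recovers it the way an infected
# host would. The 2-byte "C2" marker, the big-endian length field and the
# host:port text format are assumptions made for this demo, not the real
# format used by the attackers.
import struct
from typing import Optional, Tuple

MAGIC = b"C2"  # assumed marker so the decoder can tell a carrier from a clean image


def embed(pixels: bytes, message: bytes) -> bytes:
    """Write MAGIC + 2-byte length + message into the LSB of each pixel byte."""
    payload = MAGIC + struct.pack(">H", len(message)) + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):          # MSB first
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read_lsb(pixels: bytes, byte_offset: int, nbytes: int) -> bytes:
    """Reassemble nbytes payload bytes from the LSBs, starting at payload byte byte_offset."""
    out = bytearray()
    for b in range(byte_offset, byte_offset + nbytes):
        val = 0
        for k in range(8):
            val = (val << 1) | (pixels[b * 8 + k] & 1)
        out.append(val)
    return bytes(out)


def extract(pixels: bytes) -> Optional[bytes]:
    """Return the hidden message, or None if the marker is absent or the length is bogus."""
    if len(pixels) < 4 * 8:
        return None
    header = _read_lsb(pixels, 0, 4)
    if header[:2] != MAGIC:
        return None
    (length,) = struct.unpack(">H", header[2:])
    if (4 + length) * 8 > len(pixels):
        return None                              # truncated or forged length field
    return _read_lsb(pixels, 4, length)


def parse_c2(message: bytes) -> Tuple[str, int]:
    """Split 'host:port' and validate the port before anything connects to it."""
    host, _, port_text = message.decode("ascii").rpartition(":")
    port = int(port_text)
    if not host or not 1 <= port <= 65535:
        raise ValueError("malformed C2 address")
    return host, port


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between cover and carrier (LSB embedding gives at most 1)."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo():
    # Constructed stand-in for raw 8-bit pixel data; a real image would come from a decoder.
    cover = bytes((x * 7 + 13) % 256 for x in range(4096))
    c2 = b"203.0.113.5:443"                      # documentation-range address, constructed
    carrier = embed(cover, c2)
    recovered = extract(carrier)
    return {
        "c2": parse_c2(recovered),
        "max_delta": max_pixel_delta(cover, carrier),
        "clean_image_yields": extract(cover),
        "plaintext_visible": c2 in carrier,
    }


if __name__ == "__main__":
    print(demo())
```

   Two things the demo shows that the paragraph alone does not: the carrier differs from the original image by at most one unit per byte, so it still renders as an ordinary picture, and the address never appears as a contiguous string in the file, so a byte-signature scan for the C2 address finds nothing.  That is why detection has to key on the behavior (an Office or PDF process spawning something that fetches images and then opens outbound connections) rather than on the content of the images.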

   Because the malware used was common and unsophisticated, the command-and-control server was left unprotected, and there is no clear pattern to the victims, the security firm Symantec concludes that "While this attack is indeed significant, it is one of many similar attacks taking place daily."  Other security researchers are echoing similar sentiments.

   Although there are a variety of defenses that can mitigate these attacks--keep your antivirus software up to date, use an intrusion prevention system (IPS) {Chapter 5 Security+ 3ed}, and install the latest patches on your system (the Trojan only ran on computers that were missing them)--the most obvious defense again falls squarely in the lap of the user: don't fall for social engineering tricks by opening unexpected e-mail attachments.

   Stay secure!