Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
China Government Security IT Politics Your Rights Online

McAfee Disclaims Claims of Chinese Involvement in 'Shady RAT' 56

hackingbear writes "In an interview with Chinese official Xinhua news agency, McAfee said no direct evidence suggests a particular nation such as China is behind Operation Shady RAT, a five-year cyber campaign discovered by McAfee. Alperovitch told Xinhua that they 'don't have direct evidence that conclusively points to a particular nation state' behind the scheme. So the same online security industry that has propagated Chinese cyber threats in front of Western media denies they made such suggestion of China, another of their major markets." Also on the Shady RAT front, reader kermidge writes with a post from Hon Lau at Symantec containing details lacking in McAfee's Wednesday report; included are examples of the vectors and commands used, along with cogent commentary.
This discussion has been archived. No new comments can be posted.

McAfee Disclaims Claims of Chinese Involvement in 'Shady RAT'

Comments Filter:
  • "don't have direct evidence that conclusively points to a particular nation state" behind the scheme

    If all IP's point back to one country that country either is the victim of being a patsy "They must have routed all their traffic trough our unsuspecting country. We were set up! Those bastards!!" or they they did it. Do we think any country is going to admit it even if they are caught red handed? Of course not.

    • It's one of the basic problems with these attacks. There's always plausible deniability.
      • You're right, plausible deniability and all.

        As an aside, anytime I set a box in the DMZ and review access logs, the majority of IPs attempting access are from CN. Which tells me there are LOTS of pwned boxes in CN...or...they're up to something.

        I vote for the latter. Just sayin'...
      • Except that there is another report which has just been released which gives a direct link to China for [secureworks.com]. If McAfee don't have direct evidence, that means that they have released the report before they completed the work; they should have done something to identify the end point. Someone should discuss with one of the security services to put a poisoned document with an MSWord zero day which phones home when given a chance into one of their document caches and then see where it turns up.
    • by cygtoad ( 619016 )
      Red Chinese, Red Handed. Coincidence? I think not!
    • by gl4ss ( 559668 )

      well, if you were doing shit like that on a payroll and had five years for it.. you could just setup some patsy proxies back and forth and preferably with countries which don't get along with each other.. kinda hard for them then to co-operate simultaneously to expose the whole chain, even if they wanted, and the police officials in each of those countries don't know if they want to co-operate or not as they don't know if it's approved or not operation.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Saturday August 06, 2011 @11:40AM (#37008124)
      Comment removed based on user account deletion
      • The problem with your theory is this: You don't blame the US government when old Spam King pounds the living shit out of FB do you?

        The key difference here is that you know that it was the spam king because there was a public prosecution for the spamming. Show clear evidence of even an investigation by the Chinese authorities in cooperation with the companies making the reports and you would have a very clear point. China is not a country like Sudan where there is no effective government. They are fully capable of launching detailed police investigations into hacking if they wish to.

    • by slick7 ( 1703596 )

      "don't have direct evidence that conclusively points to a particular nation state" behind the scheme

      If all IP's point back to one country that country either is the victim of being a patsy "They must have routed all their traffic trough our unsuspecting country. We were set up! Those bastards!!" or they they did it. Do we think any country is going to admit it even if they are caught red handed? Of course not.

      Ooooh we might piss off our creditor.

  • Fear (Score:2, Insightful)

    by Nerdfest ( 867930 )
    Once again confirming our suspicions about why there hasn't been an uproar from companies that matches the scale of the attack.
    • Re: (Score:2, Interesting)

      by Virtucon ( 127420 )

      Some of the companies and agencies are well aware of the damage that can be done by disclosure of this. Never mind that the F35 plans have been stolen and that other intellectual property has been taken. The theft reported here and others are condoned, possibly sponsored and maybe directly involved by China. That's not a scare tactic, it's a fact. China doesn't have to have direct involvement in this matter. They can provide technology, access and foster the culture that allows this to continue. There

      • Fair trade should be fostered but not at the expense of your own country both in terms of it's economic viability but its social structure as well.

        I think that's the wrong attitude. If fair trade is fostered then that's fine. If the other country does better out of it then that's just spreading the wealth about fairly. The problem is that currently the trade is not fair. There must be equivalent or better situations in terms of environmental conditions, working conditions, and freedom. Those are reasonable things to insist on for fair trade. In the meantime, you can't insist on a set of IP laws which let the US use all of China's inventions fo

        • There must be equivalent or better situations in terms of environmental conditions, working conditions, and freedom.

          I could not agree more. I am against tariffs as a protectionist measure; however, I think that a $$$ tariff on worker's rights, environmental conditions and other such things would do a lot to stabalise the current race-to-the-bottom that has gutted the US manufacturing industry.

          So... you want to pay your workers 10c per day? Fine, we will slap a tariff on that assume they got $8 per hour.

          The only problem with such a measure, is that it would become highly political, and thus butchered so that it doe

  • by aaaaaaargh! ( 1150173 ) on Saturday August 06, 2011 @08:56AM (#37006896)

    Reading the details I really wonder why this is supposed to be a government-backed up attack. Neither the trojan nor the attack vector described by the guy from Symantec look very sophisticated to me. From a government-sponsored attack I'd at least expect some previously unknown exploits, rootkit, traffic tunneling, anti-virus product circumvention and generally more efforts to hide that there is a trojan or an outgoing connection.

    There must be something missing. So, what's so special about this particular persistent attack?

    • If they can be effective using mundane attacks and get away with it why shouldn't they? Not all attacks need to be Stuxnet-level sophisticated.
      • The more sophisticated the attack, the smaller the pool of suspects. An attack only needs to be sophisticated enough to succeed and additional complexity may cause additional problems. If an attacker achieves their goals with a unsophisticated attack, then they leave a larger pool of suspects for investigators to focus on.
    • by httptech ( 5553 )

      Hardly any of the trojans used by Chinese APT actors are sophisticated at all. All these sophisticated features you listed are fine if you're only looking to launch a single-purpose attack, like a Stuxnet. The Chinese APT actors want to maintain a long-term presence even after they are discovered on the network.

      As the sophistication of the malware rises, so does the cost/time involved, so it limits how many trojans you can deploy at once. Once your super-sophisticated trojan with rootkit, traffic tunneling,

    • by gl4ss ( 559668 )

      Reading the details I really wonder why this is supposed to be a government-backed up attack. Neither the trojan nor the attack vector described by the guy from Symantec look very sophisticated to me. From a government-sponsored attack I'd at least expect some previously unknown exploits, rootkit, traffic tunneling, anti-virus product circumvention and generally more efforts to hide that there is a trojan or an outgoing connection.

      There must be something missing. So, what's so special about this particular persistent attack?

      Obviously, you've been missing the point of government deals. case in point: security of several us governmental organizations websites, emails etc(proven last time by todays release from anon), quality of governmental contractors in general. you really think China has it any better?

  • by DaveGod ( 703167 ) on Saturday August 06, 2011 @09:05AM (#37006984)

    Alperovitch told Xinhua that they "don't have direct evidence that conclusively points to a particular nation state" behind the scheme.

    The McAfee report on Tuesday had said that the campaign was likely sponsored by a nation state because of the breadth and tenacity of the attacks and the information that was accessed.

    Not having read the original report nor the full interview transcript (neither of which seem like reliable sources), I don't see anything contradictory. Combine the quotes and it's still perfectly reasonable:

    The McAfee report says that the campaign was likely sponsored by a nation state because of the breadth and tenacity of the attacks and the information that was accessed. However, they don't have direct evidence that conclusively points to a particular nation state.

  • This is why... (Score:5, Insightful)

    by Anonymous Coward on Saturday August 06, 2011 @09:05AM (#37006988)

    You should never get your security analyses from the same people who sell security products.

    It's like asking a car dealer how expensive a car you need.

  • Since it's the "Chinese official Xinhua news agency", the readers will understand that whatever they read, the truth is actually the opposite.
    • That's exactly what I was thinking. Who says that they actually even talked with someone from McAfee, or if they did, that this is what McAfee said? If China's running a massive cyberwar and a security company calls you out for it, what else would they do but claim to have spoken with the security company and gotten a denial? This reeks of Chinese propaganda.
  • by Anonymous Coward

    Am I Under a Shady RAT attack? http://www.shadyratchecker.com/ [shadyratchecker.com]

  • Comment removed based on user account deletion
  • Anyone know what this is purported to be about?
  • Manning’s alleged chat logs diff [cablegatesearch.net]:

    (05:13:21 PM) bradass87: oh, btw... china has a massive botnet
    (05:13:31 PM) bradass87: 45+ million, grows 100,000 every two weeks
    (05:14:44 PM) bradass87: it pings eucom and pacom servers every two weeks at the same time... spread out slightly to prevent the bandwidth from being detected (it was identified at 20 million in late 2008)
    (05:15:53 PM) bradass87: 45+ million ip addresses... i figure they must have a pre-installed system on consumer electronics
    (05:20:00 PM) bradass87: are you familiar with the Byzantine problem sets?
    (05:22:15 PM) info@adrianlamo.com: nope
    (05:23:10 PM) bradass87: Byzantine is the code word for all the chinese infiltration problem sets... the ones that get .mil info... as well as penetrate google (like what became public earlier this year)
    (05:23:16 PM) bradass87: yahoo, etc
    (05:23:23 PM) bradass87: mostly .gov and .mil
    (05:23:46 PM) bradass87: there are several sub-problem sets...
    (05:24:15 PM) bradass87: Byzantine Candor, for instance
    (05:24:51 PM) bradass87: its what 95% of information warfare people work on in DoD
    (05:25:15 PM) bradass87: china can knock out any network in the world with a DDos
    (05:36:07 PM) bradass87: their gateways throughout the world are clearly identified, and are being tracked carefully

  • There was no direct evidence that Google was functioning as a pawn in US foreign policy regarding China, but that didn't stop Xinhua from alluding to the allegations (that came from their political superiors).
    http://news.xinhuanet.com/english2010/sci/2010-01/24/c_13148771.htm [xinhuanet.com]
    Maybe Xinhua isn't the best source for a neutral perspective.

  • So, what the article is really saying is that McAfee in an interview with Xinhua (a subsidiary of State-owned Assets Supervision and Administration Commission of the State Council "SASAC") denied that they thought the "Gubm't did it". Awesome.

    No news here.
  • Big Business continues to kiss the Chinese Governments butt out of fear of loosing there cheep sweatshop labor. Nothing to see here wake me up when McAfee makes a Free Tibet version of there product. or GM Signs the Dali lama as a spokes person.
  • Wow, i am sure the share holders are happy to hear that McAfee's credibility went out the window when they contradicted themselves from a previous report. Now, I can never fully trust what they say, as I see, they are either wrong...and dont know what they are doing, or are quick to contradict themselves, when the payday is big enough.

Every program is a part of some other program, and rarely fits.

Working...