18 Aug 2011
Kaspersky Lab founder Eugene Kaspersky has taken to the web to have a pop at rival McAfee's recent Operation Shady RAT revelations, claiming that many of the report's conclusions are unfounded and that the firm is being deliberately alarmist.
The report detailed a large-scale and long-term hacking attack spanning 14 countries and compromising 72 organisations, including the United Nations, defence contractors and even Olympic committees, over a five-year period.
The attackers, who many believe to have links with the Chinese authorities, are said to have begun with a standard spear phishing email sent to someone with appropriate access rights in a company.
The malware is then said to have initiated a backdoor communication channel to the command-and-control web server.
"This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organisation to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for," said McAfee vice president of threat research Dmitri Alperovitch.
However, in a strongly worded blog post, Kaspersky argued that most commercially available anti-virus software can block the malware involved in the Shady RAT attacks.
He added that the hackers did not reveal any advanced or previously unknown technologies for hiding in systems undetected, nor any encryption to protect traffic between servers and infected machines or anti-virus disabling functionality, thus emphasising the low level of sophistication involved.
This also indicates that the attack was probably not state sponsored, according to Kaspersky.
"On the black market the Shady RAT malware would be valued at not much more than $200. Even if an 'evil' state were to decide to launch a targeted attack, it could buy much more sophisticated malware for just $2,000 to $3,000," he added.
"And most certainly the 'evil' state wouldn't use the same command-and-control server for five years, and then keep it operating after it was revealed in the world media that it had been exposed, allowing security researchers to conduct in-depth analysis of the botnet."
Kaspersky argued that threats such as Zeus, Conficker, Bredolab and Stuxnet all pose far greater risks to organisations than Shady RAT and, most damning of all, accused McAfee of "crying wolf".
"Regarding Shady RAT, the IT security industry did know about this botnet, but decided not to ring any alarm bells due to its very low proliferation, as confirmed by our cloud-based cyber threat monitoring system and by other security vendors. It has never been on the list of the most widespread threats," said Kaspersky.
"For years now the industry has adopted the simple and helpful rule of not crying wolf."
Kaspersky's attack is all the more astonishing given that security vendors are usually pulling in the same direction, if not necessarily always on friendly terms then certainly mindful that they're all fighting the same enemy.
Will this be the start of similar outspoken missives from the big guns in the security space? It will certainly make things a bit more interesting.