ShadyRAT - how FUD helps sell poor analysis

None of this is meant to refute the charge that the McAfee report was more about marketing than about releasing information. McAfee provided few details about the attack, saying only that it was large and hinting at who the targets were. There have been documented cases of state-sponsored hacking out of China for more than a decade, targeting every conceivable type of commercial and government organization. When you get down to it, McAfee seems to have drawn its data from a single server used in one such collection effort, and there are likely dozens, if not hundreds, of such servers. Far more information about this sort of thing came out in 2009, when the US-China Economic and Security Review Commission released a Northrop Grumman-prepared report called “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation”. That paper is far more informative than anything any security company has been willing to disclose.

Which brings me to one of the most shameful aspects of the back and forth over Shady RAT. Symantec, in criticizing the McAfee report, provided basic details about how the attacks were carried out and some information about how to filter them out. Symantec’s point, again, seems to be that all of this is old news. But the question for me is why it didn’t provide this information sooner. Why pull it out only after waiting for an opportunity to make the competition look bad?

This is the root of the problem with how security vendors are dealing with the chronic issue of APT. They treat their customers’ misery as their own intellectual property. Companies that investigate APT-related attacks rarely share their findings. They don’t exchange information about the latest malware obfuscation techniques, the best methods for identifying compromised systems, the newest malware signatures, and so on. Instead, they keep most of it to themselves and treat it as a competitive advantage. What sharing there is falls far short of what would be required to build a robust response capability.