Kaspersky’s War On Crowdstrike Evangelist Dmitri Alperovitch

[I have discovered the following 2011 analysis by Eugene Kaspersky on the quality of the analysis work by Dmitri Alperovitch, the genius behind CROWDSTRIKE (former analyst for McAfee).  (SEE BELOW) It is totally negative.  Following that report is another Western media song of praise for the work of Crowdstrike…, for some reason, it can only be found in cache.  Between the two points of view, can we begin to understand what just happened w/Kaspersky’s man Ruslan Stoyanov?–(SEE: Head Of Investigations At Russia’s Biggest Cybersecurity Firm Arrested For Treason).]

kasperskys-blog

 

August 18, 2011

Shady RAT: Shoddy RAT.

Last week, Congresswoman Mary Bono Mack (CA-45), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, sent a letter to Dmitri Alperovitch, Vice President of Threat Research at McAfee, requesting further information on his recently published report “Revealed: Operation Shady RAT.”

First of all I’d like to say straight out that we do not share the concerns surrounding the intrusion described in the report, which intrusion the report claims has resulted in the theft of sensitive information of multiple governments, corporations and non-profit organizations.

We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch.

We consider those conclusions to be largely unfounded and not a good measure of the real threat level. Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information.

I’d like to give my own answers to the key questions posed in the letter, to firmly establish the assessment of the situation by Kaspersky Lab as global security researchers – not only for the US, but for all nations concerned with cybercrime and advanced threats.

The report suggests the high-profile intrusions of recent months are neither sophisticated nor novel. How do these unsophisticated intrusions differ from the intrusions that were the focus of your report?

Many of the so-called “unsophisticated” intrusions that the IT security industry has discovered recently and which have been so prominent in the news should in fact be labeled just the opposite: “sophisticated”.

These sophisticated threats – such as TDSS, Zeus, Conficker, Bredolab, Stuxnet, Sinowal and Rustock – pose a much greater risk to governments, corporations and non-profit organizations than Shady RAT.

For example, TDSS controls one of the world’s largest zombie networks, made up of more than 4.5 million computers worldwide. It contains extremely sophisticated techniques and implements a whole range of risky payloads that can lead to the theft of sensitive information and even funds in bank accounts, to spam distribution, DDoS attacks and much more.

On the other hand, most security vendors did not even bother assigning a name to Shady RAT’s malware family, due to its being rather primitive.

Are such intrusions something the government and private sector can effectively prevent or mitigate on a continuing basis?

Most commercially-available anti-virus software is capable of preventing infection by the malware involved in Operation Shady RAT; most doesn’t require a special update to do so either, capable of detecting the malware generically.

Did the logs analyzed by McAfee reveal novel techniques or patterns that would be helpful in our efforts to combat cybercrime?

We are fairly sure that the logs that McAfee analyzed did not differ from the logs all the other security vendors analyzed.

Here are our findings: unlike malware from the abovementioned sophisticated samples, we found no novel techniques or patterns used in this malware. What we did find were striking shortcomings that reveal the authors’ low level of programming skill and lack of basic web security knowledge.

In addition, the way the malware spread – via masses of spam messages with infected files attached – is now considered to be old hat; most modern malware uses web attacks to get to target computers. Shady RAT also never used any advanced or previously unknown technologies for hiding itself in the system, any countermeasures against anti-viruses, or any encryption to protect the traffic between the servers and infected computers. Needless to say, these are features inherent only in sophisticated malware.

What is the greater target: intellectual property and national security information, or consumer information that can be used to perpetrate identity theft?

There is no evidence showing what sort of data has been acquired from infected computers, or if any data has been acquired at all.

We can only understand what data (if any) has been stolen by conducting an in-depth investigation within an affected organization to examine the actual access rights of the infected computers.

The report suggests that the more insidious intrusions are more likely to occur without public disclosure. Would more public disclosure help or harm industry efforts to fight this type of cybercrime?

Some of the more insidious intrusions take place without the general public becoming aware of them. What’s more, they can go undetected for some time before being discovered by the IT security industry, and this is likely to continue due to the nature of the architecture of modern software and the Internet.

However, regarding Shady RAT, the IT security industry did know about this botnet, but decided not to ring any alarm bells due to its very low proliferation – as confirmed by our cloud-based cyber-threat monitoring system and by other security vendors. It has never been on the list of the most widespread threats.

For years now the industry has adopted the simple and helpful rule of not crying wolf.

A very important question that has slipped off the radar is what state is behind this intrusion?

It’s not possible to give a straight and clear answer to this question; however, it looks overwhelmingly likely that no state is behind the Shady RAT botnet. How the botnet operates and the way the related malware is designed reveals startling fundamental defects hardly indicative of a well-funded cyber-attack backed up by a nation state.

A good example of a cyber-attack most likely backed by a nation state is Stuxnet. Just compare the number of vulnerabilities used, special techniques, and the various assessments of the development cost. With Shady RAT we are dealing with a lame piece of homebrew code that could have been written by a beginner.

On the black market the Shady RAT malware would be valued at not much more than a couple hundred dollars. Even if an “evil” state were to decide to launch a targeted attack, it could buy much more sophisticated malware for just $2,000 – $3,000. And most certainly the evil state wouldn’t use the same command and control server for five years, and then keep it operating after it was revealed in the world media that it had been exposed – allowing security researchers to conduct in-depth analysis of the botnet.

We believe that this act was performed by rather novice criminals who were testing the ground, but who didn’t improve their skills much at all since the date they started the botnet.

To summarize the Shady RAT report:

Was it the most sophisticated attack ever?

No.

Was it the longest-lasting attack ever?

No.

Was it a historically unprecedented transfer of wealth?

No.

Is there proof that 71 organizations were compromised and had data leaked?

No.

Was it backed up by a state?

No.

Does Shady RAT deserve much attention?

No.

Useful link: Comment from Alex Gostev, Kaspersky Lab’s Chief Security Expert

Moscow’s cyber warriors in Ukraine linked to US election

Financial Times

 

 

 

Security firm accuses Russian intelligence’s ‘Fancy Bear’ hackers

crowdstrikeCrowdstrike
by: Demetri Sevastopulo and Courtney Weaver in Washington

The discovery of an alleged Russian government hack of a Ukrainian mobile phone app has boosted investigators’ confidence that Moscow was behind the hacking of Democratic National Committee servers in the US before the presidential election, cyber security firm CrowdStrike said.

The firm, which was hired by the DNC to rebuild its cyber defences after the attack, said Fancy Bear — a code name it assigned to hackers that it believes are associated with Russian military intelligence, the GRU — had implanted malware in an Android mobile phone application used by anti-Russian forces operating in eastern Ukraine. Identifying the perpetrators of cyber intrusions is notoriously hard as attackers can conceal their identity. But Dmitri
Alperovitch, the co-founder of CrowdStrike, said his confidence level that the DNC hack was the work of GRU hackers had risen from “medium” to “high” because of the alleged Ukrainian hack between 2014 and 2016. Mr Alperovitch said the same malware was used for both the Ukraine attacks and the DNC hack. He said Fancy Bear was the only group of hackers that had previously used the malware, and that the source code was not publicly available, leading to the conclusion that the GRU-affiliated hackers were behind both of the cyber attacks. The emergence of more evidence of Russian hacking comes as Donald Trump, the president-elect, continues to dismiss as “ridiculous” suggestions from the CIA and other US intelligence agencies that the Kremlin orchestrated cyber attacks in the US to interfere with the presidential election. Several US congressional committees are probing the attacks, which President Barack Obama has blamed on the Russians. “My hope is that the president-elect is going to similarly be concerned with making sure that we don’t have potential foreign influence in our election process,” Mr Obama said last week at a press conference. Mr Obama has also ordered an investigation, which will be finished before he leaves office, into the hacks. Asked whether he believed Russian president Vladimir Putin had personally authorised the hacking, Mr Obama responded: “I’d make a larger point, which is, not much happens in Russia without Vladimir Putin. This is a pretty hierarchical operation.”
According to CrowdStrike, the hackers installed malware in an Android-based mobile phone application developed by the Ukrainians to improve the targeting of Soviet-era D-30 Howitzer artillery guns. The firm said the deployment of the Fancy Bear malware may have helped reconnaissance against Ukrainian forces. “The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them,” CrowdStrike said.

Mr Alperovitch said the target of the attack increased the certainty that it was affiliated with the GRU. While the evidence was not conclusive, he said Ukrainian forces lost 80 per cent of their Howitzers over a two-year period, but lost only 50 per cent of other artillery that did not rely on the app. Since 2014, Russia has been engaged in hybrid warfare in Ukraine where it has used cyber and informational campaigns to weaken the new western-backed government in Kiev and aid the pro-Russia separatists who currently control a swath of Ukraine’s east. Last year, Ukrainian authorities accused Russia of successfully shutting down several of the country’s power grids through a cyber attack. While Moscow denied the attack, several cyber security experts said the malware was likely the result of a group of Russian hackers called the Sandworm team, a group that previously had tried similar attacks in the US and Europe. Mr Alperovitch said CrowdStrike found evidence of the malware over the summer, but needed time to investigate fully. He said the conclusions had been handed to security officials in the US government. The increased focus on Russian cyber attacks comes after months of controversy in the US about the role that Mr Putin and the Kremlin may have played in the hacking of the Democratic party and its officials. Some members of the Clinton campaign have blamed the hacking, which resulted in the release of thousands of emails that had been provided to WikiLeaks, for their unexpected loss to Mr Trump. European countries, including Germany and France, are also increasingly alarmed about the potential for Russia to influence elections across Europe with everything from pure hacking to the use of botnets — networks of infected private computers — to accelerate the proliferation of fake news that can influence voters. Twitter: @dimi

Advertisements

Hafiz Saeed Allegedly Arrested In Pakistan Under Pressure From Trump

Hafiz Saeed arrested in PAK: Modi’s pressure told in the video, playing a trump friendship with India

dainik-bhaskar

Danikbaskrkcom | John thirty-one

Hafiz Muhammad Saeed, house arrest, Pakistan media, national news in hindi, national news

Monday afternoon, the Home Minister of Pakistan Chaudhry Nisar said that Saeed had been declared a terrorist by the US. Saeed Khan also said that Pakistan was to keep an eye on since 2010.

New Delhi / Islamabad. The Government of Pakistan Lashkar-e-Taiba chief Hafiz Saeed on Monday placed under house arrest. However, it released a video of himself arrested Hafiz Saeed said. He has blamed Modi for arrest. According to Pakistan’s Aarway channel, Saeed under house arrest for fear of the US’s new president is Donald Trump. The government of Sindh in Pakistan have confirmed the arrest of Saeed. It is said that Saeed in Lahore is placed on a secret location. What the Home Minister said Pakistan …

 

– Please tell the Monday afternoon the Home Minister of Pakistan Chaudhry Nisar Ali Khan told the media that the Jamaat-ud-Dawa chief Hafiz Saeed, the US has declared a terrorist. Saeed Khan also said that Pakistan was to keep an eye on since 2010.
– Khan, Jamaat is clearly banned organization. The UN Security Council has banned him. The government will have to take action against him. Chowdhury said the action is pending against Saeed long time. Nisar’s statement came hours after Saeed was arrested.
– Asked about US President Trump Trump Khan said people who are the target of the victims of terrorism. Where the US has been targeting terrorists?
Trump took action, fearing Pakistan
– Pakistan’s media trump the fear of government step are told. Please tell the US citizens of the 7th Muslim countries have been banned from coming to America. It is believed that Pakistan is the US ban.
– Trump has clear ban will be imposed on countries that export terrorism. Saeed’s detention for fear of the US is seen as a step.
– Pakistani security expert said Arif Jamal Saeed telling herself that she was arrested because of Modi and the US.
After the arrest video released
Stunningly, after the arrest Saeed issued a video message to his supporters.
– In it he said, “brothers in Islam. Especially my Kashmir brethren. Where-as far as my voice rose. I want to say that international pressure Hukumat Pakistan decided to arrest me. Which I was informed. I think that all this is happening because of international pressure.
– “In Pakistan, the Jamaat-ud-Dawa is not a question of. We have made sacrifices to protect Pakistan. We Relief and Education (Education) has worked on. We have joined with their brothers in Balochistan. We also help people in Sindh. And especially we stood for Kashmir.
– “K for the year I made the program. February 5 was supposed to work on it. So I suspect that they will not tolerate talk of India. And that of course will put pressure. Since the time Trump and new US President (President) is made. And that he wants to be a great friendship. Their mutual cases. However, Americans are not our issues. Our issue is with India. The issue of Kashmir. But he put the emphasis.
Hafiz Saeed, who is? Saeed why we brought, which he lays eggs
– Hafiz Saeed, mastermind of the 26/11 Mumbai attacks. 166 people were killed in the attack, including six Americans. India has asked Pakistan to hand him over several times.
– Not just the Mumbai attacks in India and Afghanistan clearly the hand of Hafiz Saeed but Pakistan denies it.
– The United States released a list of International Terrorist, which was also the name of Saeed. A million dollar US bounty placed on him eat. Interpol red corner notice against him was issued.