Tag Archives: McAfee

Taking Shady RAT to the Next Level

I know I’ve drawn attention to this before, but the timeline of McAfee’s Operation Shady RAT by Dmitri Alperovitch raises questions again about WikiLeaks’ original data.

Alperovitch points out that their data goes back to mid-2006:

We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. Note that the actual intrusion activity may have begun well before that time but that is the earliest evidence we have for the start of the compromises.

This was around the time that Julian Assange was building up his content; as he recounted in emails at the time, his hard drives were filling up with eavesdropped documents:

We have received over 1 million documents from 13 countries, despite not having publicly launched yet! (Wikileaks Leak, Jan, 2007)

Although Assange has since denied the material came from eavesdropping, it seems clear that it was, until McAfee’s report, the earliest example of a significant trove of documents and emails stolen by China-based hackers. This may have been the same channel stumbled upon a year later by Egerstad (Dan Egerstad’s Tor exit nodes get him arrested and proves a point I made in July | ZDNet).

There were, however, reports in mid-2006 of large-scale theft of documents: State Dept (May), NIPRNet (June), US War College (Sept) and German organisations (October).

I would like to see more data from McAfee and, in the interests of transparency, at least the metadata from the still unrevealed WikiLeaks stash in order to do some note comparing and triangulation. I’d also like to see this material compared with the groundbreaking work by three young Taiwanese white hats, who have sifted through malware samples to try to group together some of these APTs: APT Secrets in Asia – InSun的日志 – 网易博客.

The work has just begun.

Push Comes To McAfee

I must be dumb here, but I don’t quite understand this.

McAfee, Inc., the anti-spam, anti-virus people, yesterday announced (not yet seen on corporate site. Registration possibly required) they had been granted US Patent 6,725,377 entitled “Method and System for Updating Anti-Intrusion Software.” This technology, they said in a press release, would allow them to update clients’ anti-intrusion software automatically by ‘pushing’ the updates to the customer’s network.

“Prior to this patented invention,” McAfee says, “the system administrator for a network would need to have the knowledge that the system or network protection against the specific attack was out-of-date, and then request updated attack pattern information, such as signature updates, from the customer’s anti-intrusion software vendor. The administrator would then have to download the updated attack pattern information and update the deployed security technology.”

I’m no expert on this, of course, but this seems like one of those no-brainer moments. First off, I thought that most anti-intrusion software was updated automatically, checking back regularly to see if new updates were available and then updating them. If so, what’s all this about system administrators needing to have the knowledge that their network protection was out of date? Second, why has it taken the online security community so long to figure out this was a prime candidate for push — where the updated software itself goes out looking for places to update, rather than the other way around?

McAfee’s Virus Report Card – Grim

It’s been a busy six months for the virus-writing folk.

McAfee says the first half of this year has seen more serious viruses than in the whole of last year (sorry, no URL available yet). A large part of this has been the war between the Bagle and Netsky authors, a war that has seen their viruses appear in 215 countries.

What’s perhaps surprising is that this bucks a trend in virus production, where McAfee saw a steady decline in the rate of viruses produced from 2000 to 2003, down to a 5% year over year growth. That seems to be all over, for now at least.

Another weak spot: McAfee noted 11 exploits targeting four Microsoft vulnerabilities in the first half of 2004, against 15 exploits targeting seven Microsoft vulnerabilities in the whole of 2003. In other words: more folk trying to make the most out of fewer holes.

McAfee Comes Late To Rev. Bayes’ Party

McAfee seems to have come somewhat late to the spam party: Network Associates, Inc., ‘the leader in intrusion prevention solutions’, today announced that it has incorporated “powerful new Bayesian filtering into the latest McAfee SpamAssassin engine”. What, only now?

Bayesian filtering is a pretty powerful weapon in the war against spam. I use POPFile and K9 and would recommend either, not least because they’re free. But why has it taken so long for McAfee to get around to including it in their SpamAssassin product?

To be fair, the McAfee Bayesian filter is “fully automated in its learning abilities, whereas other competitive solutions require manual training by users or systems administrators”. That is an improvement, but I wonder how well it works.

SpamKiller/Assassin also includes some other features, including Integrity Analysis, which applies algorithms to determine if the email is spam, Heuristic Detection, Content Filtering, Black and White Lists and DNS-Blocklist Support.
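To make the Bayesian side of this concrete, here is a small naive Bayes spam filter with a self-training hook of the kind the press release is alluding to (confident verdicts fed back as training data, so nobody has to label mail by hand). This is an added example, not code from McAfee SpamKiller, SpamAssassin, POPFile or K9; the toy corpus is constructed, and the auto-learn cutoffs are assumptions.

```python
"""
Naive Bayes spam filter with a self-training ("auto-learn") hook.

Added example, not code from McAfee SpamKiller/SpamAssassin or from the
original post. The corpus below is constructed for illustration, and the
auto-learn thresholds are assumptions.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case and split a message into word tokens."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        """Record one labelled message."""
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_likelihood(self, tokens, label):
        # log P(label) + sum over tokens of log P(token | label)
        total_docs = sum(self.doc_counts.values())
        logp = math.log(self.doc_counts[label] / total_docs)
        total_words = sum(self.word_counts[label].values())
        denom = total_words + self.alpha * len(self.vocab)
        for tok in tokens:
            logp += math.log((self.word_counts[label][tok] + self.alpha) / denom)
        return logp

    def spam_probability(self, text):
        """P(spam | message), ignoring words never seen in training."""
        tokens = [t for t in tokenize(text) if t in self.vocab]
        log_spam = self._log_likelihood(tokens, "spam")
        log_ham = self._log_likelihood(tokens, "ham")
        # Logistic form of spam/(spam+ham) avoids underflow from tiny products.
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"

    def auto_train(self, text, spam_cutoff=0.95, ham_cutoff=0.05):
        """
        Self-training step (assumed design): only messages the filter is
        already confident about are fed back as training data, so a user
        never has to label them. Returns the label learned, or None.
        """
        p = self.spam_probability(text)
        if p >= spam_cutoff:
            self.train(text, "spam")
            return "spam"
        if p <= ham_cutoff:
            self.train(text, "ham")
            return "ham"
        return None


# Constructed toy corpus (not real mail).
SPAM_SAMPLES = [
    "cheap viagra buy now",
    "win money now click here",
    "free prize money claim now",
    "buy cheap pills online now",
]
HAM_SAMPLES = [
    "meeting tomorrow about the project budget",
    "can you send the project report",
    "lunch tomorrow with the team",
    "budget report attached for the meeting",
]


def build_filter():
    """Train a filter on the toy corpus and return it."""
    f = NaiveBayesSpamFilter()
    for text in SPAM_SAMPLES:
        f.train(text, "spam")
    for text in HAM_SAMPLES:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("buy cheap pills now", "project meeting tomorrow"):
        print(f"{msg!r}: p(spam)={f.spam_probability(msg):.3f} -> {f.classify(msg)}")
```

The self-training hook is also where such a filter goes wrong: if a spammer's message slips through with a confident "ham" score, it is learned as ham and pulls similar messages the same way, which is why the cutoffs are kept far from 0.5 and why the manually trained filters the post mentions are not obviously worse.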

News: Norton Chips In

I should have known, given the whole virus thing is big business, that if one company announces a new product, its rival down the street isn’t likely to stay silent. Hot on the heels (or maybe before, who knows) of McAfee’s upgrade to its VirusScan, Symantec Corp. announced Norton AntiVirus 2004, although tellingly it’s not ‘widely available’ until early September. (Not trying to muddy McAfee’s launch, are we lads?)

Norton AntiVirus 2004 takes a slightly different approach to the growing threat of worms, rather than viruses (worms jump aboard without the user doing anything like loading a file, while viruses depend on the user actually doing something). Norton AntiVirus 2004 will include scans for programs on the user’s computer that can be used with malicious intent to compromise the security of a system, spy on the user’s private data, or track users’ online behavior. AntiVirus will identify and block these threats at the point of entry to the system, detecting the threats during scans of email and instant message attachments, or during scheduled or on-demand system scans. This seems a little different to McAfee, although on the surface this all doesn’t sound that new. I’ll take a closer look and get back to you.

Norton AntiVirus 2004 and Norton AntiVirus 2004 Professional will be available for an estimated retail price of US$49.95 and US$69.95.

McAfee: The Worm Stops Here

McAfee today have unveiled a new version of McAfee VirusScan, equipped with new features including an enhanced WormStopper, which automatically detects and alerts users when their systems are attempting to send email to an unusually large number of addresses. It also alerts users when the system attempts to send out too many single emails within a 30-second period, helping to ensure that new mass-mailing worms cannot spread without the knowledge of the user. Not a bad idea, and as far as I know, the first such product to offer this kind of feature.

McAfee VirusScan is available immediately for $34.95 on the company’s website, http://www.mcafee.com/.
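The two WormStopper behaviours described above (a message with an unusually long recipient list, and too many separate sends inside a 30-second window) amount to a simple outbound-mail rate monitor. The following is an added example of that logic, not McAfee’s code: the thresholds, the event format (seconds since start, recipient count) and the constructed send log are all assumptions, and a real product would hook the mail client or the SMTP socket rather than replay a list.

```python
"""
WormStopper-style outbound mail monitor.

Added example, not McAfee's code. It models the two behaviours the post
describes: a message addressed to an unusually large number of recipients,
and too many separate sends inside a 30-second window. The thresholds and
the event format (timestamp in seconds, recipient count) are assumptions.
"""
from collections import deque

MAX_RECIPIENTS = 40   # assumed: more addresses on one message looks like a worm
MAX_MESSAGES = 5      # assumed: more sends than this inside the window is a burst
WINDOW_SECONDS = 30   # the 30-second window the post mentions


class OutboundMailMonitor:
    def __init__(self, max_recipients=MAX_RECIPIENTS,
                 max_messages=MAX_MESSAGES, window=WINDOW_SECONDS):
        self.max_recipients = max_recipients
        self.max_messages = max_messages
        self.window = window
        self.recent = deque()   # timestamps of sends still inside the window
        self.alerts = []

    def observe(self, ts, recipients):
        """Feed one send attempt; return the alerts it raises (possibly none)."""
        raised = []
        if recipients > self.max_recipients:
            raised.append(("mass-mailing", ts, recipients))
        # Slide the window: forget sends older than `window` seconds.
        while self.recent and ts - self.recent[0] > self.window:
            self.recent.popleft()
        self.recent.append(ts)
        # Alert once, at the moment the count first crosses the limit, so a
        # runaway sender does not produce one alert per message.
        if len(self.recent) == self.max_messages + 1:
            raised.append(("burst", ts, len(self.recent)))
        self.alerts.extend(raised)
        return raised


# Constructed send log for one workstation: (seconds since start, recipients).
SAMPLE_EVENTS = [
    (0, 1), (100, 2), (400, 1),                       # ordinary mail
    (1000, 1), (1002, 1), (1004, 1), (1006, 1),       # six sends in ten
    (1008, 1), (1010, 1),                             # seconds: a burst
    (2000, 80),                                       # one huge recipient list
]


def replay(events, **thresholds):
    """Run the monitor over a list of events and return every alert raised."""
    monitor = OutboundMailMonitor(**thresholds)
    for ts, rcpts in events:
        monitor.observe(ts, rcpts)
    return monitor.alerts


if __name__ == "__main__":
    for kind, ts, value in replay(SAMPLE_EVENTS):
        print(f"t={ts}s {kind}: {value}")
```

The burst alert fires only as the count crosses the limit rather than on every message afterwards, which is the difference between a prompt the user can act on and an avalanche of pop-ups while a worm is still trying to send. The obvious blind spot is a worm that paces itself under the window threshold, so a product of this kind still needs signature or behaviour scanning behind it.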