Understanding the Truth Behind Operation Shady Rat

Whenever someone talks about Cyber Warfare, the first name that comes to mind is Operation Shady RAT. It is an on-going series of cyber security attacks which started in 2006 but were reported only in 2011 by Dmitri Alperovitch, Vice President of Threat Research at Internet Security company McAfee. It is not an individual attack but an ongoing series of cyber security attacks and along with Operation Aurora (the attack on the Google and other companies in 2010) it is considered as one of the largest damaging cyber security attacks that has ever taken place. No wonder why year 2011 is popularly called as “Year of the Hack” among cyber security professionals.

Modus-Operandi of Operation Shady RAT

In order to understand the modus-operandi of the attack, it can be broken down into three stages:

Stage 1

This stage is also known as Social Engineering Stage. In this stage, the target organisations and individuals working in them are identified. Then specially designed emails are sent to them. A typical email comprises of a subject, body and an attachment. The subject comprises of a topic that will be of interest to the user. Example contacts list, budget, party, farewell etc. The subject acts as “click-bait”. The body of the email contains certain details in accordance with the subject and acts as a further “click-bait” for the attachment. Technically it is an act of social engineering which means they are trying to psychologically manipulate the recipient to perform an act and in this case the act is to open the attachment. These attachments are mostly Microsoft Office files like Excel documents, Word files, PowerPoint files and PDF files but are laced with Trojans and once the reader opens the attachment this exploit code is executed which compromises the system.

Stage 2

In this stage the installed Trojan starts establishing contact with the remote site.They direct the computer to certain sites with image files or html files. On face these files look completely harmless. But therein lies the secret ploy. A user is directed to these sites because most of the security firewalls allow image files and html files to bypass the http traffic.

These URLs are designed to hide the secret code embedded within the images and html files. Once the user is directed to these image files or html files, he finds them completely harmless but there are secret commands hidden in these images and text using the method of “steganography”, a practice to conceal a file, image or video in another file, image or video. These commands are invisible to human eye but have been converted into mathematical data which forms the images.

Stage 3

Once the Trojan has connected with the remote computer, it establishes a remote shell in the computer which is hidden from the user. This remote shell helps the attacker to directly issue commands to the computer from remote location. All of this runs in the background away from the eyes of user and makes no impact on the performance of the computer thus avoiding any suspicion. Some commands which are used:

gf:{FILENAME} — Retrieves a file from the remote server.

pf:{FILENAME} — Uploads a file to the remote server.

http:{URL}.exe — Retrieves a file from a remote URL, beginning with http and ending in .exe. The remote file is downloaded and executed.

taxi: {COMMAND} — Sends a command from the remote server.

slp:{RESULT} — Sends the results of the command executed above to the remote server to report the status

A Trojan can download new commands from the remote website and run new functions, capture the data and send it back to the remote location.

Which organisations were affected?

According to McAfee and Symantec, who analysed the attack in details, the intrusions seem to suggest that attackers were motivated by “fetish” for secrets and intellectual property. Most of the cyber crime is directed towards financial gratification which was not the case with Shady RAT. Alperovitch further said that the organisations which were not affected were the ones which had nothing worth to steal. He divided Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.

Many leading organisations and institutions including Sony, Fox, the British National Health Service, and the Websites of PBS, the U.S. Senate, and the C.I.A., were affected.

Protection and safety

There are various steps one can take to prevent any compromise of data and security.

• Ensure you are using an up to date anti-virus.
• Email filtering services such as BrightMail or MessageLabs can be used to filter out potential attacks and thus avoiding falling prey to “clickbait”.
• Have the IDPS turned on. These are network security appliances in addition to the standard anti virus detections. They monitor the entire network and are able to identify, stop and report any malicious activity happening over organization network.
• Ensure your computer softwares are upto date with latest security patches. Most of these attacks are designed for unpatched computers. Once you have patched your software, it reduces the vulnerability by a large extent.
• Above all, keep yourself well informed about latest trends in cyber security domain. These attacks start with “social engineering” which is targeted towards gullible and uninformed users. If you are well-informed you can nip the SHADY RAT in the bud.