9

In reference to this Network Computing Report article titled "'Operation Shady Rat' Perpetrated Five Years Of Long-Term Attacks On Government, Enterprises"

The Cliff's Notes version of the article is this: it has been discovered that many countries and large corporations have been the target of long-term, concerted attacks. This information has been discovered through a long-term research effort done by McAfee.

A quote from the article intrigued me (emphasis mine):

In a probe dubbed Operation Shady RAT (for Remote Access Tool), researchers gained access to one of the attackers’ command and control (C & C) servers and obtained detailed insight into the victims, the information stolen, and the methods used.

In one of McAfee's statements about the operation, they merely state:

McAfee has gained access to one specific Command & Control server used by the intruders.

But they don't say how they gained access. Maybe it was after a legal seizure of hardware.

How would researchers gain control of an attacker's systems and not themselves have broken the law? Must they attain some kind of "warrant" or legal blessings on this kind of thing? Is it ever acceptable to penetrate an attacker's systems in the course of researching their behavior?

AviD
Wesley
    Unless there is a site user here with strong ties to McAfee, I suspect we can only speculate. – this.josh Aug 03 '11 at 18:49
  • From one of the comments in [Dmitri's blog](http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat) I speculate that they did a 'white hat' hacking, in which a Judge/Police/FBI/whatever gave them permission to hack the server. This would be pretty much the same as a warrant to search someone's home. – Augusto Aug 08 '11 at 11:00
  • @AviD: That's BS that you took answers from my question and closed my question. This is the question that should have been closed... Care to comment on your logic? Link to my question which resulted in 2 of the three answers below: http://security.stackexchange.com/questions/5905/how-did-mcafee-access-the-shady-rat-command-and-control-server – blunders Aug 08 '11 at 17:39
  • @Augusto My questions aren't specific to McAfee. They're generic. I just used the McAfee scenario as a real life example to kick the generic questions off. – Wesley Aug 08 '11 at 18:02
  • Also, as a result of the merge, there was a bit of comment confusion. I thought gowenfawr and zedman9091's answers were directly made to mine - which they're not. My question is generic in nature and not specific to the McAfee incident. I was interested in a general sense how security professionals can gain access to an attacking machine. – Wesley Aug 08 '11 at 18:09
  • @blunders, there was some discussion on this in [chat]... the consensus was that since both questions were asked within a couple days of each other, the merge would be to this one, since this question was phrased much better. Particularly, as Wesley said, this is a generic question - the McAfee question was in danger of being closed as Too Localized, anyway... – AviD Aug 09 '11 at 12:21
  • @AviD: My feedback is it would have been nice to have been provided the context when that choice was made, since my reply would been the following: Please close the question as "too localized" since my interest was purely related McAfee, not a generalization of what a research group would be able to do based on what McAfee might or might not have done; and in my opinion, it would be very dangerous to make generalizations on what one was able to do based on McAfee. Also, I'm pretty sure McAfee was operating on a different level than the average research group; meaning FBI, DoD, etc. – blunders Aug 09 '11 at 12:47
  • I agree with AviD, in that the question asked here is more general, and more likely to be of continued interest to the community. Merging @blunders's question as a near-duplicate of this question (indeed as the example used by WesleyDavid above) makes sense. –  Aug 09 '11 at 12:53
  • @blunders - we had a thorough discussion, and while both questions were valid, yours was very localised and Wesley's was more likely to remain useful to visitors to the site over a longer term. Answers on both were good, so a merge was considered the best option. – Rory Alsop Aug 09 '11 at 12:57
  • @Graham Lee: My reading of WesleyDavid's question is that it's asking for a green light based on what might have happened in the McAfee case, my question has to do with what happened in the McAfee case. Meaning they're not the same question. – blunders Aug 09 '11 at 13:02
  • @Rory Alsop: If it was too localized it should have been closed as such, and gowenfawr and zedman9991 should have been invited to edit and repost their answers to this question; since neither were written to directly address this question in my opinion. – blunders Aug 09 '11 at 13:04
  • @blunders I would indicate that if you want to know whether what someone did was legal, you need to know what they did, making the latter question a part of the former. –  Aug 09 '11 at 13:15
  • @Graham Lee: That sentence is confusing... what are you replying to, and what is your response. – blunders Aug 09 '11 at 13:27
  • @blunders - why? Their answers work just fine here. – Rory Alsop Aug 09 '11 at 13:34
  • @Rory Alsop: They "work" but were not written to address this question directly, which in my opinion is gaming the system, especially if the top answer on this question was already ahead when they were merged. In fact, I can't recall having seen a question get merged ever on SE, and think it's a bad idea in general. Anyway, I got the feedback I need and do agree that it is the admin's choice about what to do. I have no further comments on the matter. – blunders Aug 09 '11 at 13:45

3 Answers

11

C&C servers are often servers that got hacked, not servers rented by the attacker.

Security support contracts

For public organisations there are often CERTs (computer emergency response teams) responsible for them. For example there is the DFN-CERT for all German universities. Large companies tend to have support contracts with companies specialised in security.

So after the security breach is noticed, the server may be turned over to the security organisation in order to do forensics: learn how the attacker got in, try to estimate what damage they caused, what data they had access to, etc. Knowing the damage as well as possible may be especially important in order to defend against being sued by customers.

This is the most common case. The wording is very similar to what our CERT said when they got handed a C&C server by a university some time ago: "The CERT gained access to a command and control server which collected a list of web addresses, usernames and passwords. As the domain of the following entries is within your responsibility please inform your users with the following account names that their computer is infected".

The security organisations obviously need to prevent drawing attention to their customers because it implies that the customer got successfully attacked.

Other means

The C&C might have been a honeypot, a server dedicated to being attacked. I think this is unlikely because it is said that the C&C server was active for years.

There might have been a court order to seize the server. But if that was the case and the security company was called as an expert witness, they would probably not be allowed to go public.

The security company might have gotten unauthorized access. I consider this extremely unlikely because of the huge legal risk involved.

tl;dr

The company which unwillingly hosted the C&C most likely handed it over to their security consultants for damage assessment.

Hendrik Brummermann
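The notification step this answer describes (take the credential list collected by a handed-over C&C server, work out which domain owner is responsible for each set of accounts, and tell them which users to warn) as an added Python example. This is not code from the answer, from the DFN-CERT, or from McAfee. The one-record-per-line log layout, the field order, and the "last two labels" domain-ownership heuristic are assumptions made for illustration, and every record in the sample is a constructed fake.

```python
"""Victim-notification triage over a harvested C&C credential log.

Added example; not the CERT's or McAfee's tooling. The record layout
"<timestamp> <infected_host> <target_url> <username> <password>" is an
assumption: it is a common shape for banking-trojan / keylogger drops,
but the real server in the story could have stored anything.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, in the shape an analyst might get after a hosting
# provider hands over a compromised box. All hosts, users, secrets are fake.
SAMPLE_LOG = """\
2011-07-12T08:14:02Z 10.20.30.40 https://webmail.example-uni.edu/login alice@example-uni.edu Hunter2!
2011-07-12T08:15:11Z 10.20.30.40 https://bank.example.com/ib/auth alice.j s3cret
2011-07-12T09:02:45Z 192.0.2.17 https://webmail.example-uni.edu/login bob@example-uni.edu pa55w0rd
2011-07-13T21:40:09Z 198.51.100.8 https://portal.example.org/sso carol Winter2011
this line is malformed and must be skipped
2011-07-13T21:41:33Z 192.0.2.17 https://bank.example.com/ib/auth bob77 qwerty
"""


def parse_record(line):
    """Return a dict for a well-formed record, or None for junk lines."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None
    ts, host, url, user, password = parts
    # Reject anything that is not a URL; harvest logs are full of garbage.
    if not url.startswith(("http://", "https://")):
        return None
    target = urlsplit(url).hostname
    if not target:
        return None
    return {"ts": ts, "host": host, "target": target,
            "user": user, "password": password}


def responsible_domain(hostname):
    """Crude owner heuristic (assumption): the last two DNS labels.

    Real triage should consult the Public Suffix List so that e.g.
    'bank.example.co.uk' is not attributed to 'co.uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def triage(log_text):
    """Group harvested accounts per responsible domain, dropping passwords.

    Returns (report, skipped) where report maps a domain to
    {"accounts": [...], "infected_hosts": [...], "first_seen", "last_seen"}.
    Passwords never leave this function: a notice must not redistribute the
    stolen secrets, and the recipient only needs to know which accounts to reset.
    """
    buckets = defaultdict(lambda: {"accounts": set(), "infected_hosts": set(),
                                   "first_seen": None, "last_seen": None})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        b = buckets[responsible_domain(rec["target"])]
        b["accounts"].add(rec["user"])
        b["infected_hosts"].add(rec["host"])
        # ISO-8601 UTC timestamps compare correctly as strings.
        b["first_seen"] = rec["ts"] if b["first_seen"] is None else min(b["first_seen"], rec["ts"])
        b["last_seen"] = rec["ts"] if b["last_seen"] is None else max(b["last_seen"], rec["ts"])
    report = {d: {"accounts": sorted(v["accounts"]),
                  "infected_hosts": sorted(v["infected_hosts"]),
                  "first_seen": v["first_seen"], "last_seen": v["last_seen"]}
              for d, v in buckets.items()}
    return report, skipped


def notification_text(domain, entry):
    """Render one per-owner notice in the spirit of the CERT message quoted above."""
    lines = [f"To the abuse contact for {domain}:",
             "The following accounts in your domain were found on a command and control",
             f"server active between {entry['first_seen']} and {entry['last_seen']}.",
             "Please inform these users that their computer is infected and reset the accounts:"]
    lines += [f"  - {u}" for u in entry["accounts"]]
    lines.append("Infected client addresses seen: " + ", ".join(entry["infected_hosts"]))
    return "\n".join(lines)


if __name__ == "__main__":
    report, skipped = triage(SAMPLE_LOG)
    for domain in sorted(report):
        print(notification_text(domain, report[domain]), end="\n\n")
    print(f"{skipped} malformed line(s) skipped")
```

Running the script prints one notice per domain owner with account names and infected client addresses only; the passwords stay in the evidence copy. The per-domain first/last-seen window is what lets the recipient scope their own incident, and the malformed-line counter is worth reporting because a high ratio of junk usually means the log format assumption is wrong rather than the data being noisy.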
5

Now that we've all agreed we're all speculating...

There has been a small but significant trend in which whitehat intrusion into or onto clearly malicious infrastructure has been treated as permissible, necessarily expedient, or - uh - "look-the-other-way-able".

We saw it several months ago when the US government took control of various domain names. I am aware of a couple incidents where respectable security professionals started playing who-controls-the-botnet-now with active malicious botnets. So I am comfortable speculating that McAfee made unauthorized access to a C&C node as a part of their investigation into a botnet. I've no hard data or proof; this is pure speculation.

You could have a really fascinating ethical discussion about it:

  • The attackers have no compunctions; a defender who ties their own hands is at a distinct disadvantage.
  • The contested servers are often owned by a 3rd party who is arguably criminally negligent; does that negligence erode their rights?
  • The contested servers are the Internet equivalent of a rabid dog, and IRL, the law sanctions killing of a dangerous animal, doesn't it?

I speculate that in the case of Shady RAT, someone decided to go for it, and the payoff was beyond what anyone could have hoped. (Logs back to 2006? Really?)

gowenfawr
  • And what if the rabid dog is only dangerous to a **specific** organization Y, whereas killing it would amount to huge costs (bankruptcy) to its owner organization X? – Pacerier Mar 28 '15 at 17:49
4

The official statement says, "McAfee has gained access to one specific Command & Control server used by the intruders." It would seem extremely likely that they were brought into the picture for analysis by someone with access to the C&C server considering the implications the alternative (McAfee turning black hat) would have to their company. If you take that as a working theory then you need to question why that relationship was not mentioned, just as you have.

A likely answer there is those folks asked McAfee for assistance as part of an official investigation. If that were the case then we have McAfee accusing China of state sponsored APT attacks based on another state providing them the data. The 'advanced' part of this APT includes a single server running for five years without clearing the incriminating logs.

Your question is an outstanding one. Sorry to only provide speculation but my guess is that all that will be available for the near term.

zedman9991
  • McAfee obviously didn't turn black hat. The question is questioning the lines of black hat and white hat. – Pacerier Mar 28 '15 at 17:51