Researchers at McAfee Labs (McAfee is a Solutionary partner) have released a report detailing the findings of an investigation into a single botnet, with evidence of what appear to be sustained compromises spanning five years or more. McAfee Labs dubbed the campaign ‘Operation Shady RAT’; its researchers gained access to the botnet through one of its command and control (CC) servers and found that the majority of the malware variants involved were remarkably inconspicuous.
McAfee and other antivirus vendors have measures in place to detect these malware variants, which heuristic signatures appear to flag simply as a ‘generic’ downloader or backdoor. What’s more, these seemingly insignificant threats appear to have been engineered so as not to attract attention. The purpose of this botnet appears to be the continuous and sustained theft of proprietary, confidential, and sensitive information.
The targeted victims were Western organizations, yet this botnet affected organizations in multiple countries around the globe, across all economic verticals. Examples of affected sectors range from non-profits, energy, government and government contractors to finance and technology. With more details made available in the McAfee report, Solutionary recognizes that the subtlety of such malware represents a significant potential threat to our customers. Solutionary also recommends continuous user education combined with a strong security policy, inclusive of patch and antivirus-definition management measures, as one of the best methods of mitigating such threats.
August saw increased activity over port 3389/TCP, the port most commonly associated with the Remote Desktop Protocol (RDP), also known as Terminal Services. It was later discovered that this increased activity was the result of malware named Morto.
Designed to identify Internet-facing RDP services, the worm attempts to log in to the systems it discovers using generic usernames and passwords. All current indications suggest that this threat can be mitigated simply by blocking all external access to port 3389/TCP and protecting such services with technologies such as an SSL VPN. Solutionary also advises that this threat can be further mitigated through the implementation of strong password policies, the use of non-generic account names, and the installation and proper maintenance of antivirus software.
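One way to spot the RDP password guessing this worm relies on is to watch Windows logon-failure events for a source that fails repeatedly against generic account names. The script below is an added example and is not from the Solutionary advisory or the McAfee report; the record format, the sample entries and the list of "generic" account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4625 (logon failure)
# with LogonType 10 (RemoteInteractive, i.e. RDP). Fields: timestamp|event_id|logon_type|user|source_ip
SAMPLE_LOG = """\
2011-08-28T03:14:01|4625|10|administrator|198.51.100.23
2011-08-28T03:14:03|4625|10|admin|198.51.100.23
2011-08-28T03:14:05|4625|10|administrator|198.51.100.23
2011-08-28T03:14:08|4625|10|user|198.51.100.23
2011-08-28T03:14:10|4625|10|administrator|198.51.100.23
2011-08-28T03:14:12|4625|10|owner|198.51.100.23
2011-08-28T09:02:44|4625|10|jsmith|203.0.113.7
2011-08-28T09:03:10|4624|10|jsmith|203.0.113.7
"""

# Account names treated as "generic"; this particular list is an assumption, not from the advisory.
GENERIC_ACCOUNTS = {"administrator", "admin", "user", "owner", "guest", "test"}

def parse_events(log_text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), user.lower(), ip

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed RDP logons inside any span of `window`.
    Returns {ip: {"failures": peak_count_in_window, "generic_accounts": [names tried]}}."""
    failures = defaultdict(list)   # ip -> timestamps of RDP logon failures
    names = defaultdict(set)       # ip -> generic account names attempted
    for ts, event_id, logon_type, user, ip in parse_events(log_text):
        if event_id == 4625 and logon_type == 10:
            failures[ip].append(ts)
            if user in GENERIC_ACCOUNTS:
                names[ip].add(user)
    alerts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):       # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"failures": peak, "generic_accounts": sorted(names[ip])}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} RDP logon failures, generic accounts tried: {info['generic_accounts']}")
```

A single failure from a named user (the second source above) is not flagged, while the burst of failures against generic names from the first source is.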