Shady RAT Follow-up

McAfee’s Dmitri Alperovitch has said that he “divides the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” regarding the Operation Shady RAT compromises.  The recent report named only a few of the 72 organizations known to have been targeted by the attackers.  McAfee has notified all 72 organizations of the intrusions, but has also said that the analyzed logs date back only to 2006, leaving open the possibility of earlier compromises for which no evidence was available to them.  The logs also show evidence of intrusions into many other networks, but in insufficient quantity to accurately identify the targets.

So, what can you do to determine if your company has been one of the mystery targets?  Security vendor Seculert has provided a simple, web-based tool to check whether your computer has been in contact with the Shady RAT Command & Control server.  You can only check one IP at a time, and a negative result means only that that one particular computer hasn’t been in contact.  If the result is positive, the tool will tell you how many times the computer communicated with the C&C server and when it first did so, which is sufficient information to begin a forensic audit and an incident response cycle.
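The same two facts the Seculert tool reports (contact count and first contact time) can be pulled from your own outbound firewall or proxy logs, and for every internal host at once rather than one IP at a time. The script below is an added example and is not the Seculert tool or code from the original post; the indicator values in `C2_INDICATORS`, the log line format and the `SAMPLE_LOG` entries are all constructed placeholders, since the post does not give the C&C server’s address. Substitute the indicators from your own threat-intelligence feed and point it at a real log export.

```python
"""Scan outbound connection logs for contact with known C&C indicators.

Added example, not the Seculert tool or any code from the original post.
The indicator values below are labelled placeholders; the Shady RAT C&C
address is not given on the page, so substitute your own indicator list.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Placeholder indicator set (constructed; replace with real C&C IPs/domains
# from your threat-intel feed). Not an address from the original report.
C2_INDICATORS = {"203.0.113.10", "c2.example.invalid"}


class Contact(NamedTuple):
    """Summary of one internal host's contact with a known indicator."""
    count: int
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Parse a firewall/proxy export line of the (assumed) form
    '<ISO timestamp> <src_ip> <dst_host_or_ip> <dst_port> <action>'.
    Returns (timestamp, src, dst) or None for malformed lines, so a
    corrupt line in a large export does not abort the whole scan."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def find_c2_contacts(lines: Iterable[str],
                     indicators=C2_INDICATORS) -> Dict[str, Contact]:
    """Return, per internal source IP, how many times it reached a known
    indicator and when it first and last did so. Hosts with no contact
    are absent from the result, mirroring a negative tool lookup."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        if dst in indicators:
            hits[src].append(ts)
    return {src: Contact(len(stamps), min(stamps), max(stamps))
            for src, stamps in hits.items()}


# Constructed sample log lines (not real traffic); one host contacts the
# placeholder C&C three times, another once, and one line is garbage.
SAMPLE_LOG = """\
2006-07-12T09:14:03 10.1.2.34 203.0.113.10 80 ALLOW
2006-07-12T09:15:11 10.1.2.34 www.example.com 443 ALLOW
2006-07-13T21:02:47 10.1.2.34 203.0.113.10 80 ALLOW
2006-07-14T02:30:00 10.1.5.7 c2.example.invalid 443 ALLOW
garbage line
2006-07-20T11:00:00 10.1.2.34 203.0.113.10 80 ALLOW
""".splitlines()

if __name__ == "__main__":
    for src, c in find_c2_contacts(SAMPLE_LOG).items():
        print(f"{src}: {c.count} contact(s), first {c.first_seen:%Y-%m-%d %H:%M}, "
              f"last {c.last_seen:%Y-%m-%d %H:%M}")
```

The first-seen timestamp is the value to carry into the incident response timeline: it bounds how far back the forensic review of that host has to reach, while the last-seen value tells you whether the beacon is still active and the host still needs to be contained.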

According to Computerworld, the C&C server involved in these attacks is still online, and the logs remain accessible.  It is located in the US, and since the authorities have been notified and will be taking an interest in this case, there is no telling how long it will remain available.