Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, said that using a popular RAT may be a form of camouflage for some nation-state attackers. "It gives them some plausible deniability," he said.
"If someone discovers it on the network, it's just a common tool used by a lot of different hackers so it's hard to attribute it to a particular region," Stewart said.
What's more, a common RAT isn't as likely to create the kind of panic caused by something like a Stuxnet, Hypponen said. "If you get caught, if your target realizes they have an in-house infection, they wouldn't be as worried about finding a Poison Ivy infection as they would be if they found a completely tailor-made, Zero Day RAT attack," he said.
For some attackers, using an off-the-shelf RAT is a matter of balancing risk with the cost of developing software. "They're really not taking a lot of risk themselves in leaving a copy of Poison Ivy running on someone's computer," said Tom Cross, a security research director at Lancope. "If it gets compromised, it's just another copy of Poison Ivy. It doesn't reveal anything about the attacker's intent or their capabilities or what they intended to do."
Along with its report on Poison Ivy, FireEye released a set of free tools that can be used to detect Poison Ivy infections. The Calamine suite can reveal the RAT's process mutex and password, decode its command-and-control traffic to identify exfiltration and lateral movement, and produce a timeline of the malware's activity.
Tools may be useful, but the only way to really protect a network is to prevent the RAT from insinuating itself into a system in the first place, said Anup Ghosh, CEO of Invincea. "This is a band-aid approach to the problem," Ghosh said in an interview. "Are we going to put out band-aids for every RAT that's out there?"
"It's not solving the problem," he said. "It's sticking a finger in the dam as leaks develop left and right."