Oh cool, I (indirectly) have code in this, since the Volatility memory analysis framework is used to scan memory for the malware signatures.
As others have noted, this is unlikely to protect against new infections, since governments will surely just check to make sure their malware isn't detected by the scanner. On the other hand, since we don't really trust corporate AV to detect state-sponsored malware, it seems like this fills a need right now, and will likely result in some organizations discovering they've been compromised by this kind of surveillance malware. So this still seems very useful right now.
I love the EFF (and have donated money) but I am going to disagree with them on this one.
As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this. In the same way that malware authors now check against Microsoft AV because it is the most popular.
So my point is that traditional AV in this scenario is a loser and will remain a loser because it is a race AV just cannot win. It will only alert you to an attacker well after the fact.
A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc.) is read-only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.
That won't address the "baseband issue" (e.g. firmware infections, uEFI, etc), but neither does this. Only physical security really addresses the baseband.
Hey, Danny O'Brien from EFF here. You're absolutely right: the best defense against malware attacks of any kind is to increase the level of protection that systems have, whether that's read-only distributions, compartmentalization approaches like <a href="https://qubes-os.org/">Qubes</a>, or just generally fixing the vulnerabilities that malware must exploit to take control.
Detekt is mostly about a different and earlier part of the problem: allowing groups that may be currently targets of illegitimate state surveillance to confirm that they have been infected by specific tools that we know to be used by state attackers, and therefore confirm that they are indeed under this specific sort of surveillance.
Up until now, getting to the point of confirming that fact has mostly relied on manual examination by experts. If an activist or journalist suspects they may be under surveillance or infected with malware, they need to navigate the usual challenges to fixing a malware infection, plus they need to eliminate the (often far more probable) case that they are infected with the usual petty criminal spyware.
This is about being able to positively identify a relatively small number of cases of targeted illegitimate surveillance, out of an ecosystem of hundreds of thousands of potential targets, and a huge array of potential exploiters of vulnerabilities. Right now all the organizations supporting Detekt (EFF, Amnesty International, Privacy International and Digitale Gesellschaft) receive queries about potential infection cases from all around the world: now we can scale up a little the first step of that triage we conduct. The positive identifications that come out of Detekt we can take further, and base, for instance, the <a href="http://www.washingtonpost.com/business/technology/us-citizen...">cases against the Ethiopian government</a> in the UK and US that PI and EFF are conducting.
> As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this ... it is a race AV just cannot win.
This can be said of every security solution. The value of security is to increase the attackers' cost, which will deter attackers who don't want to pay the higher price. There is no absolute security.
Also, the prospect of updates will increase attacker costs more, as some attackers will feel the need to proactively avoid detection by future versions too.
Grab a live DVD, but how do you make sure that the hash used to verify the ISO is what it should be? Transfer it offline? Because if you are trying to avoid being spied on by the government, I don't think CAs/TLS can be used.
> A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc) is read only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.
It's called TAILS. It also triggers scrutiny by "the big g".
All of these memory signature scanning tools have a limited window of opportunity before the malware adapts. The involved organizations probably determined that the value of the current set of signatures was near the end and there was value to getting some parties outside of direct collaborators using the tool during a brief window.
I think AV software, despite all the benefits that it provides, also has a very dangerous dark side - it encourages more-or-less blind trust by its users, and thus can be used as a very powerful means of control to further an agenda. The most common example of this is the detection of keygens/cracks/patches as being malicious, many of which are clearly not (at least back when I was still into that stuff around a decade ago - not sure about now); I'm a reverse-engineer so I can inspect the files manually and see the truth, but the average user will be far more likely to believe their AV and assume it's malicious --- helping to spread the FUD. Seeing how things as simple as completely innocent "Hello World" programs can get detected as false positives[1][2][3][4][5][6][7] while state-sponsored spyware gets let through is very deeply disturbing.
IMHO signature/heuristic-based detection techniques are always prone to error, and should be replaced with behaviour-based detection (and blocking). At the moment, I think a good firewall (on another known-clean machine - ideally running 100% open-source software) should be enough to detect any suspicious network traffic.
It depends on the AV. I have recent experience with 3 of them: Sophos and Avira tend to classify every keygen as malware (Sophos is the worst) but Kaspersky is OK with them (or doesn't detect any malware at all for what I know ;-)
And yes I do use cracks: I wish I was able to reward my fellow devs but I don't have a start-up salary (even for my country my salary is pretty low) and open source software is usually (and I insist on usually, not always) not up to par.
Looking at the code (https://github.com/botherder/detekt), it's just looking for patterns of known malware. Isn't this just a subset of what anti-virus software does?
> Isn't this just a subset of what anti-virus software does?
Yes. The signatures are written more generically to detect the samples though. AV software can't (or at least shouldn't) write signatures so generically because of the potential for false positives. Since the scanner is scanning a non-enterprise environment the signatures can be a little more generic.
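To illustrate the generic-versus-specific signature trade-off that reply describes, here is a small byte-signature matcher in the style of YARA hex strings (added example, not Detekt's or Volatility's code; the implant bytes and buffers are constructed for the demonstration):

```python
# Added example (not Detekt's or Volatility's code): a tiny byte-signature
# scanner showing why a more generic signature catches more variants of a
# sample family but also raises false-positive risk. All bytes are constructed.
import re

def compile_hex_signature(pattern: str) -> re.Pattern:
    """YARA-style hex string ('DE AD ?? BE EF') -> regex over bytes; '??' = any byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad token in signature: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def scan(memory: bytes, signatures: dict) -> dict:
    """Return {signature_name: [offset, ...]} for every signature that matches."""
    hits = {}
    for name, sig in signatures.items():
        offsets = [m.start() for m in sig.finditer(memory)]
        if offsets:
            hits[name] = offsets
    return hits

# Constructed buffers: two "variants" of an imaginary implant differing only in a
# version byte, plus benign data that happens to share the surrounding bytes.
PAD = b"\x00" * 16
VARIANT_A = PAD + b"\xDE\xAD\x01\xBE\xEF" + PAD
VARIANT_B = PAD + b"\xDE\xAD\x02\xBE\xEF" + PAD
BENIGN    = PAD + b"\xDE\xAD\x07\xBE\xEF" + PAD

SIGNATURES = {
    # Exact bytes of the one analysed sample: no false positive, misses variant B.
    "implant_exact": compile_hex_signature("DE AD 01 BE EF"),
    # Wildcarded version byte: catches both variants but also fires on BENIGN,
    # which is the trade-off the comment describes.
    "implant_generic": compile_hex_signature("DE AD ?? BE EF"),
}

def demo() -> dict:
    """Scan all three buffers; returns {label: {signature: [offsets]}}."""
    return {label: scan(buf, SIGNATURES)
            for label, buf in (("variant_a", VARIANT_A),
                               ("variant_b", VARIANT_B),
                               ("benign", BENIGN))}
```

Running `demo()` shows the exact signature hitting only variant A, while the wildcarded one hits both variants and the benign buffer, which is why a signature that is acceptable for a targeted scanner may be too noisy for mass-market AV.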
What I really would like to see in this area is something like an open source LittleSnitch that gets rules from a DHT, where you choose who to trust and everyone using such software publishes their trust list with the certificates they know to be good. For example, I would trust rules published by orgs like OpenBSD, Mozilla and the EFF.
Is there any FOSS equivalent to Little Snitch?
Obviously there are issues that need to be addressed further, but some system where people collectively share who is trustworthy and who is not would be valuable.
detekt.exe imports the "ntohl" function from WS2_32.DLL, which shouldn't be a cause for concern, but then shortly after startup it does spawn another instance of itself, which listens... Debugging into the child process, I set a breakpoint on all of ws2_32.dll's functions and resume, leading to this:
This leads back to _socket.pyd , sip.pyd, and eventually QtCore4.dll. Tracing a bit further, I see what's happening:
It starts a local Python web server in order to serve the main dialog of the application, the one with the language selector, which is an HTML page embedded in a browser control. No wonder it hung when you denied the connection and showed a blank frame. If you let it continue and figure out where it's listening, you can actually visit the page in your web browser and see the program's dialog. One of the most convoluted ways to display a dialog I've ever seen, and probably worth a "WTF?", but I don't think it's intended to be malicious. The developer could've handled this a bit better, that's for sure.
moyix | 11 years ago
Someone1234 | 11 years ago
dannyobrien | 11 years ago
hackuser | 11 years ago
Istof | 11 years ago
sneak | 11 years ago
http://www.theregister.co.uk/2014/07/03/nsa_xkeyscore_stasi_...
zmanian | 11 years ago
userbinator | 11 years ago
[1] http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&i...
[2] http://stackoverflow.com/questions/22926360/malwarebytes-giv...
[3] http://forum.bitdefender.com/index.php?showtopic=45169
[4] http://board.flatassembler.net/topic.php?t=8154
[5] https://forum.avast.com/index.php?topic=152926.0
[6] https://forum.avast.com/index.php?topic=120578.0
[7] http://itsacleanmachine.blogspot.ca/2012/01/antivirus-anger....
jmnicolas | 11 years ago
So sue me.
unclesaamm | 11 years ago
ChuckMcM | 11 years ago
_nullandnull_ | 11 years ago
pencilo | 11 years ago
malandrew | 11 years ago
It would be something like http://winhelp2002.mvps.org/hosts.htm but for more than just ads.
atmosx | 11 years ago
niels_olson | 11 years ago
gadfly | 11 years ago
https://github.com/botherder/detekt/issues/20
The developer immediately closed my report without discussion, and all he could say was: "Trust me. Detekt definitely isn't spyware."
Somehow, this does not make me feel secure.
userbinator | 11 years ago
Varcht | 11 years ago
snowmizuh | 11 years ago
lucb1e | 11 years ago
bdunbar | 11 years ago
daveloyall | 11 years ago
NB: I haven't read about the technical features of the tool.
It probably uses some kind of signature mechanism to identify malware.
...Surely the authors realize that they've just drawn a line in the sand against an APT. The biggest one ever.
Their tool and signature updates are presumably freely available online.
Have fun keeping those sigs up to date, tool authors!
You'd have been better off passing it around to journalists only via sneakernet and simply not talking about it.
wernercd | 11 years ago
na85 | 11 years ago
click170 | 11 years ago
This is awesome, just not for me as a non-Windows user. I don't want this to perpetuate the myth that using Mac or Linux makes you impervious though.
I still think the best solution to this, and other problems, is outbound filtering at the gateway.
jameshart | 11 years ago
letstryagain | 11 years ago
lol
Animats | 11 years ago
Max_Mustermann | 11 years ago
eru | 11 years ago
unknown | 11 years ago
[deleted]
willvarfar | 11 years ago
cjbenedikt | 11 years ago
bdunbar | 11 years ago