
A New Malware Detection Tool That Can Expose Illegitimate State Surveillance - silenteh
https://www.eff.org/deeplinks/2014/11/detekt-new-malware-detection-tool-can-expose-illegitimate-state-surveillance
======
moyix
Oh cool, I (indirectly) have code in this, since the Volatility memory
analysis framework is used to scan memory for the malware signatures.

As others have noted, this is unlikely to protect against new infections,
since governments will surely just check to make sure their malware isn't
detected by the scanner. On the other hand, since we don't really trust
corporate AV to detect state-sponsored malware, it seems like this fills a
need right now, and will likely result in some organizations discovering
they've been compromised by this kind of surveillance malware. So this still
seems very useful _right now_.

------
Someone1234
I love the EFF (and have donated money) but I am going to disagree with them
on this one.

As they themselves fully admit, the first thing the big g is going to do is
test that their malware v2 isn't detected by this. In the same way that
malware authors now check against Microsoft AV because it is the most popular.

So my point is that traditional AV in this scenario is a loser and will remain
a loser because it is a race AV just cannot win. It will only alert you to an
attacker well after the fact.

A far better EFF suggestion to "at risk" individuals (e.g. journalists,
activists, etc) is read-only systems. For example, grab a Live DVD of a Linux
distribution, boot it, use it, and then as soon as you turn it off everything
is reset to 0.

That won't address the "baseband issue" (e.g. firmware infections, UEFI, etc),
but neither does this. Only physical security really addresses the baseband.

~~~
dannyobrien
Hey, Danny O'Brien from EFF here. You're absolutely right: the best defense
against malware attacks of any kind is to increase the level of protection
that systems have, whether that's read-only distributions,
compartmentalization approaches like [Qubes](https://qubes-os.org/), or just
generally fixing the vulnerabilities that malware must exploit to take control.

Detekt is mostly about a different and earlier part of the problem: allowing
groups that may be currently targets of illegitimate state surveillance to
confirm that they have been infected by specific tools that we know to be used
by state attackers, and therefore confirm that they are indeed under this
specific sort of surveillance.

Up until now getting to the point of confirming that fact has mostly relied
on manual examination by experts. If an activist or journalist suspects they
may be under surveillance or infected with malware, they need to navigate the
usual challenges to fixing a malware infection, plus they need to eliminate
the (often far more probable) case that they are infected with the usual petty
criminal spyware.

This is about being able to positively identify a relatively small number of
cases of targeted illegitimate surveillance, out of an ecosystem of hundreds of
thousands of potential targets, and a huge array of potential exploiters of
vulnerabilities. Right now all the organizations supporting Detekt (EFF,
Amnesty International, Privacy International and Digitale Gesellschaft)
receive queries about potential infection cases from all around the world: now
we can scale up a little the first step of that triage we conduct. The
positive identifications that come out of Detekt we can take further, and
base, for instance, the [court cases against the Ethiopian
government](http://www.washingtonpost.com/business/technology/us-citizen-sues-ethiopia-for-allegedly-using-computer-spyware-against-him/2014/02/18/b17409c6-98aa-11e3-80ac-63a8ba7f7942_story.html)
in the UK and US that PI and EFF are conducting.

~~~
secfirstmd
Just to back up what Danny is saying here.

As part of a number of groups that do digital and physical security training
for journalists and human rights defenders, most of us have/do recommend the
use of live CDs like TAILS etc. Unfortunately my experience has shown that it
is very very difficult to get anything other than a small percentage of
journalists or HRDs using them for any period of time - especially in
countries where IT literacy levels are low. Linux (and also PGP) is just too
much of a cultural shift for most people. I mean even a security conscious guy
like Glenn Greenwald didn't even bother to learn PGP or Live CD usage in the
first few months of Snowden reaching out to him.

It is a gap in capability that many of us (including Danny at EFF) are working
on day and night to try and bridge though!

------
userbinator
I think AV software, despite all the benefits that it provides, also has a
very dangerous dark side - it encourages more-or-less blind trust by its
users, and thus can be used as a very powerful means of control to further an
agenda. The most common example of this is the detection of
keygens/cracks/patches as being malicious, many of which are clearly not (at
least back when I was still into that stuff around a decade ago - not sure
about now); I'm a reverse-engineer so I can inspect the files manually and see
the truth, but the average user will be far more likely to believe their AV
and assume it's malicious --- helping to spread the FUD. Seeing how things as
simple as completely innocent "Hello World" programs can get detected as false
positives[1][2][3][4][5][6][7] while state-sponsored spyware gets let through
is _very_ deeply disturbing.

IMHO signature/heuristic-based detection techniques are always prone to error,
and should be replaced with behaviour-based detection (and blocking). At the
moment, I think a good firewall (on another known-clean machine - ideally
running 100% open-source software) should be enough to detect any suspicious
network traffic.

[1]
[http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&id=217712](http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&id=217712)

[2]
[http://stackoverflow.com/questions/22926360/malwarebytes-gives-trojan-warning-for-basic-c-sharp-hello-world-program](http://stackoverflow.com/questions/22926360/malwarebytes-gives-trojan-warning-for-basic-c-sharp-hello-world-program)

[3]
[http://forum.bitdefender.com/index.php?showtopic=45169](http://forum.bitdefender.com/index.php?showtopic=45169)

[4]
[http://board.flatassembler.net/topic.php?t=8154](http://board.flatassembler.net/topic.php?t=8154)

[5]
[https://forum.avast.com/index.php?topic=152926.0](https://forum.avast.com/index.php?topic=152926.0)

[6]
[https://forum.avast.com/index.php?topic=120578.0](https://forum.avast.com/index.php?topic=120578.0)

[7]
[http://itsacleanmachine.blogspot.ca/2012/01/antivirus-anger.html](http://itsacleanmachine.blogspot.ca/2012/01/antivirus-anger.html)

~~~
jmnicolas
It depends on the AV. I have recent experience with 3 of them: Sophos and
Avira tend to classify every keygen as malware (Sophos is the worst) but
Kaspersky is OK with them (or doesn't detect any malware at all for all I know
;-)

And yes I do use cracks: I wish I was able to reward my fellow devs but I
don't have a start-up salary (even for my country my salary is pretty low) and
open source software is usually (and I insist on usually, not always) not up
to par.

So sue me.

------
unclesaamm
Looking at the code
([https://github.com/botherder/detekt](https://github.com/botherder/detekt)),
it's just looking for patterns of known malware. Isn't this just a subset of
what anti-virus software does?

~~~
ChuckMcM
Probably, but the suspicion is that some antivirus software "looks the other
way" for some signatures. Hard to say if that is true or not.

~~~
_nullandnull_
Name one AV company that "looks the other way"?

~~~
Someone1234
Microsoft AV, Norton, McAfee, etc. We know this, how? Because we can look at
Google's virustotal and see when a sample was first submitted and when it was
"detected." With typical malware there is a fairly short window between A and
B, with US G malware there is a HUGE window (months, sometimes years).

Either the US G just gets very lucky that their samples aren't ever looked at
deeper or more likely they have national security agreements with most of the
large US based anti-virus firms to hush hush.

~~~
im3w1l
This is a very interesting claim, and I want to check for myself. Could you
give more details? Name of usg malware? How to check time of submission and
detection?

------
malandrew
What I really would like to see in this area is something like an open source
LittleSnitch that gets rules from a DHT, where you choose who to trust and
everyone using such software publishes their trust list with the certificates
they know to be good. For example, I would trust rules published by orgs like
OpenBSD, Mozilla and the EFF.

Is there any FOSS equivalent to Little Snitch?

Obviously there are issues that need to be addressed further, but some system
where people collectively share who is trustworthy and who is not would be
valuable.

It would be something like
[http://winhelp2002.mvps.org/hosts.htm](http://winhelp2002.mvps.org/hosts.htm)
but for more than just ads.

------
atmosx
Isn't clamAV[1] very good at this already and free of charge AND not keen to
_close an eye_ on _specific signatures_?

[1]
[http://www.clamav.net/doc/install.html](http://www.clamav.net/doc/install.html)

[2] [http://www.clamxav.com](http://www.clamxav.com) for OSX

~~~
niels_olson
I believe Cisco now owns clamAV.

~~~
edwintorok
You don't have to use/trust the official database (or its whitelist). You
could create a custom database with just the signatures you are interested in
and run a scan with just that.
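
A way to try this suggestion offline, as an added example that is not ClamAV's or Detekt's own code: it assembles a custom database in ClamAV's plain-text .hdb (hash) and .ndb (byte pattern) formats from constructed sample content, then applies a minimal matcher for a subset of those formats so you can see exactly which of your own signatures a scan limited to that database would fire on. The sample bytes and signature names are constructed; only the `??` one-byte wildcard and absolute or `*` offsets are handled.

```python
"""Reader and matcher for a subset of two plain-text ClamAV signature formats.

.hdb line:  MD5:FileSize:MalwareName              (FileSize may be '*')
.ndb line:  MalwareName:TargetType:Offset:HexSig  (Offset '*' = anywhere;
            HexSig may use '??' as a one-byte wildcard)
"""
import hashlib
import re

# Constructed sample contents; neither is real malware or a Detekt artifact.
SAMPLE_CLEAN = b"hello benign file"
SAMPLE_HIT = b"\x00\x01spyware1X2 trailing bytes"


def make_hdb_line(data: bytes, name: str) -> str:
    """Derive an .hdb hash signature for content you already hold."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


# The custom database: one hash signature plus two byte-pattern signatures.
CUSTOM_HDB = make_hdb_line(SAMPLE_HIT, "Demo.Hash.Sample") + "\n"
CUSTOM_NDB = (
    "Demo.Pattern.Sample:0:*:7370797761726531??32\n"  # 'spyware1' ? '2'
    "Demo.Offset.Sample:0:0:0001\n"                   # bytes 00 01 at offset 0
)


def hex_to_regex(sig_hex: str) -> bytes:
    """Translate a ClamAV hex signature (with '??' wildcards) to a bytes regex."""
    parts = []
    for i in range(0, len(sig_hex), 2):
        pair = sig_hex[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return b"".join(parts)


def scan(data: bytes, hdb_text: str, ndb_text: str) -> list:
    """Return the names of every custom signature that matches `data`."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    for line in hdb_text.splitlines():
        if not line or line.startswith("#"): continue
        md5, size, name = line.split(":", 2)
        if md5.lower() == digest and (size == "*" or int(size) == len(data)):
            hits.append(name)
    for line in ndb_text.splitlines():
        if not line or line.startswith("#"): continue
        name, _target, offset, sig_hex = line.split(":")[:4]
        pattern = re.compile(hex_to_regex(sig_hex), re.DOTALL)
        found = pattern.search(data) if offset == "*" else pattern.match(data, int(offset))
        if found:
            hits.append(name)
    return hits
```

With real content, the same lines written to a file are what `clamscan -d custom.hdb` or `clamscan -d custom.ndb` loads, and with `-d` pointing at your own file clamscan uses only those signatures instead of the official database.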

------
gadfly
I observed some suspicious spy-like activity by Detekt v.1.1 and added an
issue to the Detekt github site:

[https://github.com/botherder/detekt/issues/20](https://github.com/botherder/detekt/issues/20)

The developer immediately closed my report, without discussion and all he
could say is: "Trust me. Detekt definitely isn't spyware."

Somehow, this does not make me feel secure.

~~~
userbinator
detekt.exe imports from WS2_32.DLL "ntohl" function, which shouldn't be a
cause for concern, but then shortly after startup it _does_ spawn another
instance of itself, which listens... debugging into the child process, I set a
breakpoint on all of ws2_32.dll's functions and resume, leading to this:

    0350F024   012D4110  /CALL to socket from _socket.012D410A
    0350F028   00000002  |Family = AF_INET
    0350F02C   00000001  |Type = SOCK_STREAM
    0350F030   00000000  \Protocol = IPPROTO_IP
    0350F034   012DBAD8  _socket.012DBAD8
    0350F038   02D93610
    0350F03C   00000000
    0350F040   00000001
    0350F044   00000002
    0350F048   1E0C18A8  RETURN to python27.1E0C18A8

This leads back to _socket.pyd , sip.pyd, and eventually QtCore4.dll. Tracing
a bit further, I see what's happening:

It starts a local Python web server in order to serve the main dialog of the
application, the one with the language selector, which _is an HTML page
embedded in a browser control_. No wonder it hung when you denied the
connection and showed a blank frame. If you let it continue and figure out
where it's listening, you can actually visit the page in your web browser and
see the program's dialog. One of the most convoluted ways to display a dialog
I've ever seen, and probably worth a "WTF?", but I don't think it's intended
to be malicious. The developer could've handled this a bit better, that's for
sure.

~~~
libertyboy2007
I do think it's intended to be malicious!!!

Consider that the majority of the people who aim to download and use this
THING are those who do something against their government's red lines. This is
quite enough to make this THING a good Trojan horse for hiding anything that
can track/detect(detekt!?) an activist. Serving the main dialog of the
application may be merely a camouflage for other uses of Python inside the
file.

any idea?

------
Varcht
Before going through the trouble, it does not run on Windows 8.1 64bit.

~~~
snowmizuh
I got it to run by setting compatibility mode to Windows 7.

~~~
higherpurpose
I couldn't.

------
daveloyall
The tool's website is being EFF'd. (hah!)

NB: I haven't read about the technical features of the tool.

It probably uses some kind of signature mechanism to identify malware.

...Surely the authors realize that they've just drawn a line in the sand
against an APT. The biggest one ever.

Their tool and signature updates are presumably freely available online.

Have fun keeping those sigs up to date, tool authors!

You'd have been better off passing it around to journalists only via
sneakernet and simply not talking about it.

~~~
wernercd
Security through obscurity? 70% of the time, it works every time...

~~~
daveloyall
Yeah! :) "better off" != "best off". I don't know what "best off" might be...

Oh, user moyix brings up an excellent point that I had not considered re:
"right now".

------
na85
Seems like just another regular anti-virus tool. Surely state-sponsored
hackers have been getting around these for years?

------
click170
"Detekt is a free tool that scans your Windows computer..."

This is awesome, just not for me as a non-Windows user. I don't want this to
perpetuate the myth that using Mac or Linux makes you impervious though.

I still think the best solution to this, and other problems, is outbound
filtering at the gateway.

------
jameshart
How does it avoid false positives and not alert on legitimate state
surveillance?

~~~
letstryagain
> legitimate state surveillance?

lol

------
Animats
This is signature-based virus detection, right? I thought everybody had given
up on that, now that only the dumb attacks have a constant signature.

------
Max_Mustermann
I find it curious that it is available in Amharic but not in other much more
widespread languages.

~~~
eru
Perhaps an Amharic speaker was involved?

------
willvarfar
Why aren't they instead recommending journalists use Tails?

------
cjbenedikt
Doesn't work with Windows 8.1 though :-(

~~~
bdunbar
It does for me.

