Oh cool, I (indirectly) have code in this, since the Volatility memory analysis framework is used to scan memory for the malware signatures.
As others have noted, this is unlikely to protect against new infections, since governments will surely just check to make sure their malware isn't detected by the scanner. On the other hand, since we don't really trust corporate AV to detect state-sponsored malware, it seems like this fills a need right now, and will likely result in some organizations discovering they've been compromised by this kind of surveillance malware. So this still seems very useful right now.
I love the EFF (and have donated money) but I am going to disagree with them on this one.
As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this. In the same way that malware authors now check against Microsoft AV because it is the most popular.
So my point is that traditional AV in this scenario is a loser and will remain a loser because it is a race AV just cannot win. It will only alert you to an attacker well after the fact.
A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc) is read only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.
That won't address the "baseband issue" (e.g. firmware infections, uEFI, etc), but neither does this. Only physical security really addresses the baseband.
Hey, Danny O'Brien from EFF here. You're absolutely right: the best defense against malware attacks of any kind is to increase the level of protection that systems have, whether that's read-only distributions, compartmentalization approaches like <a href="https://qubes-os.org/">Qubes</a>, or just generally fixing the vulnerabilities that malware must exploit to take control.
Detekt is mostly about a different and earlier part of the problem: allowing groups that may be currently targets of illegitimate state surveillance to confirm that they have been infected by specific tools that we know to be used by state attackers, and therefore confirm that they are indeed under this specific sort of surveillance.
Up until now getting to the point of confirming that fact, has mostly relied on manual examination by experts. If an activist or journalist suspects they may be under surveillance or infected with malware, they need to navigate the usual challenges to fixing a malware infection, plus they need to eliminate the (often far more probable) case that they are infected with the usual petty criminal spyware.
This is about being able to positively identify a relatively small number of cases of targeted illegitimate surveillance, out of a ecosystem of hundreds of thousands of potential targets, and a huge array of potential exploiters of vulnerabilities. Right now all the organizations supporting Detekt (EFF, Amnesty International, Privacy International and Digitale Gesellschaft) receive queries about potential infection cases from all around the world: now we can scale up a little the first step of that triage we conduct. The positive identifications that come out of Detekt we can take further, and base, for instance, the <a href="http://www.washingtonpost.com/business/technology/us-citizen... cases against the Ethiopian government</a> in the UK and US that PI and EFF are conducting.
As part of a number of groups that do digital and physical security training for journalists and human rights defenders, most of us have/do recommend the use of live CDs like TAILS etc. Unfortunately my experience has shown that it is very very difficult to get anything other than a small percentage of journalists or HRDs using them for any period of time - especially in countries where IT literacy levels are low. Linux (and also PGP) is just too much of a cultural shift for most people. I mean even a security conscious guy like Glen Greenwald didn't even bother to learn PGP or Live CD usage in the first few months of Snowden reaching out to him.
It is a gap in capability that many of us (including Danny at EFF) are working on day and night to try and bridge though!
> As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this ... it is a race AV just cannot win.
This can be said of every security solution. The value of security is to increase the attackers' cost, which will deter attackers who don't want to pay the higher price. There is no absolute security.
Also, the prospect of updates will increase attacker costs more, as some attackers will feel the need to proactively avoid detection by future versions too.
this is the entire point of defenses like ASLR and stack canaries. the attacker knows they are there, but knowing the form of the defenses doesn't inherently aid the attacker...
Knowing a defense has weaknesses doesn't make it worthless when it takes extra effort for an attacker to exploit that weakness. There is no proven secure consumer OS (I'm including common userland apps in that) so things like ASLR and stack canaries are just extra obstacles to get around.
Grab a live DVD, but how do you make sure that the hash used to verify the ISO is what it should be? transfer it offline? because if you are trying to avoid being spied on by the government, I don't think CAs/TLS can be used
> A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc) is read only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.
It's called TAILS. It also triggers scrutiny by "the big g".
All of these memory signature scanning tools have a limited window of opportunity before the malware adapts. The involved organizations probably determined that the value of the current set of signatures was near the end and there was value to getting some parties outside of direct collaborators using the tool during a brief window.
I think AV software, despite all the benefits that it provides, also has a very dangerous dark side - it encourages more-or-less blind trust by its users, and thus can be used as a very powerful means of control to further an agenda. The most common example of this is the detection of keygens/cracks/patches as being malicious, many of which are clearly not (at least back when I was still into that stuff around a decade ago - not sure about now); I'm a reverse-engineer so I can inspect the files manually and see the truth, but the average user will be far more likely to believe their AV and assume it's malicious --- helping to spread the FUD. Seeing how things as simple as completely innocent "Hello World" programs can get detected as false positives[1][2][3][4][5][6][7] while state-sponsored spyware gets let through is very deeply disturbing.
IMHO signature/heuristic-based detection techniques are always prone to error, and should be replaced with behaviour-based detection (and blocking). At the moment, I think a good firewall (on another known-clean machine - ideally running 100% open-source software) should be enough to detect any suspicious network traffic.
It depends on the AV. I have recent experience with 3 of them : Sophos and Avira tends to classify every keygen as a malware (Sophos is the worst) but Kaspersky is OK with them (or don't detect any malware at all for what I know ;-)
And yes I do use cracks : I wish I was able to reward my fellow devs but I don't have a start-up salary (even for my country my salary is pretty low) and open source softwares are usually (and I insist on usually, not always) not up to par.
Looking at the code (https://github.com/botherder/detekt), it's just looking for patterns of known malware. Isn't this just a subset of what anti-virus software does?
Microsoft AV, Norton, McAfee, etc. We know this, how? Because we can look at Google's virustotal and see when a sample was first submitted and when it was "detected." With typical malware there is a fairly short window between A and B, with US G malware there is a HUGE window (months, sometimes years).
Either the US G just gets very lucky that their samples aren't ever looked at deeper or more likely they have national security agreements with most of the large US based anti-virus firms to hush hush.
This is a very interesting claim, and I want to check for myself. Could you give more details? Name of usg malware? How to check time of submission and detection?
If Microsoft AV looks the other way for one set and Kaspersky looks the other way for another set, is it possible that there is a value of using a union of the two?
I assume Microsoft AV isn't going to look the other way for Russian exploits, unless the US is also using them, and vice versa.
> Isn't this just a subset of what anti-virus software does?
Yes. The signatures are written more generically to detect the samples though. AV software can (or at least shouldn't) write signatures so generically because the potential for false positives. Since the scanner is scanning a non-enterprise environment the signatures can be a little more generic.
That makes no sense to me. Isn't it important for this to be useful in an enterprise environment too? Gov't may be spying on any number of entities, including businesses.
What I really would like to see in this area is something like an open source LittleSnitch that gets rules from a DHT, where you choose who to trust and everyone using such software publishes their trust list with the certificates they know to be good. For example, I would trust rules published by orgs like OpenBSD, Mozilla and the EFF.
Is there any FOSS equivalent to Little Snitch?
Obviously there are issues that need to be addressed further, but some system where people collectively share who is trustworthy and who is not would be valuable.
You don't have to use/trust the official database (or its whitelist).
You could create a custom database with just the signatures you are interested in and run a scan with just that.
detekt.exe imports from WS2_32.DLL "ntohl" function, which shouldn't be a cause for concern, but then shortly after startup it does spawn another instance of itself, which listens... debugging into the child process, I set a breakpoint on all of ws2_32.dll's functions and resume, leading to this:
This leads back to _socket.pyd , sip.pyd, and eventually QtCore4.dll. Tracing a bit further, I see what's happening:
It starts a local Python web server in order to serve the main dialog of the application, the one with the language selector, which is an HTML page embedded in a browser control. No wonder it hung when you denied the connection and showed a blank frame. If you let it continue and figure out where it's listening, you can actually visit the page in your web browser and see the program's dialog. One of the most convoluted ways to display a dialog I've ever seen, and probably worth a "WTF?", but I don't think it's intended to be malicious. The developer could've handled this a bit better, that's for sure.
consider that the majority of the people who aim to download and use this THING are those who do something against their government's red lines. This is quiet enough to make this THING a good Trojan horse for hiding anything than can track/detect(detekt!?) an activist. serving the main dialog of the application may be merely a camouflage for other uses of Python inside the file.
The developer has re-opened my report now, which will probably never be addressed anyway, since the UI is so convoluted.
Funny thing is that this 'anti-spyware' app creates more confusion than most of the spyware I've seen. Sadly, most people will just run this thing and think they're safe, since they believe the authorities (eff.org, amnesty) but don't even use a firewall.
As others have noted, this is unlikely to protect against new infections, since governments will surely just check to make sure their malware isn't detected by the scanner. On the other hand, since we don't really trust corporate AV to detect state-sponsored malware, it seems like this fills a need right now, and will likely result in some organizations discovering they've been compromised by this kind of surveillance malware. So this still seems very useful right now.