I'm on vacation at the moment and it's going to take some time to analyze Detekt, but there are a number of problems with the software so far that need help and possibly a write-up or two. Most of it makes me think, "something doesn't smell right here." Here are some random thoughts after a first pass through the code.
No guarantee of accuracy here, and consider these open to discussion.

1. It's a strings-based signature approach that lends itself to serious false positives. AV software has been detected as a false positive many times and Claudio suggests disabling AV software when running this (this seems, um, bad.) See things like: https://github.com/botherder/detekt/blob/master/rules/finfisher.yar Many of the rules / signatures appear in other software.

2. The signatures are based on older copies of the RAT tools, which means newer copies will (probably) be able to evade detection. This is mentioned in the readme.

3. Instead of a well tested piece of software, what we have is an activist press gambit. I feel that this software creates a flurry of press for activist groups and shouldn't have been released, to anyone, until it was solidly tested. It's just a hair above beta software at the moment.

4. It's reliant on an accurate view of the process table from the admin's perspective to detect things. If the malware hides its process, this scanner will fail. Unsure if this sort of hiding is possible in the RATs identified here, but it's a concern. Maybe it should use the volatility psx plugin? https://volatility.googlecode.com/svn&ct=rc&cd=1/trunk/volatility/plugins/malware/psxview.py

5. Is something better than nothing? Probably, but the shitstorm of false positives introduced by this tool will make it just confusing enough to not trust it. There is much too much uncertainty here.

-j

On Sat, Nov 22, 2014 at 12:03 PM, Andy Isaacson <a...@hexapodia.org> wrote:
> On Thu, Nov 20, 2014 at 02:02:24PM -0500, AntiTree wrote:
>> I don't see what this would do that an AV wouldn't. Of the samples
>> I've reviewed, most (all?) have been detected by AV.
>
> On the contrary, Claudio has documented several RATs and other
> "surveillance" malwares used by repressive governments that are not
> detected by AV.
>
> https://twitter.com/botherder/status/535944272047267840
>
> This makes sense; HackingTeam (or whatever other shady malware vendor)
> is going to test against the tools that are currently used.
>
> As Claudio explains elsewhere in recent tweets, the point of Detekt is
> not to build a long-lasting tool that will detect government malware
> going forward; the point is to provide a tool *today* that people who
> are compromised *today* can use to learn that fact.
>
> -andy
> --
> Liberationtech is public & archives are searchable on Google. Violations of
> list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> compa...@stanford.edu.
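Added illustration of the cross-view idea behind the psxview suggestion in point 4 above (example code written for this write-up, not Detekt's or Volatility's; the process lists are constructed, and the view names are hypothetical labels for a live process walk, a pool scan and a thread-table walk):

```python
# Toy cross-view comparison in the spirit of Volatility's psxview plugin.
# A scanner that only walks the live process list sees exactly what a
# rootkit that unlinks its process wants it to see. Independent views of
# the same machine (pool scan of process objects, thread table) tend to
# still contain the process, so a PID present in some views but absent
# from the primary list is a triage lead. Added example, not project code.

# Constructed sample data (hypothetical PIDs/names, not real tool output):
# PID 2016 appears in the scan and thread views but not in the live list.
PSLIST = {4: "System", 428: "csrss.exe", 612: "explorer.exe", 1340: "chrome.exe"}
PSSCAN = {**PSLIST, 2016: "svchost.exe"}
THRDPROC = {**PSLIST, 2016: "svchost.exe"}
VIEWS = {"pslist": PSLIST, "psscan": PSSCAN, "thrdproc": THRDPROC}


def cross_view(views):
    """views: {view_name: {pid: name}}.

    Returns psxview-style rows: (pid, name, {view_name: present?}),
    sorted by PID, covering every PID seen in any view."""
    all_pids = set()
    for procs in views.values():
        all_pids |= set(procs)
    rows = []
    for pid in sorted(all_pids):
        presence = {v: pid in procs for v, procs in views.items()}
        name = next(procs[pid] for procs in views.values() if pid in procs)
        rows.append((pid, name, presence))
    return rows


def hidden_from(views, primary="pslist"):
    """PIDs missing from the primary view but present in at least one other.

    Caveat for triage: a recently exited process can linger in a pool scan
    after it has left the live list, so a hit here is a lead to check
    (exit time, parent, image path), not proof of hiding."""
    return [pid for pid, _, pres in cross_view(views)
            if not pres[primary] and any(pres.values())]


if __name__ == "__main__":
    for pid, name, pres in cross_view(VIEWS):
        flags = " ".join(f"{v}={'y' if ok else 'n'}" for v, ok in pres.items())
        print(f"{pid:>6} {name:<14} {flags}")
    print("not in pslist but seen elsewhere:", hidden_from(VIEWS))
```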