Re: [liberationtech] Detekt

2014-11-22 Thread Andy Isaacson
On Thu, Nov 20, 2014 at 02:02:24PM -0500, AntiTree wrote:
> I don't see what this would do that an AV wouldn't. Of the samples
> I've reviewed, most (all?) have been detected by AV.

On the contrary, Claudio has documented several RATs and other
surveillance malwares used by repressive governments that are not
detected by AV.

https://twitter.com/botherder/status/535944272047267840

This makes sense; HackingTeam (or whatever other shady malware vendor)
is going to test against the tools that are currently used.

As Claudio explains elsewhere in recent tweets, the point of Detekt is
not to build a long-lasting tool that will detect government malware
going forward; the point is to provide a tool *today* that people who
are compromised *today* can use to learn that fact.

-andy
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


Re: [liberationtech] Detekt

2014-11-22 Thread John Adams
I'm on vacation at the moment and it's going to take some time to
analyze Detekt, but there are a number of problems with the software
so far that need help and possibly a write-up or two. Most of it makes
me think, something doesn't smell right here. Here are some random
thoughts after a first pass through the code.

No guarantee of accuracy here, and consider these open to discussion.

1. It's a strings-based signature approach that lends itself to
serious false positives. AV software has been detected as a false
positive many times and Claudio suggests disabling AV software when
running this (this seems, um, bad.)

See things like:
https://github.com/botherder/detekt/blob/master/rules/finfisher.yar

Many of the rules / signatures appear in other software.

2. The signatures are based on older copies of the RAT tools, which
means newer copies will (probably) be able to evade detection. This is
mentioned in the readme.

3. Instead of a well tested piece of software, what we have is an
activist press gambit. I feel that this software creates a flurry of
press for activist groups and shouldn't have been released, to anyone,
until it was solidly tested. It's just a hair above beta software at
the moment.

4. It's reliant on an accurate view of the process table from the
admin's perspective to detect things. If the malware hides its
process, this scanner will fail. Unsure if this sort of hiding is
possible in the RATs identified here, but it's a concern. Maybe it
should use the volatility psx plugin?
https://volatility.googlecode.com/svnct=rccd=1/trunk/volatility/plugins/malware/psxview.py

5. Is something better than nothing? Probably, but the shitstorm of
false positives introduced by this tool will make it just confusing
enough to not trust it. There is much too much uncertainty here.

-j


On Sat, Nov 22, 2014 at 12:03 PM, Andy Isaacson a...@hexapodia.org wrote:
> On Thu, Nov 20, 2014 at 02:02:24PM -0500, AntiTree wrote:
> > I don't see what this would do that an AV wouldn't. Of the samples
> > I've reviewed, most (all?) have been detected by AV.
>
> On the contrary, Claudio has documented several RATs and other
> surveillance malwares used by repressive governments that are not
> detected by AV.
>
> https://twitter.com/botherder/status/535944272047267840
>
> This makes sense; HackingTeam (or whatever other shady malware vendor)
> is going to test against the tools that are currently used.
>
> As Claudio explains elsewhere in recent tweets, the point of Detekt is
> not to build a long-lasting tool that will detect government malware
> going forward; the point is to provide a tool *today* that people who
> are compromised *today* can use to learn that fact.
>
> -andy
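To make points 1 and 4 above concrete, here is an added toy example (my own, not Detekt's code): a minimal strings-based matcher in the spirit of a YARA "N of them" rule, run over constructed process memory, plus a psxview-style cross-view check. The rule strings, process names, pids and the `rat_c2_beacon` marker are all constructed for illustration.

```python
"""Toy strings-based scanner: shows why loose string rules fire on benign
software, and why trusting a single process listing misses hidden processes.
Rules, samples and process views are constructed; this is not Detekt code."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: list   # byte patterns, like a YARA 'strings' section
    required: int   # distinct strings that must be present ("N of them")


def match(rule: Rule, data: bytes) -> bool:
    """True when at least `required` of the rule's strings occur in `data`."""
    return sum(1 for s in rule.strings if s in data) >= rule.required


# Constructed process memory: a made-up RAT (pid 3100) and a benign
# screen-sharing client (pid 2200) that legitimately uses the same
# Windows APIs, so it shares most of the RAT's strings.
PROCESSES = {
    1000: (b"explorer.exe", b"Shell_TrayWnd\x00user32.dll\x00"),
    2200: (b"meetingclient.exe",
           b"BitBlt\x00GetAsyncKeyState\x00wininet.dll\x00"),
    3100: (b"svchost.exe",
           b"BitBlt\x00GetAsyncKeyState\x00wininet.dll\x00rat_c2_beacon\x00"),
}
SHARED = [b"BitBlt", b"GetAsyncKeyState", b"wininet.dll"]
# Loose rule: any two common API names -> false positive on the client.
LOOSE = Rule("rat_loose", SHARED, required=2)
# Tight rule: also requires the sample-specific marker string.
TIGHT = Rule("rat_tight", SHARED + [b"rat_c2_beacon"], required=4)


def scan(rule: Rule, visible_pids) -> list:
    """Pids in the listing the scanner trusts whose memory matches `rule`."""
    return sorted(p for p in visible_pids if match(rule, PROCESSES[p][1]))


def hidden_pids(primary_view, secondary_view) -> list:
    """psxview-style cross-view check: pids seen by a second enumeration
    method but absent from the primary (task-list) view the scanner uses."""
    return sorted(set(secondary_view) - set(primary_view))


if __name__ == "__main__":
    print("loose:", scan(LOOSE, PROCESSES))          # [2200, 3100]
    print("tight:", scan(TIGHT, PROCESSES))          # [3100]
    print("hidden:", hidden_pids([1000, 2200], PROCESSES))  # [3100]
```

Tightening the rule removes the false positive on the benign client, but if pid 3100 is absent from the trusted listing the scanner never reads it at all; only the cross-view comparison surfaces it.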


[liberationtech] Detekt

2014-11-20 Thread Richard Brooks
Any reviews/opinions of this:

https://resistsurveillance.org/


Re: [liberationtech] Detekt

2014-11-20 Thread AntiTree
I don't see what this would do that an AV wouldn't. Of the samples
I've reviewed, most (all?) have been detected by AV.

On Thu, Nov 20, 2014 at 10:05 AM, Richard Brooks r...@g.clemson.edu wrote:
> Any reviews/opinions of this:
>
> https://resistsurveillance.org/