Detekt - detects spyware

[Callender]

A new tool to enable journalists and human rights defenders to scan their computers for known surveillance spyware has been released today by Amnesty International and a coalition of human rights and technology organizations.

Detekt is the first tool to be made available to the public that detects major known surveillance spyware, some of which is used by governments, in computers.

Note: requires additional software to be installed.

 

[lehnerus2000]

Handy

This could be useful.

I was just reading an article about how the police in the US are" jumping up and down" about new phones (iPhone and Google) having built-in encryption.
If they hadn't been abusing their powers it wouldn't have happened.

Lets face it.
Dodgy individuals (e.g. criminals, corporate types, politicians and spies) already have access to this stuff.

Now we need all of the ISPs to do something similar for us "little people".

 

[Anak]

Callender, can you be more specific about your note?

Note: requires additional software to be installed.

I looked the site over and didn't find anything about additional software.

 

[Layback Bear]

I can see the bad guys using such a program.

Under the flag of a Charitable Organization transmitting their dirty deeds and use the protection that such a Organization offers.

I try to keep in mind that such a program can be use for good and bad and sometimes ugly things.

 

[Stephanie]

Is this a standalone application ?

 

[Tookeri]

Is this a standalone application ?

According to this article it is. And no requirements mentioned other than Windows itself. Just elevated rights.
Detekt, a free tool for Windows to detect surveillance spyware - gHacks Tech News

 

[Tookeri]

And here's the Virustotal report, no detections ATM: https://www.virustotal.com/en/file/...e5e16be769b95d713e8b69338d4bd2cde32/analysis/

 

[Stephanie]

Thank you Tookeri

 

[Callender]

Additional Software

Callender, can you be more specific about your note?

Note: requires additional software to be installed.

I looked the site over and didn't find anything about additional software.

Some answers:

Yes it's a standalone application.

Additional software required is listed here under "Requirements"

https://github.com/botherder/detekt

I already have Python 2.7 installed. Volatility is mentioned but I have the standalone version installed for use with OSForensics. It's not clear to me if Volatility is required to be installed separately.

Requirements

When compiling the tool on Windows systems, you'll have to install some requirements first, including:
Python 2.7
Yara 3.x
PyQt4
PyWin32

EDIT: As Tookeri says in the next post nothing extra is required unless compiling! I must admit that I hadn't personally run Detekt or properly read through the available information when creating the original post.

 

[Tookeri]

To clarify: those requirements are only needed if you want to build/compile it yourself. They're not needed if you download the 26 MB exe file.

 

[Anak]

Thanks Callender, and Tookeri!

I've seen that before on other github pages, but I went to github through the Amnesty International link and it sent me to here: https://resistsurveillance.org/ and the D/L link there sent me to: https://github.com/botherder/detekt/releases/tag/v1.1 and I didn't click on any of the right side links to check code, issues, pull requests, etc. It's my turn to be

So I ran it and it looks good, I guess I'm not that interesting


I'm hard wired to my ISP router and when I started Detekt it threw the internet warning:


So I pulled the cat6 and started the scan.

On the resistsurveillance page it says it could take up to a half hour which isn't too bad, Mbam takes 58" and SAS 28" on my machine. So I went off to do other things.


That's a blue striped progress bar and a blue refresh link below it and below that it says it will automatically refresh every 5seconds.

I came back in 60" and the progress bar was still running so I clicked on the refresh link, it stopped and opened up the log:

detekt.log - Notepad
2014-11-20 05:26:15,026 - detector - INFO - Starting with process ID 4240
2014-11-20 05:26:15,026 - detector - INFO - Selected Profile Name: Win7SP1x64
2014-11-20 05:26:15,026 - detector - INFO - Selected Driver: C:\Users\Anak\AppData\Local\Temp\_MEI53362\drivers\winpmem64.sys
2014-11-20 05:26:15,026 - detector.service - INFO - Launching service destroyer...
2014-11-20 05:26:15,026 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'The specified service does not exist as an installed service.')
2014-11-20 05:26:15,026 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-20 05:26:15,026 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-20 05:26:15,026 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'The handle is invalid.')
2014-11-20 05:26:15,042 - detector.service - INFO - Trying to start the winpmem service...
2014-11-20 05:26:15,073 - detector - INFO - Service started
2014-11-20 05:26:15,073 - detector - INFO - Selected Yara signature file at C:\Users\Anak\AppData\Local\Temp\_MEI53362\rules\signatures.yar
2014-11-20 05:26:15,073 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-20 05:26:16,805 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x08013650>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x03138AD0>
2014-11-20 05:26:16,805 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x0649C270>, DTB: 0x187000
2014-11-20 05:26:16,805 - detector - INFO - Starting yara scanner...
2014-11-20 06:17:40,697 - detector - INFO - Scanning finished
2014-11-20 06:17:40,697 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-20 06:17:40,697 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-20 06:17:40,697 - detector - INFO - Service stopped
2014-11-20 06:17:40,697 - detector - INFO - Analysis finished

It took 51" to run on my machine; Best I can tell winpmem is a Windows Live Memory Acquisition Tool

Malware scan of winpmem.exe ad2fb95f00f1b0128569518ca81633d7631ab1c7 - herdProtect the 1/68 is probably from the winpmem file.

Mine sure doesn't look like some of the others I've seen, notice the names in the hex code block near the bottoms:
detektfinding - Pastebin.com
[GITHUB] Detekt v1.0 - a spyware prog of a difference
2014-11-20 14:59:01,835 - detector - INFO - Starting with process ID 3244 2014- - Pastebin.com

 

[Tookeri]

Mine sure doesn't look like some of the others I've seen, notice the names in the hex code block near the bottoms

You should be lucky for that because the others indicate they have a full-blown malicious Remote Access Tool - Xtreme Rat, on their system. Example:

1. 2014-11-20 12:49:05,115 - detector - WARNING - Process firefox.exe (pid: 4324) matched: Xtreme at address: 0x10E3BC10, Value:
2. 58 74 72 65 6d 65 52 41 54 5a 5a 5a 5a 5a 5a 5a XtremeRATZZZZZZZ
3. 01 00 00 00 06 00 00 00 42 00 52 00 00 00 5a 5a ........B.R...ZZ
4. 00 00 00 00 20 01 87 7d 48 47 46 0c 40 47 46 0c .......}HGF.@GF.
5. d0 d2 33 6a 02 00 00 00 00 9c ac 11 5a 5a 5a 5a ..3j........ZZZZ
6. 01 00 00 00 04 00 00 00 23 00 00 00 5a 5a 5a 5a ........#...ZZZZ

Detekt says it's trying to detect these:

• DarkComet RAT
• XtremeRAT
• BlackShades RAT
• njRAT
• FinFisher FinSpy
• HackingTeam RCS
• ShadowTech RAT
• Gh0st RAT

 

[andrew129260]

I will look into it thank you.

 

[Callender]

Results

My results: Nothing found!

File changes that I could detect:

View attachment V drive log saved at 011243.log

 

[Anak]

Mine sure doesn't look like some of the others I've seen, notice the names in the hex code block near the bottoms

You should be lucky for that because the others indicate they have a full-blown malicious Remote Access Tool - Xtreme Rat, on their system. Example:

From their results all three of those systems are hosed.

 

[Tookeri]

I thought a good and honest anti-virus product also can detect these but I'm having trouble verifying it. This BBC article says:
- The Detekt software was needed as standard anti-virus programs often missed spying software, it said.
- These spying tools are marketed on their ability to get round your bog-standard anti-virus.
- There had also been cases in the past, he said, when computer security companies collaborated with governments to ignore spyware they found planted on machines.

Here's a 2 year old Virustotal report that shows the various detection names of Xtreme RAT. It shows it's not easy these days to determine the malware by the detection name:
https://www.virustotal.com/en/file/...e93245d853a78f8cb79952ed/analysis/1356899566/
Another: https://www.virustotal.com/en/file/...6be1d19d13643afecc29bcd0d7999e3d6ea/analysis/

It's also interesting to note which AV's didn't detect anything, even if the VT reports are old.

 

[Anak]

Hopefully Detekt will stay the course and not succumb to external pressures.

 

[Tookeri]

This is interesting, the latest version of Detekt has dropped 6 detections and now only targets these:
DarkComet RAT
XtremeRAT
BlackShades RAT
njRAT
FinFisher FinSpy
HackingTeam RCS
ShadowTech RAT
Gh0st RAT
https://github.com/botherder/detekt/commit/c83cae225bbca08721278c0b6ba6e41b87474093

So what does previous detections of these dropped ones mean now? Detekt recommended them to stop using their computers and even considering disposing the computer

 

[A Guy]

Oi, that's not good. That would scare me off the program. I ran it and it alerted on Superantispyware.exe. It scans as clean of course. Also alerted on Genie Timeline Search Indexer, again clean. That's it for me with this new product.

A Guy

 

[Tookeri]

Same here. I waited like some wait a week before installing new Windows updates, but now I don't think I'll ever try it. It seems to be a very confusing program.