A New Malware Detection Tool That Can Expose Illegitimate State Surveillance
eff.orgOh cool, I (indirectly) have code in this, since the Volatility memory analysis framework is used to scan memory for the malware signatures.
As others have noted, this is unlikely to protect against new infections, since governments will surely just check to make sure their malware isn't detected by the scanner. On the other hand, since we don't really trust corporate AV to detect state-sponsored malware, it seems like this fills a need right now, and will likely result in some organizations discovering they've been compromised by this kind of surveillance malware. So this still seems very useful right now.
I love the EFF (and have donated money) but I am going to disagree with them on this one.
As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this. In the same way that malware authors now check against Microsoft AV because it is the most popular.
So my point is that traditional AV in this scenario is a loser and will remain a loser because it is a race AV just cannot win. It will only alert you to an attacker well after the fact.
A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc) is read only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.
That won't address the "baseband issue" (e.g. firmware infections, uEFI, etc), but neither does this. Only physical security really addresses the baseband.
Hey, Danny O'Brien from EFF here. You're absolutely right: the best defense against malware attacks of any kind is to increase the level of protection that systems have, whether that's read-only distributions, compartmentalization approaches like <a href="https://qubes-os.org/">Qubes</a>, or just generally fixing the vulnerabilities that malware must exploit to take control.
Detekt is mostly about a different and earlier part of the problem: allowing groups that may be currently targets of illegitimate state surveillance to confirm that they have been infected by specific tools that we know to be used by state attackers, and therefore confirm that they are indeed under this specific sort of surveillance.
Up until now getting to the point of confirming that fact, has mostly relied on manual examination by experts. If an activist or journalist suspects they may be under surveillance or infected with malware, they need to navigate the usual challenges to fixing a malware infection, plus they need to eliminate the (often far more probable) case that they are infected with the usual petty criminal spyware.
This is about being able to positively identify a relatively small number of cases of targeted illegitimate surveillance, out of a ecosystem of hundreds of thousands of potential targets, and a huge array of potential exploiters of vulnerabilities. Right now all the organizations supporting Detekt (EFF, Amnesty International, Privacy International and Digitale Gesellschaft) receive queries about potential infection cases from all around the world: now we can scale up a little the first step of that triage we conduct. The positive identifications that come out of Detekt we can take further, and base, for instance, the <a href="http://www.washingtonpost.com/business/technology/us-citizen... cases against the Ethiopian government</a> in the UK and US that PI and EFF are conducting.
Just to back up what Danny is saying here.
As part of a number of groups that do digital and physical security training for journalists and human rights defenders, most of us have/do recommend the use of live CDs like TAILS etc. Unfortunately my experience has shown that it is very very difficult to get anything other than a small percentage of journalists or HRDs using them for any period of time - especially in countries where IT literacy levels are low. Linux (and also PGP) is just too much of a cultural shift for most people. I mean even a security conscious guy like Glen Greenwald didn't even bother to learn PGP or Live CD usage in the first few months of Snowden reaching out to him.
It is a gap in capability that many of us (including Danny at EFF) are working on day and night to try and bridge though!
> As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this ... it is a race AV just cannot win.
This can be said of every security solution. The value of security is to increase the attackers' cost, which will deter attackers who don't want to pay the higher price. There is no absolute security.
Also, the prospect of updates will increase attacker costs more, as some attackers will feel the need to proactively avoid detection by future versions too.
or, gosh, incorporate a security system that doesn't rely on obscurity of defenses or ignorance on the part of your attacker..?
Got a link to this consumer OS whose implementation is mathematically proven secure?
this is the entire point of defenses like ASLR and stack canaries. the attacker knows they are there, but knowing the form of the defenses doesn't inherently aid the attacker...
Knowing a defense has weaknesses doesn't make it worthless when it takes extra effort for an attacker to exploit that weakness. There is no proven secure consumer OS (I'm including common userland apps in that) so things like ASLR and stack canaries are just extra obstacles to get around.
Real security needs to be layered.
Grab a live DVD, but how do you make sure that the hash used to verify the ISO is what it should be? transfer it offline? because if you are trying to avoid being spied on by the government, I don't think CAs/TLS can be used
> A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc) is read only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.
It's called TAILS. It also triggers scrutiny by "the big g".
http://www.theregister.co.uk/2014/07/03/nsa_xkeyscore_stasi_...
All of these memory signature scanning tools have a limited window of opportunity before the malware adapts. The involved organizations probably determined that the value of the current set of signatures was near the end and there was value to getting some parties outside of direct collaborators using the tool during a brief window.
I think AV software, despite all the benefits that it provides, also has a very dangerous dark side - it encourages more-or-less blind trust by its users, and thus can be used as a very powerful means of control to further an agenda. The most common example of this is the detection of keygens/cracks/patches as being malicious, many of which are clearly not (at least back when I was still into that stuff around a decade ago - not sure about now); I'm a reverse-engineer so I can inspect the files manually and see the truth, but the average user will be far more likely to believe their AV and assume it's malicious --- helping to spread the FUD. Seeing how things as simple as completely innocent "Hello World" programs can get detected as false positives[1][2][3][4][5][6][7] while state-sponsored spyware gets let through is very deeply disturbing.
IMHO signature/heuristic-based detection techniques are always prone to error, and should be replaced with behaviour-based detection (and blocking). At the moment, I think a good firewall (on another known-clean machine - ideally running 100% open-source software) should be enough to detect any suspicious network traffic.
[1] http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&i...
[2] http://stackoverflow.com/questions/22926360/malwarebytes-giv...
[3] http://forum.bitdefender.com/index.php?showtopic=45169
[4] http://board.flatassembler.net/topic.php?t=8154
[5] https://forum.avast.com/index.php?topic=152926.0
[6] https://forum.avast.com/index.php?topic=120578.0
[7] http://itsacleanmachine.blogspot.ca/2012/01/antivirus-anger....
It depends on the AV. I have recent experience with 3 of them : Sophos and Avira tends to classify every keygen as a malware (Sophos is the worst) but Kaspersky is OK with them (or don't detect any malware at all for what I know ;-)
And yes I do use cracks : I wish I was able to reward my fellow devs but I don't have a start-up salary (even for my country my salary is pretty low) and open source softwares are usually (and I insist on usually, not always) not up to par.
So sue me.
Looking at the code (https://github.com/botherder/detekt), it's just looking for patterns of known malware. Isn't this just a subset of what anti-virus software does?
Probably, but the suspicion is that some antivirus software "looks the other way" for some signatures. Hard to say if that it true or not.
Name one AV company that "looks the other way"?
Microsoft AV, Norton, McAfee, etc. We know this, how? Because we can look at Google's virustotal and see when a sample was first submitted and when it was "detected." With typical malware there is a fairly short window between A and B, with US G malware there is a HUGE window (months, sometimes years).
Either the US G just gets very lucky that their samples aren't ever looked at deeper or more likely they have national security agreements with most of the large US based anti-virus firms to hush hush.
This is a very interesting claim, and I want to check for myself. Could you give more details? Name of usg malware? How to check time of submission and detection?
Don't forget Kaspersky (at least for Russian gov malware). I believe their CEO came out in favor of surveillance in a blog post for a brief period.
If Microsoft AV looks the other way for one set and Kaspersky looks the other way for another set, is it possible that there is a value of using a union of the two?
I assume Microsoft AV isn't going to look the other way for Russian exploits, unless the US is also using them, and vice versa.
"looks the other way" and poor detection are two separate things. I'm sorry but you don't know what you are talking about.
McAfee
> Isn't this just a subset of what anti-virus software does?
Yes. The signatures are written more generically to detect the samples though. AV software can (or at least shouldn't) write signatures so generically because the potential for false positives. Since the scanner is scanning a non-enterprise environment the signatures can be a little more generic.
That makes no sense to me. Isn't it important for this to be useful in an enterprise environment too? Gov't may be spying on any number of entities, including businesses.
Yes but worse, this is basically a 1990s anti virus + hype.
What I really would like to see in this area is something like an open source LittleSnitch that gets rules from a DHT, where you choose who to trust and everyone using such software publishes their trust list with the certificates they know to be good. For example, I would trust rules published by orgs like OpenBSD, Mozilla and the EFF.
Is there any FOSS equivalent to Little Snitch?
Obviously there are issues that need to be addressed further, but some system where people collectively share who is trustworthy and who is not would be valuable.
It would be something like http://winhelp2002.mvps.org/hosts.htm but for more than just ads.
Isn't clamAV[1] very good at this already and free of charge AND not keen to close an eye on specific signatures.
[1] http://www.clamav.net/doc/install.html
[2] http://www.clamxav.com for OSX
I believe Cisco now owns clamAV.
You don't have to use/trust the official database (or its whitelist). You could create a custom database with just the signatures you are interested in and run a scan with just that.
I observed some suspicious spy-like activity by Detekt v.1.1 and added an issue to the Detekt github site:
https://github.com/botherder/detekt/issues/20
The developer immediately closed my report, without discussion and all he could say is: "Trust me. Detekt definitely isn't spyware."
Somehow, this does not make me feel secure.
detekt.exe imports from WS2_32.DLL "ntohl" function, which shouldn't be a cause for concern, but then shortly after startup it does spawn another instance of itself, which listens... debugging into the child process, I set a breakpoint on all of ws2_32.dll's functions and resume, leading to this:
This leads back to _socket.pyd , sip.pyd, and eventually QtCore4.dll. Tracing a bit further, I see what's happening:0350F024 012D4110 /CALL to socket from _socket.012D410A 0350F028 00000002 |Family = AF_INET 0350F02C 00000001 |Type = SOCK_STREAM 0350F030 00000000 \Protocol = IPPROTO_IP 0350F034 012DBAD8 _socket.012DBAD8 0350F038 02D93610 0350F03C 00000000 0350F040 00000001 0350F044 00000002 0350F048 1E0C18A8 RETURN to python27.1E0C18A8It starts a local Python web server in order to serve the main dialog of the application, the one with the language selector, which is an HTML page embedded in a browser control. No wonder it hung when you denied the connection and showed a blank frame. If you let it continue and figure out where it's listening, you can actually visit the page in your web browser and see the program's dialog. One of the most convoluted ways to display a dialog I've ever seen, and probably worth a "WTF?", but I don't think it's intended to be malicious. The developer could've handled this a bit better, that's for sure.
I do think it's intended to be malicious!!!
consider that the majority of the people who aim to download and use this THING are those who do something against their government's red lines. This is quiet enough to make this THING a good Trojan horse for hiding anything than can track/detect(detekt!?) an activist. serving the main dialog of the application may be merely a camouflage for other uses of Python inside the file.
any idea?
Thanks for your great analysis.
The developer has re-opened my report now, which will probably never be addressed anyway, since the UI is so convoluted.
Funny thing is that this 'anti-spyware' app creates more confusion than most of the spyware I've seen. Sadly, most people will just run this thing and think they're safe, since they believe the authorities (eff.org, amnesty) but don't even use a firewall.
Before going through the trouble, it does not run on Windows 8.1 64bit.
I got it to run by setting compatibility mode to Windows 7.
I couldn't.
Nor Linux. We know they have exploits for all operating systems, so it's pretty useless... For the EFF, this is a pretty useless action.
It ran on my 8.1 Pro 64-bit guest VM without issue.
The tool's website is being EFF'd. (hah!)
NB: I haven't read about the technical features of the tool.
It probably uses some kind of signature mechanism to identify malware.
...Surely the authors realize that they've just drawn a line in the sand against an APT. The biggest one ever.
Their tool and signature updates are presumably freely available online.
Have fun keeping those sigs up to date, tool authors!
You'd have been better off passing it around to journalists only via sneakernet and simply not talking about it.
Security through obscurity? 70% of the time, it works every time...
Yeah! :) "better off" != "best off". I don't know what "best off" might be...
Oh, user moyix brings up an excellent point that I had not considered re: "right now".
Seems like just another regular anti-virus tool. Surely state-sponsored hackers have been getting around these for years?
"Detekt is a free tool that scans your Windows computer..."
This is awesome, just not for me as a non-Windows user. I don't want this to perpetuate the myth that using Mac or Linux makes you impervious though.
I still think the best solution to this, and other problems, is outbound filtering at the gateway.
How does it avoid false positives and not alert on legitimate state surveillance?
> legitimate state surveillance?
lol
This is signature-based virus detection, right? I thought everybody had given up on that, now that only the dumb attacks have a constant signature.
I find it curious that it available in amharic but not other much more widespread languages.
Perhaps an amharic speaker was involved?
Why aren't they instead recommending journalists use Tails?
Doesn't work with Windows 8.1 though :-(
It does for me.