科技回声

A New Malware Detection Tool That Can Expose Illegitimate State Surveillance

195 points, by silenteh, over 10 years ago

16 comments

moyix, over 10 years ago
Oh cool, I (indirectly) have code in this, since the Volatility memory analysis framework is used to scan memory for the malware signatures.

As others have noted, this is unlikely to protect against new infections, since governments will surely just check to make sure their malware isn't detected by the scanner. On the other hand, since we don't really trust corporate AV to detect state-sponsored malware, it seems like this fills a need right now, and will likely result in some organizations discovering they've been compromised by this kind of surveillance malware. So this still seems very useful right now.
Someone1234, over 10 years ago
I love the EFF (and have donated money) but I am going to disagree with them on this one.

As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this. In the same way that malware authors now check against Microsoft AV because it is the most popular.

So my point is that traditional AV in this scenario is a loser and will remain a loser because it is a race AV just cannot win. It will only alert you to an attacker well after the fact.

A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc.) is read-only systems. For example, grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.

That won't address the "baseband issue" (e.g. firmware infections, UEFI, etc.), but neither does this. Only physical security really addresses the baseband.
Comment #8639430 not loaded
Comment #8638954 not loaded
Comment #8639089 not loaded
Comment #8639456 not loaded
Comment #8639189 not loaded
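To make concrete what moyix and Someone1234 are arguing about, here is an added example (my own code, not Detekt's, Volatility's, or any commenter's) of the mechanism Detekt relies on: byte-pattern signatures searched across per-process memory regions. All rule names, byte patterns and "memory regions" are constructed placeholders, not real indicators. The block scans three snapshots with a strict rule set, then with a loosened one, to show both why a signature match is useful right now and why a trivially modified sample slips past the strict rules until the defender ships a new signature.

```python
import re

# Constructed, hypothetical signature rules in the spirit of a YARA rule: a rule
# fires if ANY of its byte patterns occurs in the buffer. Every pattern below is a
# made-up placeholder for illustration, not a real malware indicator.
STRICT_RULES = {
    "hypothetical_implant_a": [
        rb"cfg:beacon_interval=",            # constructed config-string marker
        rb"\x55\x8b\xec\x83\xec\x40",        # constructed x86 prologue fragment
    ],
}

# The same rule after a defender has loosened it with wildcards so that the
# modified variant is caught again. This is the maintenance treadmill the thread
# describes: each evasion forces a new signature release.
LOOSE_RULES = {
    "hypothetical_implant_a": [
        rb"cfg:beacon.interval=",                 # any single byte between the words
        rb"\x55\x8b\xec(?:\x90)?\x83\xec\x40",    # tolerate one inserted NOP
    ],
}


def compile_rules(rules):
    """Compile each rule's byte-regex patterns once; returns {name: [regex, ...]}."""
    return {name: [re.compile(p) for p in patterns] for name, patterns in rules.items()}


def scan_buffer(buf, compiled):
    """Return the sorted names of rules with at least one pattern present in buf."""
    hits = []
    for name, patterns in compiled.items():
        if any(p.search(buf) for p in patterns):
            hits.append(name)
    return sorted(hits)


def scan_snapshots(snapshots, rules):
    """Scan a {pid: bytes} mapping, the shape a memory-analysis framework would hand
    over (one dumped region per process), and return only the pids with hits."""
    compiled = compile_rules(rules)
    results = {}
    for pid, mem in snapshots.items():
        hits = scan_buffer(mem, compiled)
        if hits:
            results[pid] = hits
    return results


# Constructed sample "memory regions". None of this is real process memory.
CLEAN = b"MZ\x90\x00" + b"An ordinary program that matches nothing. " * 4
INFECTED = (b"\x00" * 16
            + b"cfg:beacon_interval=60\n"
            + b"\x55\x8b\xec\x83\xec\x40\x53\x56"
            + b"\x00" * 8)
# "v2" of the same sample: one character of the config key changed and a single
# NOP (0x90) inserted into the code fragment. Every strict byte pattern above now
# fails to match, which is exactly the robustness test a rule author should run.
VARIANT = (INFECTED
           .replace(b"beacon_interval", b"beacon-interval")
           .replace(b"\x55\x8b\xec\x83\xec\x40", b"\x55\x8b\xec\x90\x83\xec\x40"))

SNAPSHOTS = {1001: CLEAN, 2002: INFECTED, 3003: VARIANT}

if __name__ == "__main__":
    print("strict:", scan_snapshots(SNAPSHOTS, STRICT_RULES))  # only pid 2002
    print("loose: ", scan_snapshots(SNAPSHOTS, LOOSE_RULES))   # pids 2002 and 3003
```

The strict scan still catches every machine infected with the known build (pid 2002), which is the "fills a need right now" case; the variant (pid 3003) is only caught after the loosened rule is distributed, and a further change would start the cycle again.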
userbinator, over 10 years ago
I think AV software, despite all the benefits that it provides, also has a very dangerous dark side - it encourages more-or-less blind trust by its users, and thus can be used as a very powerful means of control to further an agenda. The most common example of this is the detection of keygens/cracks/patches as being malicious, many of which are clearly not (at least back when I was still into that stuff around a decade ago - not sure about now); I'm a reverse engineer so I can inspect the files manually and see the truth, but the average user will be far more likely to believe their AV and assume it's malicious --- helping to spread the FUD. Seeing how things as simple as completely innocent "Hello World" programs can get detected as false positives[1][2][3][4][5][6][7] while state-sponsored spyware gets let through is very deeply disturbing.

IMHO signature/heuristic-based detection techniques are always prone to error, and should be replaced with behaviour-based detection (and blocking). At the moment, I think a good firewall (on another known-clean machine - ideally running 100% open-source software) should be enough to detect any suspicious network traffic.

[1] http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&id=217712

[2] http://stackoverflow.com/questions/22926360/malwarebytes-gives-trojan-warning-for-basic-c-sharp-hello-world-program

[3] http://forum.bitdefender.com/index.php?showtopic=45169

[4] http://board.flatassembler.net/topic.php?t=8154

[5] https://forum.avast.com/index.php?topic=152926.0

[6] https://forum.avast.com/index.php?topic=120578.0

[7] http://itsacleanmachine.blogspot.ca/2012/01/antivirus-anger.html
Comment #8641585 not loaded
unclesaamm, over 10 years ago
Looking at the code (https://github.com/botherder/detekt), it's just looking for patterns of known malware. Isn't this just a subset of what anti-virus software does?
Comment #8638089 not loaded
Comment #8638446 not loaded
Comment #8639819 not loaded
malandrew, over 10 years ago
What I really would like to see in this area is something like an open source LittleSnitch that gets rules from a DHT, where you choose who to trust and everyone using such software publishes their trust list with the certificates they know to be good. For example, I would trust rules published by orgs like OpenBSD, Mozilla and the EFF.

Is there any FOSS equivalent to Little Snitch?

Obviously there are issues that need to be addressed further, but some system where people collectively share who is trustworthy and who is not would be valuable.

It would be something like http://winhelp2002.mvps.org/hosts.htm but for more than just ads.
atmosx, over 10 years ago
Isn't clamAV[1] very good at this already and free of charge AND not keen to close an eye on specific signatures?

[1] http://www.clamav.net/doc/install.html

[2] http://www.clamxav.com for OSX
Comment #8639247 not loaded
gadfly, over 10 years ago
I observed some suspicious spy-like activity by Detekt v.1.1 and added an issue to the Detekt github site:

https://github.com/botherder/detekt/issues/20

The developer immediately closed my report, without discussion and all he could say is: "Trust me. Detekt definitely isn't spyware."

Somehow, this does not make me feel secure.
Comment #8640914 not loaded
Varcht, over 10 years ago
Before going through the trouble, it does not run on Windows 8.1 64bit.
Comment #8638580 not loaded
Comment #8638795 not loaded
Comment #8641460 not loaded
daveloyall, over 10 years ago
The tool's website is being EFF'd. (hah!)

NB: I haven't read about the technical features of the tool.

It probably uses some kind of signature mechanism to identify malware.

...Surely the authors realize that they've just drawn a line in the sand against an APT. The biggest one ever.

Their tool and signature updates are presumably freely available online.

Have fun keeping those sigs up to date, tool authors!

You'd have been better off passing it around to journalists only via sneakernet and simply not talking about it.
Comment #8637923 not loaded
na85, over 10 years ago
Seems like just another regular anti-virus tool. Surely state-sponsored hackers have been getting around these for years?
click170, over 10 years ago
"Detekt is a free tool that scans your Windows computer..."

This is awesome, just not for me as a non-Windows user. I don't want this to perpetuate the myth that using Mac or Linux makes you impervious though.

I still think the best solution to this, and other problems, is outbound filtering at the gateway.
jameshart, over 10 years ago
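Three comments in this thread (userbinator's firewall on a known-clean machine, malandrew's shared trust lists, click170's outbound filtering at the gateway) point at the same alternative to signatures: a default-deny allowlist of which process may talk to which destination. The following is an added example of that evaluation logic, written for this page; it is not code from Detekt, Little Snitch or any commenter. The publisher names, rule lists and the connection log are all constructed, and the log format (timestamp, process, host, port) is an assumption chosen for the example.

```python
# Constructed rule lists from hypothetical publishers. The organisations named in
# the thread publish no such lists; these are placeholders to show the mechanism.
PUBLISHED_RULES = {
    "publisher-a": {
        "firefox.exe": {("update.example.org", 443)},
        "svchost.exe": {("time.example.net", 123)},
    },
    "publisher-b": {
        "firefox.exe": {("update.example.org", 443), ("telemetry.example.org", 443)},
    },
    # A list the user has NOT chosen to trust; its rules must have no effect.
    "publisher-unknown": {
        "updater.exe": {("203.0.113.9", 8080)},
    },
}

# Constructed outbound-connection log, one record per line:
# timestamp process destination_host destination_port
SAMPLE_LOG = """\
2014-11-20T10:00:01Z firefox.exe update.example.org 443
2014-11-20T10:00:05Z svchost.exe time.example.net 123
2014-11-20T10:00:09Z firefox.exe telemetry.example.org 443
2014-11-20T10:01:12Z updater.exe 203.0.113.9 8080
2014-11-20T10:02:33Z svchost.exe 198.51.100.77 443
"""


def merge_trusted_rules(published, trusted):
    """Union the per-process allowlists of every trusted publisher.
    Publishers outside `trusted` are ignored even though they appear in `published`."""
    merged = {}
    for publisher in trusted:
        for process, destinations in published.get(publisher, {}).items():
            merged.setdefault(process, set()).update(destinations)
    return merged


def parse_log(text):
    """Parse the whitespace-separated log format above into (ts, process, host, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, host, port = line.split()
        records.append((ts, process, host, int(port)))
    return records


def evaluate(records, rules):
    """Default-deny: a connection is allowed only if a trusted rule names its exact
    (process, host, port). Everything else is flagged together with the reason, so
    an unknown process and a known process reaching a new destination are distinguishable."""
    verdicts = []
    for ts, process, host, port in records:
        allowed = rules.get(process)
        if allowed is None:
            reason = "no trusted rules for process"
        elif (host, port) not in allowed:
            reason = "destination not allowed for process"
        else:
            reason = None
        verdicts.append((ts, process, host, port, "allow" if reason is None else "flag", reason))
    return verdicts


def flagged_connections(log_text, published, trusted):
    """Return (process, host, port) for every flagged record, in log order."""
    rules = merge_trusted_rules(published, trusted)
    return [(p, h, port)
            for _, p, h, port, verdict, _ in evaluate(parse_log(log_text), rules)
            if verdict == "flag"]


if __name__ == "__main__":
    trusted = ["publisher-a", "publisher-b"]
    for row in evaluate(parse_log(SAMPLE_LOG), merge_trusted_rules(PUBLISHED_RULES, trusted)):
        print(row)
```

Because the policy is default-deny, nothing about the flagged traffic needs to be known in advance: the unknown process and the unexpected svchost destination are surfaced without any signature, which is the property the commenters want. Shrinking the trusted set (trusting only publisher-a) also flags the telemetry connection, showing how the choice of whom to trust changes the verdicts.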
How does it avoid false positives and not alert on legitimate state surveillance?
Comment #8639794 not loaded
Animats, over 10 years ago
This is signature-based virus detection, right? I thought everybody had given up on that, now that only the dumb attacks have a constant signature.
Max_Mustermann, over 10 years ago
I find it curious that it is available in Amharic but not other much more widespread languages.
Comment #8639394 not loaded
willvarfar, over 10 years ago
Why aren't they instead recommending journalists use Tails?
cjbenedikt, over 10 years ago
Doesn't work with Windows 8.1 though :-(
Comment #8641464 not loaded