In 2011, just after the first BSides London, I gave a talk at the local DC4420 chapter on evading detection.
There I made the point that there are four main technical areas that give an attacker’s existence away: network communications, disk communications, logs and memory. From an attacker’s point of view, their ability to stay undetected depends on balancing all of these things against their adversaries’ capabilities, just as defenders must do in reverse.
So when I saw that groups such as Amnesty International, Privacy International, the EFF and Digitale Gesellschaft backed the release of a new tool designed to provide protection against state-sponsored surveillance technology by detecting state-sponsored malware, I felt it warranted a detailed look, both from the point of view of a pentester acting as an attacker and from that of an incident-responding defender.
I’ve written up my technical findings here, but to summarise (and specific to the version of Detekt I reviewed on Saturday):
* Detekt doesn’t work on 64-bit Windows 8.1, Windows Server 2012 or later
* Detekt only works with userland processes, so it won’t detect anything in the kernel, or that a compromised kernel tries to hide
* Detekt skips processes based on process name, something trivial for even the weakest nation state adversary to impersonate
* Detekt can’t look at all processes in memory, so if the malware is in a process Detekt can’t access, it won’t be found
* Detekt does not check its own integrity, so if the malware is resident in Detekt’s memory while running it won’t be found
* Detekt installs a binary driver for which there’s no source code made available
* Detekt only works against two specific pieces of malware
* Detekt requires you to disable any security software you have (such as anti-virus) while it installs the binary-only driver and executes
* Detekt’s scan approach leads to masses of false positives, as illustrated by the issues raised on the project’s Github account
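To show why a process-name skip list (the third point above) is a weak exclusion rule, and what a stronger check looks like, here is an added Python illustration that is not Detekt’s code: the inventory, hashes and process records are all constructed, and the hash-based identity check is an assumed design, not anything Detekt implements.

```python
# Added illustration (not Detekt's code): excluding processes from a scan by name alone
# versus excluding them only when name, image path and image hash all agree.
import hashlib
from dataclasses import dataclass

# Hypothetical known-good inventory; a real one would hold hashes of vetted, signed
# system binaries. The hash here is of a constructed stand-in, not a real image.
KNOWN_GOOD = {
    r"c:\windows\system32\svchost.exe": hashlib.sha256(b"constructed svchost image").hexdigest(),
}

@dataclass
class Proc:
    name: str
    exe_path: str
    image_bytes: bytes  # constructed stand-in for the on-disk executable image

def skip_by_name(proc: Proc) -> bool:
    """Weak rule: leave unscanned anything whose name matches a trusted system process."""
    return proc.name.lower() in {"svchost.exe", "csrss.exe"}

def skip_by_identity(proc: Proc) -> bool:
    """Stronger rule: leave unscanned only when path, name and image hash match inventory."""
    path = proc.exe_path.lower()
    expected = KNOWN_GOOD.get(path)
    if expected is None or not path.endswith("\\" + proc.name.lower()):
        return False
    return hashlib.sha256(proc.image_bytes).hexdigest() == expected

def triage(procs):
    """Return (paths skipped by the name rule, paths skipped by the identity rule)."""
    return ([p.exe_path for p in procs if skip_by_name(p)],
            [p.exe_path for p in procs if skip_by_identity(p)])

# Constructed process list: one genuine svchost and one unrelated binary that merely
# reuses the name from a user-writable directory.
SAMPLE = [
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe", b"constructed svchost image"),
    Proc("svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", b"something else"),
]

if __name__ == "__main__":
    by_name, by_identity = triage(SAMPLE)
    print("left unscanned by name rule:    ", by_name)
    print("left unscanned by identity rule:", by_identity)
```

The name rule leaves both processes unscanned; the identity rule only excuses the one whose path and image hash match the inventory, which is the difference between a skip list and an actual exclusion check.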
In 15 years of penetration testing and bypassing various anti-malware tools from the simplest of anti-virus software to multi-million pound SOC deployments, I’ve never seen a piece of anti-malware as badly implemented as this, including the anti-malware software I once bought from a pound store in Basingstoke (because it had a man in a suit using a laptop while wearing a balaclava on the cover, I mean what could possibly go wrong?)
When an anti-malware tool is this bad and has this much fanfare behind it, the response as you might imagine is somewhat … mixed. Some people have praised author Claudio Guarnieri for stepping up to release a tool targeting people affected by state-sponsored malware. Indeed, there’s now a page on the project’s website detailing how the purpose of the project is to raise awareness of governments attacking journalists, activists and dissidents using the two pieces of malware, presumably focused on people unaware of the Snowden revelations.
I spoke to Guarnieri about his intentions with the project. He said that he was targeting people that he’d found being targeted with the two pieces of malware that it tries to detect, and pointed to a VirusTotal sample showing that the latest versions of one of the pieces of malware are not detected by various anti-virus products, while his tool detects them.
I found this a little disingenuous, as malware authors often use VirusTotal specifically as a testing ground for techniques. Likewise, using various evasion techniques it’s perfectly possible to make the EICAR test string (a non-malicious string designed to act as an automatic anti-virus test) invisible to anti-virus products on VirusTotal. Having said that, there’s been a lot of backtracking from the initial hype, with Claudio consistently saying that he was specifically targeting two pieces of malware, although initially there were signatures for seven.
The reason for much of the vitriol from the naysayers’ side is that the gaps in the tool’s technical abilities could introduce a false sense of security for the journalists, activists and dissidents the tool aims to target. With many reported false positives there’s also a risk of instilling a false sense of insecurity in people who might not be targeted by these pieces of malware at all.
One reasonably savvy Windows-using blogger appears to have already found themselves confused while using the tool. If what Claudio says is correct, and he’s only targeting people that might be attacked by nation states using these two specific pieces of malware, then this person probably shouldn’t have used the tool at all.
But the false positive ratio is surprisingly high, and the potential for false negatives, as the two malware authors start to roll out evasion techniques for Detekt, is also there.
Now imagine if you’re a blogger in a repressive regime who gets a false alert from this tool, or worse, a false negative. Firstly, the tool’s technical limitations mean that a false negative is certainly feasible, and secondly the tool’s assumption that a nation state adversary only has two pieces of malware to choose to attack you with is more than naive, it’s dangerously misplaced.
This presents an odd quandary. In order for this tool to be relevant and proportionate, a journalist, activist or dissident targeted by this tool needs to suspect that they’ve been compromised with one or both of these specific pieces of malware. However, the tool can’t guarantee that it can detect it because the technical approach doesn’t necessarily provide the coverage needed to draw full conclusions. Either way, you’re probably looking at reinstalling said person’s computer from scratch, in which case there probably wasn’t much point in running the tool in the first place.
The Snowden disclosures have taught us that if you’re remotely involved in doing anything that a Government doesn’t like, assume your equipment was compromised when it was shipped, take appropriate steps to protect yourself and that OPSEC is key.
If you’re aware that you are a genuine target, you’re hopefully already taking measures exceeding that which Detekt can add much to. If you’re aware you’re a genuine target and you’re relying on Detekt at all, then you’re buying into a dangerous idea with an implementation that leaves a lot to be desired.
Ironically, if this was a commercial tool, there’d be widespread condemnation and accusations of selling snake oil, but strangely, with the badge from privacy groups and open source claims, several security researchers have quietly told me that they’re too scared to speak their minds publicly for fear of reprisals. As such it looks like Detekt gets a free pass for all the wrong reasons.
If you lack the skills to spot a false positive or a false negative, and you’re not a journalist, activist or dissident, then at least other security products will most likely start to integrate Detekt’s indicators in the near future. All the more reason the average user should give Detekt a wide berth.
Steve Lord is technical director of Mandalorian