-
You mentioned RKHunter and ChkRootKit, have you ever used them? I think I remember reading about them about a year ago and the consensus was that they were out of date, I'm curious to know how good they are. -
Good point. I'd forgotten about that.Originally posted by Feathers McGraw View Post
The tool was made for computers running Windows. I was just curious to see if it might be possible to compile the tar version and run it under Linux. I don't know what the git pull would bring down, or what parts are dependent on Windows proprietary software, so I can't say if it would be even possible to run it under Linux without a re-write to remove such dependencies if they exist. Those RAT and RCS malware seem to be effective only on Windows, not Linux or Apple.Originally posted by Feathers McGraw View Post
I have no doubt that OUR government is targeting BOTH groups and activists, probably even in your country. It's a shame they are acting like adolescent warez haxors.Leave a comment:
-
Good points Gerry, the only thing I have to add is here:
The tool has been put together by the EFF along with Amnesty and a couple of other organisations with good track records; I trust the EFF enough to be pretty certain that they wouldn't rubber stamp a honeypot. Seeing as they are most technically literate party, I would expect them to be doing the compiling.Originally posted by GreyGeek View Post
If I was a likely surveillance target, I would use the tool. Then again, I would probably not use Windows in that situation... so long as governments are targeting groups of activists (and not individual activists directly) there is less risk in running Linux (and probably even less in running OpenBSD) than there is in running a more commonly used OS like Windows.Leave a comment:
-
@Greygeek;
Thanks for the analysis, it does seem like a weak tool for what it is intended.
Perhaps it will grow with time...Leave a comment:
-
Interesting. I downloaded the tar file and looked at the Readme text file:
Written for Windows to detect malware that attacks Windows.Detekt
======
Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit).
Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer.
Currently it is provided with patterns for:
- DarkComet RAT (RAT=Remote Administration Tool)
- XtremeRAT
- BlackShades RAT
- njRAT
- FinFisher FinSpy
- HackingTeam RCS (RCS=Remote Control System)
- ShadowTech RAT
- Gh0st RAT
Beware that it is possible that Detekt may not successfully detect the most recent versions of those malware families. Indeed, some of them will likely be updated in response to this release in order to remove or change the patterns that we identified. In addition, there may be existing versions of malware, from these families or from other providers, which are not detected by this tool. If Detekt does not find anything, this unfortunately cannot be considered a clean bill of health.
If you encounter samples of such families that are not successfully detected, please open a ticket. In addition, please let us know if you find instances of false positives.
Requirements
------------
When compiling the tool on Windows systems, you'll have to install some requirements first, including:
- Python 2.7
- Yara 3.x
- PyQt4
- PyWin32
Make sure that you install the latest available version of these libraries, for the right architecture and the right version of Python.
You can download latest version of Yara installers for Windows here
https://drive.google.com/folderview?...p=sharing#list
In order for Yara to work correctly you will also need to install Visual C++ 2010 Runtime.
Cloning and compiling
---------------------
Once all requirements are installed on your Windows environment, make sure you clone the full repository and submodules with:
$ git clone --recursive https://github.com/botherder/detekt.git
This will clone also the Volatility and PyInstaller trunks. Copy the whole directory in your Windows environment and launch the ``make.bat`` script, which should successfully generate the final executable.
Known Issues
------------
Performance is the main issue with Detekt, and it will need to be improved.
Some Yara signatures need to be improved, as currently some of them are not able to detect all existing variants of the respective malware families.
Windows 8.1 64bit is currently not supported because the tool appears to be unable to complete the execution and just goes on forever. This issue needs to be investigated and resolved as soon as possible.
It requires Yara 3.x. Yara 2.0.0-2 is in the Trusty repositories, along with everything else. So, perhaps one could compile it and run it on Linux, but why? RKHunter and ChkRootKit are available. (But I haven't checked if they look for these particular malware.)
Looking for only EIGHT? All in all, it looks to me like a publicity stunt. Also, has anyone compiled the tar source and compared it to the Windows executable to prove they are binarily the same? If not, how can anyone be sure this site is not a honey pot?Leave a comment:
-
Who's watching your Computer now?
A new piece of anti-surveillance software announced. For use on local computer systems to check for specific software installations.
http://phys.org/news/2014-11-human-r...ance-tool.html
The software link is: https://resistsurveillance.org/
- If you have copied text output that contains formatting (colors, highlighting, etc.), please do not enclose it in QUOTE or CODE tags. Just right-click your mouse and choose "Paste Without Formatting" or similar (Paste as plain text).
Leave a comment: