Announcement

Collapse
No announcement yet.

Who's watching your Computer now?

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Who's watching your Computer now?

    A new piece of anti-surveillance software announced. For use on local computer systems to check for specific software installations.

    http://phys.org/news/2014-11-human-r...ance-tool.html

    The software link is: https://resistsurveillance.org/
    If You're Not Paranoid Yet, You Should Be. Kubuntu 20.04.3 64bit under Kernel 5.4.153, Hp Pavilion, 6MB ram. Google is NOT your friend.

    #2
    Interesting. I downloaded the tar file and looked at the Readme text file:
    Detekt
    ======

    Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit).

    Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer.

    Currently it is provided with patterns for:

    - DarkComet RAT (RAT=Remote Administration Tool)
    - XtremeRAT
    - BlackShades RAT
    - njRAT
    - FinFisher FinSpy
    - HackingTeam RCS (RCS=Remote Control System)
    - ShadowTech RAT
    - Gh0st RAT

    Beware that it is possible that Detekt may not successfully detect the most recent versions of those malware families. Indeed, some of them will likely be updated in response to this release in order to remove or change the patterns that we identified. In addition, there may be existing versions of malware, from these families or from other providers, which are not detected by this tool. If Detekt does not find anything, this unfortunately cannot be considered a clean bill of health.

    If you encounter samples of such families that are not successfully detected, please open a ticket. In addition, please let us know if you find instances of false positives.

    Requirements
    ------------

    When compiling the tool on Windows systems, you'll have to install some requirements first, including:

    - Python 2.7
    - Yara 3.x
    - PyQt4
    - PyWin32

    Make sure that you install the latest available version of these libraries, for the right architecture and the right version of Python.
    You can download latest version of Yara installers for Windows here
    https://drive.google.com/folderview?...p=sharing#list
    In order for Yara to work correctly you will also need to install Visual C++ 2010 Runtime.

    Cloning and compiling
    ---------------------

    Once all requirements are installed on your Windows environment, make sure you clone the full repository and submodules with:

    $ git clone --recursive https://github.com/botherder/detekt.git

    This will clone also the Volatility and PyInstaller trunks. Copy the whole directory in your Windows environment and launch the ``make.bat`` script, which should successfully generate the final executable.

    Known Issues
    ------------

    Performance is the main issue with Detekt, and it will need to be improved.
    Some Yara signatures need to be improved, as currently some of them are not able to detect all existing variants of the respective malware families.

    Windows 8.1 64bit is currently not supported because the tool appears to be unable to complete the execution and just goes on forever. This issue needs to be investigated and resolved as soon as possible.
    Written for Windows to detect malware that attacks Windows.
    It requires Yara 3.x. Yara 2.0.0-2 is in the Trusty repositories, along with everything else. So, perhaps one could compile it and run it on Linux, but why? RKHunter and ChkRootKit are available. (But I haven't checked if they look for these particular malware.)


    Looking for only EIGHT? All in all, it looks to me like a publicity stunt. Also, has anyone compiled the tar source and compared it to the Windows executable to prove they are binarily the same? If not, how can anyone be sure this site is not a honey pot?
    "I would rather have questions that can't be answered, than answers that can't be questioned." ― Richard Feynman

    Comment


      #3
      @Greygeek;
      Thanks for the analysis, it does seem like a weak tool for what it is intended.
      Perhaps it will grow with time...
      If You're Not Paranoid Yet, You Should Be. Kubuntu 20.04.3 64bit under Kernel 5.4.153, Hp Pavilion, 6MB ram. Google is NOT your friend.

      Comment


        #4
        Good points Gerry, the only thing I have to add is here:

        Originally posted by GreyGeek View Post
        has anyone compiled the tar source and compared it to the Windows executable to prove they are binarily the same? If not, how can anyone be sure this site is not a honey pot?
        The tool has been put together by the EFF along with Amnesty and a couple of other organisations with good track records; I trust the EFF enough to be pretty certain that they wouldn't rubber stamp a honeypot. Seeing as they are most technically literate party, I would expect them to be doing the compiling.

        If I was a likely surveillance target, I would use the tool. Then again, I would probably not use Windows in that situation... so long as governments are targeting groups of activists (and not individual activists directly) there is less risk in running Linux (and probably even less in running OpenBSD) than there is in running a more commonly used OS like Windows.
        Last edited by Feathers McGraw; Nov 21 2014, 07:21 PM. Reason: added link
        samhobbs.co.uk

        Comment


          #5
          Originally posted by Feathers McGraw View Post
          Good points Gerry, the only thing I have to add is here:



          The tool has been put together by the EFF along with Amnesty and a couple of other organisations with good track records; I trust the EFF enough to be pretty certain that they wouldn't rubber stamp a honeypot. Seeing as they are most technically literate party, I would expect them to be doing the compiling.
          Good point. I'd forgotten about that.

          Originally posted by Feathers McGraw View Post
          If I was a likely surveillance target, I would use the tool. Then again, I would probably not use Windows in that situation... so long as governments are targeting groups of activists (and not individual activists directly) there is less risk in running Linux (and probably even less in running OpenBSD) than there is in running a more commonly used OS like Windows.
          The tool was made for computers running Windows. I was just curious to see if it might be possible to compile the tar version and run it under Linux. I don't know what the git pull would bring down, or what parts are dependent on Windows proprietary software, so I can't say if it would be even possible to run it under Linux without a re-write to remove such dependencies if they exist. Those RAT and RCS malware seem to be effective only on Windows, not Linux or Apple.

          I have no doubt that OUR government is targeting BOTH groups and activists, probably even in your country. It's a shame they are acting like adolescent warez haxors.
          "I would rather have questions that can't be answered, than answers that can't be questioned." ― Richard Feynman

          Comment


            #6
            You mentioned RKHunter and ChkRootKit, have you ever used them? I think I remember reading about them about a year ago and the consensus was that they were out of date, I'm curious to know how good they are.
            samhobbs.co.uk

            Comment


              #7
              Originally posted by Feathers McGraw View Post
              You mentioned RKHunter and ChkRootKit, have you ever used them? I think I remember reading about them about a year ago and the consensus was that they were out of date, I'm curious to know how good they are.
              I don't know where you got that "consensus" but both are currently maintained.
              I've run them both for almost 10 years.
              https://help.ubuntu.com/community/RKhunter
              http://www.chkrootkit.org/

              The received wisdom is to run them both. Like any detection tool, it is no more secure than the most recent update to its db, which it does automatically in the background.

              In 10 years I have yet to see any malware detected on my equipment, but I run it regularly as a cron task every week. You can change the settings in /etc/default/rkhunter to set the cron task to what ever you want. I have it run daily, nice="0", with email reports of results of the run to my home account and email notifications of db updates.

              chkrootkit also has a cron file that sets it to run daily in the background.

              They are pretty much transparent and I never notice them.
              "I would rather have questions that can't be answered, than answers that can't be questioned." ― Richard Feynman

              Comment


                #8
                I don't remember where I read it but I think it was ubuntuforums - when you mentioned it I thought it must be worth another look, which is why I asked. As I was hoping, you gave a really useful answer - thanks!

                Setting them as a cron job sounds much more convenient than I thought it would be.

                Have you ever used snort (the intrusion detection software)? That's another one I'm curious about.
                samhobbs.co.uk

                Comment


                  #9
                  Originally posted by Feathers McGraw View Post
                  I don't remember where I read it but I think it was ubuntuforums - when you mentioned it I thought it must be worth another look, which is why I asked. As I was hoping, you gave a really useful answer - thanks!

                  Setting them as a cron job sounds much more convenient than I thought it would be.

                  Have you ever used snort (the intrusion detection software)? That's another one I'm curious about.
                  The cron config files are installed by default (/etc/chkrootkit.conf) and (/etc/default/rkhunter) and all you have to do is edit the true/false conditions to suit your needs.

                  I have snort, nmap, etherape, kismet and zenmap installed. I play with them but haven't had a real need for them because I don't have much pounding on my back door ... and ... using them injudiciously can get you in trouble with your ISP. I probably use EtherApe and Kismet more than the others because they show me all the devices connected to my computer/wifi.
                  "I would rather have questions that can't be answered, than answers that can't be questioned." ― Richard Feynman

                  Comment


                    #10
                    I wish I had more time to learn about all of these tools, there are so many cool free software projects out there! It's amazing that people give so much of their time for free and share their software, and that other people spend their time packaging it for different distributions.

                    Of the ones you listed, I have only used nmap (on my local network mainly). Wireshark is another one I feel I should invest some time in, networks are fascinating and I'm sure it would lead to other interesting knowledge.

                    By the way, my adventures with C++ and sqlite are coming along (slowly!). It's a very rewarding process, I've had a few eureka moments today already where something clicked and I understood rather than just copying. I'm writing a text based program at the moment but will put a qt GUI on it when it is functional!
                    samhobbs.co.uk

                    Comment


                      #11
                      Originally posted by Feathers McGraw View Post
                      ... By the way, my adventures with C++ and sqlite are coming along (slowly!). It's a very rewarding process, I've had a few eureka moments today already where something clicked and I understood rather than just copying. I'm writing a text based program at the moment but will put a qt GUI on it when it is functional!
                      If it is a single purpose utility program that approach is the best. You can test it in a konsole and when it runs right you can design a GUI around it. Isn't it a lot of fun?
                      "I would rather have questions that can't be answered, than answers that can't be questioned." ― Richard Feynman

                      Comment


                        #12
                        Originally posted by Feathers McGraw View Post
                        Wireshark is another one I feel I should invest some time in, networks are fascinating and I'm sure it would lead to other interesting knowledge.
                        It's a great tool. Naw, I'm not biased.

                        Comment


                          #13
                          Last time I looked at wireshark I found it a bit overwhelming and had some problems using it properly because of my rubbish WiFi card at the time. Perhaps it's time for another look, I've learned quite a bit about networking since then.
                          samhobbs.co.uk

                          Comment


                            #14
                            Did you upgrade your wi-fi to something not rubbish?

                            Comment


                              #15
                              I upgraded my whole laptop to something not rubbish!
                              samhobbs.co.uk

                              Comment

                              Working...
                              X