21/11/2014

The tool „Detekt“: what you should know about it

The tool „Detekt“: what you should know about it Malware

What is “Detekt”?

It is a small detection tool for, currently, seven malware families which are categorized as spyware. FinFisher’s FinSpy is one of the popular examples that are said to be detected with it.

How does it work?

The tool uses Yara rules to perform an in-memory scan, looking for certain strings (e.g. file names or paths) which are known to be used by the malware families it is said to detect. In case a representative amount of dedicated strings is found on the scanned machine, the tool alarms the user about a possible infection.

The limitations of “Detekt”

First of all, “Detekt” is a tool which only uses a reactive approach, scanning in-memory with a list of rules. This means, it can only report an infection after this infection has already occurred. It does not prevent any infection and as far as we can see the descriptions, it is also not able to isolate or clean any present infection. The project’s website asks users to “stop using the infected computer immediately and disconnect it from the Internet, other network and removable devices, unless strictly necessary” and even to “decide whether to dispose of the computer”. Such a drastic step may clearly unsettle users, as the alarm “Detekt” emits does not help to evaluate the situation any further. We strongly recommend, as the project does as well, to contact an expert and seek advice. [1] 

Furthermore, the Yara rules used for this tool, are publicly available. This means, as the developer's webiste resistsurveillance.org reports, that “some spyware will likely be updated in response to the release of Detekt in order to avoid detection.. In addition, there may be existing versions of spyware, from these or other providers, which are not detected by this tool.” Consequently, this tool has to be maintained and updated regularly to ensure that newer versions of any spyware can be detected as well, but amnesty.org admits that “Detekt” “cannot detect all surveillance software“.
They are “encouraging security researchers in the open-source community to help the organizations behind this project to identify additional spyware or new versions to help Detekt keep up to date” which costs a lot of resources – for a good cause, no doubt about it.
But „it is important to underline that if Detekt does not find trace of spyware on a computer, it does not necessarily mean that none is present” concludes amnesty.org.

Do I still need an AV solution when I install “Detekt”?

Yes, you certainly do need one! Security solutions like G DATA’s products have a totally different approach to detect and fight malware: reactive and pro-active technologies engage to defend the computer before malware reaches the machine and before an infection can happen. Especially the dynamic components like behavior blocker, exploit protection, keylogger protection and more are quite effective in preventing infections. 

Conclusion

“Detekt” is an approach we appreciate a lot – it is a simple tool which can help to identify certain threats against computers. Nevertheless, we have to make sure that users do not mistake this tool with a comprehensive security solution, because “Detekt” is not one of them.

G DATA has always affirmed that it does not distinguish between malware created and used by criminals and malware created and used by governments or similar and has also voluntarily signed a code of conduct of Germany’s TeleTrusT organization to guarantee security solutions without implemented backdoors and consequently receive the quality seal IT Security made in Germany.

[1] In case you encounter any detection with this tool and wish to seek advice from G DATA’s experts, please use the sample submission form on the G DATA SecurityLabs website to upload the scan log file created by “Detekt” and indicate that your detection is connected to the “Detekt” tool. You may of course also contact G DATA’s customer support to seek advice.