How well does the "Detekt" tool identify malware? Are there any other free options similar to this that would be worthy to use in an enterprise setting?
Detecting state-sponsored malware, or commercial software with functionality pioneered by Back Orifice, DameWare and other remote administration Trojans (RATs), has been tricky for antimalware vendors. Newer state-sponsored malware works against the best interest of its intended target but in the best interest of its state sponsor, so a vendor that adds detection for it risks ending up on that state's unfriendly list. The remote administration Trojan Back Orifice was less tricky to deal with in its day: those using it legitimately knew how to allow the software to run, so antimalware vendors could block illegitimate Back Orifice use without much difficulty from state-sponsored attackers.
The free Detekt tool can be used by organizations to identify current versions of the DarkComet, FinFisher, njRAT and Gh0st RAT malware. It was developed by Claudio Guarnieri in a joint effort with Amnesty International, Digitale Gesellschaft, Privacy International and the Electronic Frontier Foundation to help human rights activists, journalists and others who might be targeted by state-sponsored attackers, or who rely on commercial antimalware tools that don't block state-sponsored malware. It is important to note, however, that Detekt does not detect all the varieties of malware that a commercial tool does; it only helps identify the ones the commercial tools miss.
Detekt discovers malware by using the YARA, Volatility and WinPmem tools together to scan the memory of the potential target system for indicators of surveillance malware. The logs Detekt collects can then be reviewed by an expert.
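As an added illustration of the memory-scanning approach described above (example code written for this answer, not Detekt's own code or its real rules): a minimal YARA-like scanner walks a constructed memory image in chunks, matches byte indicators with an overlap so a pattern split across a chunk boundary is still caught, applies a per-rule "N of them" condition, and renders log lines for an analyst to review. Every rule name, indicator and byte of the image is a constructed placeholder.

```python
"""Minimal memory-indicator scanner in the spirit of Detekt's YARA-over-memory
approach. Rules, indicators and the image are CONSTRUCTED placeholders, not real
RAT signatures; this is an added example, not Detekt's code."""
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    strings: dict          # identifier -> byte pattern (text or hex)
    min_matches: int = 1   # YARA-style "N of them" condition

RULES = [
    Rule("Constructed_RAT_Family_A",
         {"$cfg": b"#BEGIN CONSTRUCTED_CFG#",
          "$mutex": b"CONSTRUCTED_MUTEX_A",
          "$hex": bytes.fromhex("deadbeef00c0ffee")}, min_matches=2),
    Rule("Constructed_RAT_Family_B", {"$tag": b"CONSTRUCTED_ABSENT_TAG"}),
]

CHUNK, OVERLAP = 4096, 64  # OVERLAP must be >= the longest indicator

def scan_memory(image, rules=RULES, chunk=CHUNK, overlap=OVERLAP):
    """Return {rule_name: {identifier: [offsets]}} for rules whose condition holds."""
    found = {}
    for pos in range(0, len(image), chunk):
        # Read past the chunk end so a pattern split across chunks still matches.
        window = image[pos:pos + chunk + overlap]
        for rule in rules:
            for ident, pat in rule.strings.items():
                i = window.find(pat)
                while i != -1:
                    # A set dedupes the same hit seen from two adjacent windows.
                    found.setdefault(rule.name, {}).setdefault(ident, set()).add(pos + i)
                    i = window.find(pat, i + 1)
    return {r.name: {k: sorted(v) for k, v in found[r.name].items()}
            for r in rules if len(found.get(r.name, {})) >= r.min_matches}

def report(matches):
    """Render Detekt-style log lines for a human analyst to review."""
    return [f"[ALERT] {rule}: {ident} at " + ", ".join(f"0x{o:x}" for o in offsets)
            for rule, idents in matches.items() for ident, offsets in idents.items()]

# Constructed 8 KiB "memory image": one indicator straddles the 4096-byte chunk
# boundary, another lies inside the overlap region and is seen by two windows.
IMAGE = bytearray(8192)
IMAGE[100:108] = bytes.fromhex("deadbeef00c0ffee")
IMAGE[4090:4109] = b"CONSTRUCTED_MUTEX_A"
IMAGE[4130:4138] = bytes.fromhex("deadbeef00c0ffee")
IMAGE = bytes(IMAGE)
```

Running `report(scan_memory(IMAGE))` yields two alert lines for Family A (the `$cfg` string is absent, but two of three indicators satisfy the condition) and nothing for Family B.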
Enterprises could benefit from using similar methods to identify and analyze unknown malware. Some endpoint security tools, such as Cisco AMP or FireEye MIR Endpoint Forensics, allow this type of analysis in an enterprise, but most standard antimalware tools do not.