
Can Detekt identify remote administration Trojans and spyware?

State-sponsored malware and commercial surveillance software can be difficult to identify. Expert Nick Lewis explains how the Detekt tool can help.

How well does the "Detekt" tool identify malware? Are there any other free options similar to this that would be worth using in an enterprise setting?

Detecting state-sponsored malware, and commercial surveillance software with the functionality pioneered by Back Orifice, DameWare and other remote administration tools and Trojans, has been tricky for antimalware vendors. Newer state-sponsored malware works against the interest of its target but in the interest of the sponsoring state, so a vendor that adds detection for it risks landing on that state's unfriendly list. Back Orifice was easier to deal with in its day: those who used it legitimately knew how to allow it to run, so antimalware vendors could block illegitimate use without much difficulty from state-sponsored attackers.

The free Detekt tool can be used by organizations to identify known versions of the DarkComet, FinFisher, njRAT and Gh0st RAT malware families. It was developed by Claudio Guarnieri in a joint effort with Amnesty International, Digitale Gesellschaft, Privacy International and the Electronic Frontier Foundation to help human rights activists, journalists and others who might be targeted by state-sponsored attackers while relying on commercial antimalware tools that don't block such malware. It is important to note that Detekt doesn't detect the full range of malware that a commercial tool does; it only helps to identify the surveillance families the commercial tools miss. Because its signatures cover specific known versions, a newer or modified variant can go unnoticed, so a clean result is not proof that a system is uninfected.

Detekt discovers malware by using the Yara, Volatility and Winpmem tools together: Winpmem acquires the memory of the potential target system, and Yara rules are run over that memory for indicators of surveillance malware. The logs collected by Detekt can then be reviewed by an expert.
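To make the memory-scanning step concrete, here is an added example that is not Detekt's code and not from the article: a minimal YARA-style scanner in plain Python. A rule is a set of byte patterns plus a threshold (YARA's "N of them"), `scan_region()` reports every rule whose threshold is met in one memory region, and `format_log()` produces the kind of log line an analyst would review. The rule, its pattern strings and the `demo-c2.invalid` hostname are constructed placeholders, not real indicators. On Linux the same rules can be applied to a live process through `/proc/<pid>/maps` and `/proc/<pid>/mem`, which stands in for the Winpmem acquisition that Detekt uses on Windows.

```python
"""Added illustration (not Detekt's own code): a minimal YARA-style memory scanner.

A Rule is a set of byte patterns plus a threshold (YARA's "N of them");
scan_region() walks one memory region and reports each rule whose threshold
is met. RULES below is a CONSTRUCTED demo rule, not a Detekt signature.
On Linux, scan_process() applies the rules to a live process via
/proc/<pid>/maps and /proc/<pid>/mem.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass
class Rule:
    name: str
    patterns: Dict[str, bytes]  # "$identifier" -> literal byte string to look for
    required: int               # how many distinct patterns must hit ("2 of them")


@dataclass
class Match:
    rule: str
    region: str
    hits: Dict[str, List[int]]  # "$identifier" -> offsets within the region


# Constructed demo rule: the strings and the .invalid hostname are made up.
RULES = [
    Rule(
        name="demo_rat_indicators",
        patterns={
            "$checkin": b"DEMO_RAT::checkin",
            "$keylog": b"DEMO_RAT::keylog",
            "$c2": b"demo-c2.invalid",
        },
        required=2,
    ),
]


def scan_region(region: str, data: bytes, rules: List[Rule]) -> List[Match]:
    """Apply every rule to one memory region; a rule matches when at least
    `required` of its distinct patterns occur somewhere in the region."""
    matches = []
    for rule in rules:
        hits: Dict[str, List[int]] = {}
        for ident, pattern in rule.patterns.items():
            offsets = [m.start() for m in re.finditer(re.escape(pattern), data)]
            if offsets:
                hits[ident] = offsets
        if len(hits) >= rule.required:
            matches.append(Match(rule.name, region, hits))
    return matches


def format_log(matches: List[Match]) -> List[str]:
    """One log line per match, for later review by an analyst."""
    lines = []
    for m in matches:
        where = " ".join(f"{ident}@{','.join(map(str, offs))}" for ident, offs in m.hits.items())
        lines.append(f"MATCH rule={m.rule} region={m.region} {where}")
    return lines


def iter_proc_regions(pid: int) -> Iterator[Tuple[str, bytes]]:
    """Yield (description, bytes) for each readable mapping of a Linux process.
    Reading another process's memory needs ptrace rights (for example root);
    special mappings that refuse to be read are skipped."""
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for line in maps:
            fields = line.split()
            start, end = (int(x, 16) for x in fields[0].split("-"))
            perms = fields[1]
            label = fields[5] if len(fields) > 5 else "[anon]"
            if "r" not in perms or label in ("[vvar]", "[vsyscall]"):
                continue
            try:
                mem.seek(start)
                data = mem.read(end - start)
            except (OSError, OverflowError, ValueError):
                continue
            yield f"{fields[0]} {perms} {label}", data


def scan_process(pid: int, rules: List[Rule] = RULES) -> List[Match]:
    """Scan every readable region of one process and collect the matches."""
    results = []
    for region, data in iter_proc_regions(pid):
        results.extend(scan_region(region, data, rules))
    return results


if __name__ == "__main__":
    # Caveat: scanning the scanner's own process matches the RULES strings
    # sitting in its heap. A real tool must exclude its own process, or it
    # reports its signatures as an infection.
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for line in format_log(scan_process(target)):
        print(line)
```

Run it with a target PID (`python scanner.py 1234`, as root when the process is not yours); without an argument it scans itself and demonstrates the self-match caveat. The threshold is what keeps a single common string from producing a hit; real Detekt rules combine several strings per family for the same reason, and a new variant that changes those strings will not be caught.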

Enterprises could benefit from using similar methods to identify and analyze unknown malware. Some endpoint security tools, such as Cisco AMP or FireEye MIR Endpoint Forensics, allow this type of memory analysis across an enterprise, but most standard antimalware tools do not.


This was last published in June 2015
