How well does the "Detekt" tool identify malware? Are there any other free options similar to this that would be worth using in an enterprise setting?
Detecting state-sponsored malware, or commercial software with functionality pioneered by Back Orifice, DameWare and other remote administration Trojans (RATs), has been tricky for antimalware vendors. Newer state-sponsored malware works against the interests of its target but in the interests of its state sponsor, so adding detection capabilities to stop it could put the antimalware vendor on that state's unfriendly list. The Back Orifice RAT was less tricky to deal with in its day: those using it legitimately knew how to allow the software to run, so antimalware vendors could block illegitimate Back Orifice use without much difficulty from state-sponsored attackers.
The free Detekt tool can be used by organizations to identify current versions of the DarkComet, FinFisher, njRAT and Gh0st RAT malware families. It was developed by Claudio Guarnieri in a joint effort with Amnesty International, Digitale Gesellschaft, Privacy International and the Electronic Frontier Foundation to help human rights activists, journalists and others who might be targeted by state-sponsored attackers, or who rely on commercial antimalware tools that don't block state-sponsored malware. It is important to note, however, that Detekt does not detect all of the malware varieties a commercial tool does; it only helps identify those the commercial tools miss.
Detekt discovers malware by using the YARA, Volatility and WinPmem tools together to scan the memory of the potential target system for indicators of surveillance malware. The logs Detekt collects can then be reviewed by an expert.
Enterprises could benefit from using similar methods to identify and analyze unknown malware. Some endpoint security tools, such as Cisco AMP or FireEye MIR Endpoint Forensics, allow this type of analysis in an enterprise, but most standard antimalware tools do not.
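As an added example (not Detekt's own code, and not the real YARA engine), the following Python script shows the kind of memory-scanning logic described above: it parses a small subset of YARA rule syntax (text strings, hex strings with `??` wildcards, and conditions of the form `any of them`, `all of them`, `N of them` or a boolean expression over string identifiers), runs the rules over a byte buffer standing in for the memory image that WinPmem and Volatility would supply, and reports each matched rule with the offsets of its strings so an analyst can review them. The rule text and the memory buffer are constructed placeholders; the indicator strings are not real RAT signatures.

```python
"""Minimal YARA-style scanner over a captured memory image.

Added example (not Detekt's own code). Supports a small subset of YARA rule
syntax: text strings, hex strings with ?? wildcards, and conditions written as
"any of them", "all of them", "N of them" or a boolean expression over $ids.
"""
import re
from dataclasses import dataclass

# A rule body ends at the first "}" that starts a line, so a "}" inside a
# hex string (which is never at line start) does not terminate the rule.
RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*?)^\}", re.S | re.M)
COND_OF_THEM = re.compile(r"(any|all|\d+)\s+of\s+them")
SAFE_EXPR = re.compile(r"(True|False|and|or|not|\(|\)|\s)+")


@dataclass
class Rule:
    name: str
    strings: dict      # identifier -> list of byte values (None = wildcard byte)
    condition: str


def parse_rules(text):
    """Parse rule text into Rule objects (YARA subset, see module docstring)."""
    rules = []
    for m in RULE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        strings_part, condition = body.split("condition:", 1)
        patterns = {}
        for line in strings_part.split("strings:", 1)[1].splitlines():
            line = line.strip()
            if not line:
                continue
            ident, value = (part.strip() for part in line.split("=", 1))
            if value.startswith('"'):            # text string
                patterns[ident] = list(value.strip('"').encode())
            elif value.startswith("{"):          # hex string, ?? = any byte
                patterns[ident] = [None if tok == "??" else int(tok, 16)
                                   for tok in value.strip("{}").split()]
            else:
                raise ValueError(f"unsupported string form: {line}")
        rules.append(Rule(name, patterns, condition.strip()))
    return rules


def find_pattern(buf, pattern):
    """Return every offset at which pattern (bytes with wildcards) occurs in buf."""
    n = len(pattern)
    return [i for i in range(len(buf) - n + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pattern))]


def evaluate(condition, hits):
    """Evaluate a rule condition against {identifier: [offsets]}."""
    m = COND_OF_THEM.fullmatch(condition)
    if m:
        matched = sum(1 for offsets in hits.values() if offsets)
        need = {"any": 1, "all": len(hits)}.get(m.group(1))
        return matched >= (int(m.group(1)) if need is None else need)
    # Substitute True/False for each $id, then allow only boolean tokens.
    expr = re.sub(r"\$\w+", lambda t: "True" if hits.get(t.group(0)) else "False",
                  condition)
    if not SAFE_EXPR.fullmatch(expr):
        raise ValueError(f"unsupported condition: {condition}")
    return bool(eval(expr, {"__builtins__": {}}, {}))


def scan_image(buf, rules):
    """Return {rule_name: {identifier: [offsets]}} for rules whose condition holds."""
    report = {}
    for rule in rules:
        hits = {ident: find_pattern(buf, pat) for ident, pat in rule.strings.items()}
        if evaluate(rule.condition, hits):
            report[rule.name] = hits
    return report


# Constructed sample rules: placeholder indicators, not real RAT signatures.
SAMPLE_RULES = """
rule Constructed_RAT_Indicator
{
    strings:
        $mutex = "CONSTRUCTED_RAT_MUTEX"
        $hdr = { 4D 5A ?? 00 }
    condition:
        all of them
}

rule Constructed_Beacon
{
    strings:
        $a = "beacon-placeholder"
    condition:
        $a
}
"""

# Constructed stand-in for a process memory dump (what WinPmem/Volatility would supply).
SAMPLE_MEMORY = (b"\x00" * 8 + b"MZ\x90\x00" + b"junk"
                 + b"CONSTRUCTED_RAT_MUTEX" + b"\x00" * 4)

if __name__ == "__main__":
    for name, hits in scan_image(SAMPLE_MEMORY, parse_rules(SAMPLE_RULES)).items():
        print(name, hits)
```

The byte-by-byte matcher is deliberately simple and is slow on a multi-gigabyte image; in practice the same rule set would be fed to the real YARA engine (the `yara-python` bindings) and the buffer would come from a live acquisition of process memory, as Detekt does with WinPmem and Volatility. What stays the same is the output an analyst reviews: which rules fired and at which offsets, which is the starting point for confirming or dismissing the detection.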
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)