Hours spent on long-distance phone calls to political activists in the Middle East, journalists in Africa or human rights organizations in Asia are stressful for Claudio Guarnieri, an independent security researcher, white-hat hacker and civil rights activist.
Often he has to convince that party, who is living in some remote and oppressed part of the planet that their computer and essentially their lives, are under surveillance by a nasty piece of computer code that won’t let go of their contacts, files or keystrokes.
The result, far too many times, is that the hacked laptop ends up being physically destroyed as does the passion and good work the voice on the phone has been doing. Too often, fear makes them close up shop, stop helping others, and in extreme cases, make a dash for the border.
Such organizations or individuals aren’t resourced to ward off suspicious governments or paranoid dictators who buy and use powerful spyware to keep tabs on their subjects. Far too many, Guarnieri says, are still running woefully out of date Windows XP machines for example, with no means to license security software or an updated OS in order to protect themselves from remote access Trojans or the FinFisher spyware of the world.
“In the beginning when I started working on this, I was mostly interested in the pure technical aspect of it. And to be honest, I’m not really interested in the technical aspect of it anymore,” Guarnieri said. “The interesting part is seeing the social and political context of this and also the human aspect of this. Learning how these kinds of attacks and this kind of surveillance could affect people individually is really interesting.”
Guarnieri, today, with a number of partners such as Amnesty International, The Electronic Frontier Foundation, Privacy International and Digitalle Gesellschaft, took a step toward scaling out his efforts to help activists and journalists in need with the release of Detekt.
Detekt is detection software that Guarnieri has been using for some time in an ad hoc fashion to help victims scan their Windows computers for certain spyware families. It’s written in Python and relies on malware scanners such as Yara, Volatility and Winpmem to look memory for traces of the worst of the worst spyware, such as DarkComet, Xtreme, BlackShades, njRAT, ShadowTech, Gh0st and FinFisher from FinSpy and HackingTeam RCS.
Detekt does not remediate, and is not meant to be a substitute for antivirus or intrusion detection capabilities, Guarnieri said. It is limited to the malware families listed and is meant to be a quick triage for victims suspicious that their computers may have been compromised.
“It’s a tool with a very specific purpose and with a very small coverage; it detects less than 10 families of spyware and probably doesn’t detect all the variants of them,” Guarnieri said. “We wanted to do this because firstly some of them are not very well detected by a traditional security system. If you take the most sophisticated ones like HackingTeam and FinFisher they make sure they regularly and rigorously evade all antivirus products before they come out. We see that. We see newer versions completely undetected but with these techniques, we detect them pretty effectively. I guess that’s because we have an advantage of seeing it firsthand. Obviously, when this thing is out, I assume within a couple of days our detections will be defeated as well.”
Guarnieri expects he’ll be spending some time committed to updating signatures as new variants come out and especially if uptake is swift for Detekt. That won’t mean, however, that this first public iteration of Detekt is immediately obsolete. Guarnieri said that some of the malware families are not updated any longer, while in other cases, some governments or oppressive groups are still using older versions of FinFisher or HackingTeam.
“If people think that it’s somewhat useful, then certainly I’m committed to keeping it up to date as well as having other people contributing to it since it’s on Github now,” Guarnieri said.
Attacks against groups fighting for a Free Tibet, for example, have evolved beyond just monitoring computers and mobile devices, but also exploiting weaknesses to track physical location, putting personal safety at even greater risk. For groups such as these, Guarnieri said, Detekt is likely to be a welcome sight.
“It’s a difficult thing to realize that everything they’ve done online and offline has been monitored and stolen from them,” Guarnieri said. “It’s not an easy thing especially when we work with journalists or political advocacy groups; the first thing they are concerned about is their sources and networks which is often the reason they are attacked in the first place.”
Situations such as these, as well as the Snowden leaks starting in June 2013, has brought out the activist in more than one white hat.
“As a technical person coming from the hacking community and security industry, seeing that there are other things you can do with your skills that are more meaningful for the public in general and not just for a corporation of some kind, it’s very satisfying. Especially when you see that these kinds of communities are very much left out of interest from the commercial security industry,” Guarnieri said. “They don’t have the resources, expertise or people who can do these kinds of things because people with these skill sets don’t generally work for free with NGOs but rather go to work for big corporations or Google and gets lots of money. There’s a need for help in this area but there is very little supply unfortunately.”