Detekt tool finds the Hacking Team's secret surveillance malware on PC

If you’ve ever wondered if the government has you under surveillance via your PC, then you need to run the new and free malware detection tool Detekt. It has already found traces of the Hacking Team's stealthy surveillance malware, but it also hunts for remote control system toolkits created by FinFisher as well as other remote access Trojans (RAT) like DarkComet RATs, XtremeRAT, BlackShades RAT, njRAT, ShadowTech RAT, and Gh0st RAT.

[Image: Detekt detects government surveillance malware. Credit: Detekt]

If you’ve ever wondered if the government has you under surveillance, via your PC, then you need to run the new and free malware detection tool Detekt. It scans Windows computers for traces of covert government surveillance spyware. Although the tool has only been available for four days, it’s already finding surveillance malware capable of remotely turning on a webcam and microphone, recording keystrokes and passwords, and allowing some government snoop to listen in on audio calls as well as read emails as if Big Brother were surfing right off your shoulder on a Windows PC.

Resist Surveillance said Detekt looks for traces of remote control system toolkits created by FinFisher and the Hacking Team. Detekt was developed by Claudio Guarnieri, who tweeted that Detekt discovered a “new undetected Hacking Team sample” that was “disguised” as the bookmark manager Linkman made by Outertech.

[Image: Detekt finds surveillance malware created by the Hacking Team. Credit: Virus Bulletin]

The German software company Outertech responded, “Fake, infected Linkman has been seen in the wild. Please make sure the publisher is Outertech when installing Linkman.” The next tweet advised downloading the product directly from Outertech to ensure receiving “clean files.”
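Checking that an installer is actually signed by the publisher you expect is the practical form of Outertech's advice. The following is an added PowerShell example, not code from the article, Outertech or the Detekt project; the file path and the expected publisher string are assumptions to adjust after inspecting the certificate on a known-good copy.

```powershell
# Added example: verify a downloaded installer's Authenticode signature and signer
# before running it. Path and publisher below are placeholders (assumptions).
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'file not found' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (tampered) or an untrusted/revoked certificate all land here
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status: $($sig.Status)" }
    }
    # Subject is a DN string such as "CN=Publisher Name, O=..., C=..."; match on the CN
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch ("CN=" + [regex]::Escape($ExpectedPublisher))) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signed by '$subject', not by $ExpectedPublisher" }
    }
    return [pscustomobject]@{ Path = $Path; Ok = $true; Reason = "valid signature, signer: $subject" }
}

# Usage with placeholder values (assumptions, adjust to your download):
$result = Test-InstallerPublisher -Path 'C:\Downloads\linkman_setup.exe' -ExpectedPublisher 'Outertech'
$result | Format-List
if (-not $result.Ok) { Write-Warning "Do not run this installer: $($result.Reason)" }
```

A valid signature only proves who signed the file, so the publisher name check is what catches a repackaged installer signed by someone else.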

The write-up on Virus Bulletin points out that “surveillance malware should be detected by anti-virus solutions, and the fact that it is written by a government should not make a difference;” but no one should rely on only “one protection layer – especially if you're worried that a government might be spying on you.”

Detekt is not out to replace your anti-virus which should, in theory, detect government surveillance malware. Meanwhile, demonstrating how “should” is not the same thing as actually detecting spyware, magwep posted on BleepingComputer that Detekt detected both njRat and XtremeRAT on a machine running Windows 7, McAfee, Super Anti Spyware and Malwarebytes.

[Image: Detekt detects two RATs. Credit: magwep via BleepingComputer]

Detekt was developed by Guarnieri and released in partnership with organizations including Amnesty International and the Electronic Frontier Foundation. Anyone can use the free Detekt tool to look for traces of remote control system toolkits created by FinFisher and the Hacking Team, though it is aimed particularly at activists, human rights defenders and journalists, who are frequently targeted for surveillance.

Back in June, Kaspersky Lab and Citizen Lab took aim at the Italian Hacking Team’s Remote Control System (RCS) toolkits infecting iPhones and Androids; feds and cops were using the Hacking Team’s “lawful intercept” Galileo software to conduct secret surveillance on journalists, activists, human rights advocates and politicians. A few weeks ago, Michael Horowitz took a deep dive into Wi-Fi security after reading manuals describing the Hacking Team’s RCS software capable of covert actions such as “activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords.”

Gamma FinFisher was hacked back in August and the latest round of documents about the secret FinFisher spyware were released to the public. FinFisher surveillance malware became well-known after WikiLeaks Spy Files first released documents in 2011. In 2012, Citizen Lab detailed FinFisher mobile malware.

If you wonder why you should try it, as Amnesty International put it, “Imagine never being alone. Someone looking over your shoulder, recording every computer keystroke; reading and listening to your private Skype conversations; using your phone’s microphone and camera to monitor you and your colleagues, without you even knowing it.”

“It's obvious that Detekt will be evaded soon, so what?” Guarnieri added, “For a few days people will be empowered to do something about it.”

The latest 26 MB version is Detekt v1.7; it includes more fixes for false positives. Go download Detekt and then disconnect from the Internet. Right-click on detekt.exe and select Run as administrator.

[Image: Run Detekt as admin (redacted)]

When the Detekt GUI comes up, click on “Scan now!” 

[Image: Detekt]

There’s no guarantee the tool will definitely detect government surveillance malware on your machine, but it’s a step in the right direction. A scan that turns up no spyware will give a message such as “Looks good. I wasn't able to identify the presence of any obvious spyware. Please note that this does not necessarily mean your computer is clean. If you have strong suspicion of being targeted, please do seek assistance.”

Although there is a possibility of false positives in the results, if Detekt finds spyware on your PC, then follow these steps which kick off with “stop using the infected computer immediately and disconnect it from the Internet, other network and removable devices, unless strictly necessary.”

Detekt does not remove any infection or delete any file that it considers suspicious. If Detekt indicates signs of infection, you should assume that your computer has been compromised and is no longer safe for use. The attacker will likely have remote-control access of your computer, meaning they can view not only your files and emails but everything you type on your keyboard and could even switch on your webcam and microphone remotely. 

Unfortunately, Windows 8.1 is not yet supported. If you still try it, then you will receive the following warning.

[Image: Detekt error for Windows 8 (cropped)]

I tried right-clicking on detekt.exe, selecting Properties, and then going to the “Compatibility” tab. From there, I checked the box labeled “Run this program in compatibility mode for:” and selected Windows 7. Then I ran it as admin, but don’t bother to try that method on Windows 8.1.

[Image: Windows 7 compatibility mode]

Clearly that ended up being an unwise decision as the program ran endlessly for hours until I finally stopped it and reviewed the log.

[Image: Detekt scanning]

See what happens when you don’t read the directions and “known issues” in full? “Windows 8.1 64 bit is currently not supported because the tool appears to be unable to complete the execution and just goes on forever. This issue needs to be investigated and resolved as soon as possible.”

An issue posted about needing Windows 8.1 support includes several people trying to run Detekt in Windows 7 compatibility mode. Apparently that’s a mistake as “it doesn't work correctly then (as it will be searching for things from windows 7 only; it won't try to see if you have any spyware hidden in the new modern user interface apps).” If you have a solution or would like to help fix the compatibility issues for Windows 8.1 or OS X, then please do!

The EFF explained, “Because Detekt is a best-effort tool and spyware companies make frequent changes to their software to avoid detection, users should keep in mind that Detekt cannot conclusively guarantee that your computer is not compromised by the spyware it aims to detect. However, we hope that the availability of this tool will help us to detect some ongoing infections, provide advice to infected users, and contribute to the debate around curbing the use of government spyware in countries where it is linked to human rights abuses.”
