UPDATE: The tool “Detekt”: what you should know about it

11/24/2014
G DATA Blog

As reported, the recently launched “Detekt” is a tool to detect nation-state spyware by performing in-memory scans with the help of static Yara rules. G DATA appreciates the attempt to raise awareness of spyware, but looking at the technical realization of the tool, we have to say that it is certainly well-intentioned, but far from well-made.

Rules pulled from source code

The developers have pulled six of the, at that time, eight rules out of the Yara rule set. This means that, in its current version, Detekt can only find two spyware families! We suspect that the reason for this action was massive false positive problems, as the GitHub source code comment reads:
# TODO: this is hacky, need to find a better solution to false positives
# especially with security software.

Detekt falsely identifies G DATA solution as spyware

Security solutions in particular seem to cause problems for the “Detekt” tool, as most of them have an effective scanning mechanism, often referred to as “On Access Scan”. This means: as soon as a file is accessed (e.g. on execution), the security solution scans the file for malicious traces.
This situation arises when “Detekt” is executed after it has been saved to the user’s HDD. As soon as the user launches “Detekt”, an installed G DATA solution starts its scanning process and therefore loads the “Detekt” code, including all the Yara rules, into memory to work with it. But “Detekt” scans the memory and therefore… let’s say… detects itself! It finds the strings it is supposed to look for while G DATA is scanning the program’s code. The “Detekt” log file that is created then names GDScan.exe as the alleged perpetrator.

Detekt falsely identifies browsers as spyware

Another scenario we have already encountered is the “detection” of a browser as spyware, in this case Mozilla’s Firefox. In a test on a new and fresh Windows machine, we opened the browser, downloaded “Detekt” to our HDD and checked out the website with the current Yara rules.
After we launched “Detekt”, it flagged firefox.exe as infected with spyware, because the browser memory still held information about the tool and, more importantly, about the Yara rules. So, again, “Detekt” actually detected itself.
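
The two self-detections described above (GDScan.exe and firefox.exe) can be reproduced in miniature. The following Python is an added example, not Detekt's code: the family names, signature strings, sample.exe and the memory snapshots are constructed, and the rule-context check is an assumed triage heuristic.

```python
# Constructed placeholder signatures; not Detekt's real Yara rules.
SIGNATURES = {
    "FamilyA": [b"famA-mutex-7f3c", b"famA-config-marker"],
    "FamilyB": [b"famB-pipe-name"],
}

def rule_text():
    """Rule definitions as plain text, as they sit in the scanner's own file."""
    out = []
    for family, strings in SIGNATURES.items():
        out.append(b"rule %s { strings:" % family.encode())
        out += [b'  $s%d = "%s"' % (i, s) for i, s in enumerate(strings)]
        out.append(b"  condition: any of them }")
    return b"\n".join(out)

# Constructed memory snapshots: process name -> bytes held in memory.
MEMORY = {
    "GDScan.exe": b"\x00" * 32 + rule_text() + b"\x00" * 32,  # AV reading the tool's file
    "firefox.exe": b"<pre>" + rule_text() + b"</pre>",         # rules page still cached
    "notepad.exe": b"shopping list: milk, eggs",
    "sample.exe": b"\x90\x90famA-mutex-7f3c\x00\x01",          # bare string, no rule syntax
}

def hits(buf):
    """Return (family, offset) for every signature occurrence in buf."""
    found = []
    for family, strings in SIGNATURES.items():
        for s in strings:
            pos = buf.find(s)
            while pos != -1:
                found.append((family, pos))
                pos = buf.find(s, pos + 1)
    return found

def naive_scan(memory):
    """Pure string matching over memory: any hit marks the process as infected."""
    report = {name: sorted({f for f, _ in hits(buf)}) for name, buf in memory.items()}
    return {name: fams for name, fams in report.items() if fams}

def in_rule_context(buf, pos):
    """True if the hit is the quoted value of a '$name = "..."' rule assignment."""
    return buf[max(0, pos - 3):pos] == b'= "'

def triage(memory):
    """Separate hits that are only rule text from hits that need a closer look."""
    verdicts = {}
    for name, buf in memory.items():
        found = hits(buf)
        if found:
            only_rules = all(in_rule_context(buf, pos) for _, pos in found)
            verdicts[name] = "rule text in memory" if only_rules else "needs analyst review"
    return verdicts
```

A process classified as "rule text in memory" is only deprioritised, not cleared; the verdict says the matched bytes look like the scanner's own rule definitions.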

There may be many more effects that can lead to false positive detections. “Detekt” acts quite aggressively with its detections, and we can well understand that users are unsettled by the many messages that seem to occur, especially as one piece of the developers’ advice is as drastic as “decide whether to dispose of the computer” in case an infection is found.

The Detekt tool is available for everyone, but making sense of the results is for specialists only. If you don’t know about the internals of the system, strange situations can occur. Think twice and don’t panic. Seek advice from experts.