Activists release Detekt tool that finds surveillance malware

A free tool released Thursday allows users to scan their computers for surveillance malware that has been used in attacks against journalists, human rights defenders and political activists around the world.

The open-source tool is called Detekt and was developed by security researcher Claudio Guarnieri. It was released in partnership with Amnesty International, Digitale Gesellschaft, the Electronic Frontier Foundation and Privacy International.

Detekt scans computers for infection patterns associated with several families of remote access Trojans (RATs): DarkComet RAT, XtremeRAT, BlackShades RAT, njRAT, FinFisher FinSpy, HackingTeam RCS, ShadowTech RAT and Gh0st RAT.

Some of these malware programs have been used in attacks by cybercriminals, but also in cyberespionage campaigns against non-governmental organizations, human rights activists, journalists and religious or ethnic minority groups.

Some tools, like FinFisher FinSpy and HackingTeam RCS, were created by commercial entities and are sold to law enforcement and other government agencies around the world. They provide a wide range of surveillance capabilities including reading emails and instant messaging conversations, listening in on Skype calls and even remotely turning on a computer's camera and microphone.

Even though the companies that create these tools, Gamma International and Hacking Team, claim to carefully screen their customers and only sell to legitimate law enforcement agencies, independent reports suggest that such tools have been used against journalists and political activists in countries where human rights are poorly protected.

While Detekt can be a good start to identify potential infections, it does not guarantee that a system is completely clean of surveillance malware.

"Beware that it is possible that Detekt may not successfully detect the most recent versions of those malware families," the developers wrote in the tool's readme file. "Indeed, some of them will likely be updated in response to this release in order to remove or change the patterns that we identified. In addition, there may be existing versions of malware, from these families or from other providers, which are not detected by this tool. If Detekt does not find anything, this unfortunately cannot be considered a clean bill of health."

It's also worth noting that Detekt is a detection tool, not a removal tool. The resistsurveillance.org site that was set up to distribute the program advises users who scan their computers with it and find spyware to seek expert help.

"Firstly, stop using the infected computer immediately and disconnect it from the Internet, other network and removable devices, unless strictly necessary," the website reads. "Secondly, decide whether to dispose of the computer or keep it and seek further assistance to investigate the attack and help you to safely recover your computer. We suggest that you speak with an expert to help you make this decision."

The site lists email addresses from experts working with the project.