mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
https://mvt.re

Legitimate Apple Apps can be seen as malicious - False Positive Results #320

Closed jonathandata1 closed 1 year ago

jonathandata1 commented 1 year ago

Legitimate Apple Apps can be seen as malicious

Setting Up

I performed the following to achieve the forgery.

  1. Downloaded the Appium iOS Test App https://github.com/appium/ios-test-app
  2. Load the test app into Xcode
  3. I changed the Display Name to Phone Diagnostics and named the Bundle Identifier Diagnosticd. Diagnosticd is one of the malicious indicators of compromise found in the STIX2 file created by Amnesty International. (Image: "Forging MVT-Tool Results")
  4. This is an example of what the app looks like on the device. (Image: "Forging MVT-Tool Results - App installed")
  5. `idevicebackup2 encryption on 123`
  6. `idevicebackup2 backup --full .`
  7. `mkdir decrypt`
  8. `mkdir results`
  9. `mvt-ios decrypt-backup -d decrypt/ -p 123 0137152d6c6b1fe5cc8af13f34f123e080128445/`
  10. `mvt-ios check-backup -o results/ decrypt/`

Results

Watch the video here

# False Positive Pegasus Spyware Forging With MVT-Tool

```text
WARNING [mvt.ios.cli] The analysis of the backup produced 2 detections!

WARNING [mvt.ios.modules.mixed.locationd] Found a known suspicious process name "Diagnosticd" matching indicators from "Pegasus"
WARNING [mvt.ios.modules.mixed.locationd] Found a suspicious process name in LocationD entry Diagnosticd
WARNING [mvt.ios.modules.mixed.osanalytics_addaily] Found a known suspicious process name "Diagnosticd" matching indicators from "Pegasus"
```

MVT-Tool is only looking for a text name; there is no logic or reasoning behind the software that is supposed to detect Pegasus Spyware.

The results generated by the MVT-Tool do not show the CFBundleDisplayName of the malicious process.

The application is only looking for the "BundleId".

This is an example output from the results file generated by MVT-Tool:

```json
{
  "BundleId": "Diagnosticd",
  "SupportedAuthorizationMask": 1,
  "Executable": "/private/var/containers/Bundle/Application/F0DD3918-FD87-4733-A89A-7B32A0B13C2C/Dignosticd.app/Dignosticd",
  "Registered": "/private/var/containers/Bundle/Application/F0DD3918-FD87-4733-A89A-7B32A0B13C2C/Dignosticd.app/Dignosticd",
  "package": "Diagnosticd",
  "matched_indicator": {
    "value": "Diagnosticd",
    "type": "processes",
    "name": "Pegasus",
    "stix2_file_name": "raw.githubusercontent.com_AmnestyTech_investigations_master_2021-07-18_nso_pegasus.stix2"
  }
}
```

If you run the following command with the physical iPhone you will see that Diagnosticd is the identifier for a legitimate iPhone App.

```text
ideviceinstaller --list-apps
CFBundleIdentifier, CFBundleVersion, CFBundleDisplayName
Diagnosticd, "1.0", "Phone Diagnostics"
```

Conclusion
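The behaviour argued over in this thread (a process name looked up against the STIX2 process indicators, with the report omitting the app's display name and path) and the point made later that such a hit is a normal indicator match an analyst then has to triage, as an added example in Python. This is not MVT's code: the STIX2 bundle, the process records, the container id and the `ideviceinstaller` listing are all constructed, and the comparison form `[process:name = '...']` is assumed to be how the feed expresses process-name indicators.

```python
"""Name-based indicator matching with the app context a reviewer needs.

Added example for this thread, not MVT's own code. The STIX2 bundle, the
process records and the app listing are constructed; the expression
"[process:name = '...']" is assumed to be how the feed encodes process names.
"""
import csv
import io
import json
import re

# Constructed STIX2 bundle: one process-name indicator plus one unrelated
# domain indicator (all ids are placeholders).
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "name": "Pegasus", "pattern_type": "stix",
         "pattern": "[process:name = 'Diagnosticd']"},
        {"type": "indicator",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "name": "Pegasus", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
    ],
})

# Constructed process records in the shape of the check-backup output quoted
# in the issue (the container id is a placeholder).
SAMPLE_PROCESSES = [
    {"BundleId": "Diagnosticd",
     "Executable": "/private/var/containers/Bundle/Application/"
                   "00000000-0000-0000-0000-000000000000/Diagnosticd.app/Diagnosticd"},
    {"BundleId": "locationd", "Executable": "/usr/libexec/locationd"},
]

# Constructed `ideviceinstaller --list-apps` output, same layout as in the issue.
SAMPLE_APP_LIST = (
    'CFBundleIdentifier, CFBundleVersion, CFBundleDisplayName\n'
    'Diagnosticd, "1.0", "Phone Diagnostics"\n'
    'com.example.notes, "2.3", "Notes Example"\n'
)

PROCESS_PATTERN = re.compile(r"\[process:name\s*=\s*'([^']+)'\]")


def load_process_indicators(stix2_text):
    """Return {lower-cased process name: indicator name} for process patterns."""
    indicators = {}
    for obj in json.loads(stix2_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PROCESS_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if match:
            indicators[match.group(1).lower()] = obj.get("name", "unknown")
    return indicators


def parse_app_list(text):
    """Parse the comma-separated listing into {bundle id: {version, display_name}}."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    next(reader)  # header row
    apps = {}
    for row in reader:
        if len(row) >= 3:
            apps[row[0]] = {"version": row[1], "display_name": row[2]}
    return apps


def match_processes(records, indicators, apps):
    """Flag records whose name hits an indicator and attach the app context.

    The match itself is the bare string comparison the issue describes; the
    extra fields are what the quoted report lacks and what a reviewer needs
    to see that the hit is a user-installed app carrying that name.
    """
    hits = []
    for rec in records:
        name = rec["BundleId"]
        ioc = indicators.get(name.lower())
        if ioc is None:
            continue
        app = apps.get(name)
        hits.append({
            "process": name,
            "matched_indicator": ioc,
            "executable": rec.get("Executable"),
            "installed_app": app is not None,
            "display_name": app["display_name"] if app else None,
        })
    return hits


def run_demo():
    """Run the matcher over the constructed inputs and return the hits."""
    indicators = load_process_indicators(SAMPLE_STIX2)
    apps = parse_app_list(SAMPLE_APP_LIST)
    return match_processes(SAMPLE_PROCESSES, indicators, apps)


if __name__ == "__main__":
    for hit in run_demo():
        print(json.dumps(hit, indent=2))
```

The hit on `Diagnosticd` is produced exactly as the thread describes, by name alone; the enrichment step is what turns it from a bare warning into something an investigator can weigh, since the report now says the name belongs to an installed app whose display name is "Phone Diagnostics" and whose binary sits in an app container. Whether that makes the hit benign is still an analyst's call, which is the position the maintainers take below.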

qurbat commented 1 year ago

How many real world examples can you locate for applications where the value of the BundleId parameter is Diagnosticd? This is a non-issue.

qurbat commented 1 year ago

I do not mean to be inflammatory, but are you sure you properly understand the concept of what an indicator of compromise represents, and the different contexts within which IoCs are used in real-world security appliances? It is generally understood by everyone that legitimate, non-malicious applications do not attempt to masquerade as malware; making your application intentionally appear as it were malware serves no legitimate end in most contexts.

Lastly, I want to bring to your attention a very clear and unmistakable disclaimer that is provided at the very beginning of the README file for the project, which is that mvt "[...] is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance."

Please close this issue.

jonathandata1 commented 1 year ago

Apple does not require a reverse-dns BundleID such as com.apple.example, they say that people typically use that and they pre-fill the reverse-dns when you're making an app, but it is not required.

https://developer.apple.com/documentation/bundleresources/information_property_list/cfbundleidentifier

How many real-world examples there are is irrelevant. There needs to be better logic put in place; this is the point of me opening an issue.

jonathandata1 commented 1 year ago

> I do not mean to be inflammatory, but are you sure you properly understand the concept of what an indicator of compromise represents, and the different contexts within which IoCs are used in real-world security appliances? It is generally understood by everyone that legitimate, non-malicious applications do not attempt to masquerade as malware; making your application intentionally appear as it were malware serves no legitimate end in most contexts.
>
> Lastly, I want to bring to your attention a very clear and unmistakable disclaimer that is provided at the very beginning of the README file for the project, which is that mvt "[...] is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance."
>
> Please close this issue.

Did you really just say that to me? "It is generally understood by everyone that legitimate, non-malicious applications do not attempt to masquerade as malware"

Malicious Android apps found masquerading as legitimate antivirus tools https://www.techrepublic.com/article/malicious-android-apps-masquerading-as-av/

Bro, never tell me to close a ticket when you can't even understand that YES malicious apps pose as legit tools.

abashinfection commented 1 year ago

> Malicious Android apps found masquerading as legitimate antivirus tools
>
> https://www.techrepublic.com/article/malicious-android-apps-masquerading-as-av/
>
> Bro, never tell me to close a ticket when you can't even understand that YES malicious apps pose as legit tools.

He literally told you the other way around: legit apps don't usually pose as malware.

qurbat commented 1 year ago

> > I do not mean to be inflammatory, but are you sure you properly understand the concept of what an indicator of compromise represents, and the different contexts within which IoCs are used in real-world security appliances? It is generally understood by everyone that legitimate, non-malicious applications do not attempt to masquerade as malware; making your application intentionally appear as it were malware serves no legitimate end in most contexts. Lastly, I want to bring to your attention a very clear and unmistakable disclaimer that is provided at the very beginning of the README file for the project, which is that mvt "[...] is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance." Please close this issue.
>
> Did you really just say that to me? "It is generally understood by everyone that legitimate, non-malicious applications do not attempt to masquerade as malware"
>
> Malicious Android apps found masquerading as legitimate antivirus tools https://www.techrepublic.com/article/malicious-android-apps-masquerading-as-av/
>
> Bro, never tell me to close a ticket when you can't even understand that YES malicious apps pose as legit tools.

Please read my comment again. Thanks.

jonathandata1 commented 1 year ago

> > Malicious Android apps found masquerading as legitimate antivirus tools https://www.techrepublic.com/article/malicious-android-apps-masquerading-as-av/ Bro, never tell me to close a ticket when you can't even understand that YES malicious apps pose as legit tools.
>
> He literally told you the other way around: legit apps don't usually pose as malware.

SharkBot malware is known for spreading itself through fake security solution apps on Google Play Store

https://www.hackread.com/security-app-play-store-sharkbot-malware/

do your research

jonathandata1 commented 1 year ago

> > > I do not mean to be inflammatory, but are you sure you properly understand the concept of what an indicator of compromise represents, and the different contexts within which IoCs are used in real-world security appliances? It is generally understood by everyone that legitimate, non-malicious applications do not attempt to masquerade as malware; making your application intentionally appear as it were malware serves no legitimate end in most contexts. Lastly, I want to bring to your attention a very clear and unmistakable disclaimer that is provided at the very beginning of the README file for the project, which is that mvt "[...] is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance." Please close this issue.
>
> > Did you really just say that to me? "It is generally understood by everyone that legitimate, non-malicious applications do not attempt to masquerade as malware" Malicious Android apps found masquerading as legitimate antivirus tools https://www.techrepublic.com/article/malicious-android-apps-masquerading-as-av/ Bro, never tell me to close a ticket when you can't even understand that YES malicious apps pose as legit tools.
>
> Please read my comment again. Thanks.

SharkBot malware is known for spreading itself through fake security solution apps on Google Play Store

https://www.hackread.com/security-app-play-store-sharkbot-malware/

do your research and then come back to me.

abashinfection commented 1 year ago

> SharkBot malware is known for spreading itself through fake security solution apps on Google Play Store
>
> https://www.hackread.com/security-app-play-store-sharkbot-malware/
>
> do your research

As per your linked article: "The malware is disguised as antivirus"

Your issue depicts the opposite situation: a legitimate application intentionally showing malware traits publicly available in IOC lists.

jonathandata1 commented 1 year ago

> > SharkBot malware is known for spreading itself through fake security solution apps on Google Play Store https://www.hackread.com/security-app-play-store-sharkbot-malware/ do your research
>
> As per your linked article: "The malware is disguised as antivirus"
>
> Your issue depicts the opposite situation: a legitimate application intentionally showing malware traits publicly available in IOC lists.

Apple Apps can be seen as malicious BY MVT-TOOL because they are only looking at CFBundleIdentifier and checking it against a keyword list.

It's literally in my issue. Try to fight whatever way you want; my issue is reproducible, it's legitimate, and my proof of concept needs to be addressed.

abashinfection commented 1 year ago

> Apple Apps can be seen as malicious BY MVT-TOOL because they are only looking at CFBundleIdentifier and checking it against a keyword list.
>
> It's literally in my issue, try to fight whatever way you want, my issue is reproducible it's legitimate, and my proof of concept needs to be addressed.

See @qurbat replies.

jonathandata1 commented 1 year ago

> > Apple Apps can be seen as malicious BY MVT-TOOL because they are only looking at CFBundleIdentifier and checking it against a keyword list. It's literally in my issue, try to fight whatever way you want, my issue is reproducible it's legitimate, and my proof of concept needs to be addressed.
>
> See @qurbat replies.

I read @qurbat's replies and they ignore the issue I present without providing any reason other than an opinion.

abashinfection commented 1 year ago

> I read @qurbat's replies and they ignore the issue I present without providing any reason other than an opinion.

Those are perfectly valid responses for your issue as they don't ignore the scenario you are depicting, they are addressing it.

Scenario: legitimate app intentionally (or even accidentally) posing as malicious by setting CFBundleDisplayName to a very specific value listed in a public IOC list.

Tool behavior: flags the event as suspicious. This is perfectly normal; if I write an app that communicates with a known malicious C2 server, showing malware traits, I'd expect the IDS/Antivirus to flag/stop the event.

Bonus: the MVT README also contains a warning message to specifically address situations where the infection is not clear and more investigation is needed.

> Warning: MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. This is not intended for end-user self-assessment. If you are concerned with the security of your device please seek expert assistance.

ornaeric commented 1 year ago

Oh look, Jonathan Villarreal over here making up lies and commenting on topics he lacks the skills or knowledge to talk about. Kind of like DNS. https://twitter.com/russianhackscry/status/1598111555585212416?s=20&t=rTh6C13vbE51ECWPu9k-8w

Don't worry folks he's a known charlatan, he even has webpages dedicated to letting people see the truth. https://jonathandata1.com/