Domain History - False Positive Results #319
If there are traces of C2 communication on my device, I want to be alerted. MVT-Tool is flagging those events as suspicious, and they have a disclaimer in their README stating "This is not intended for end-user self-assessment", so no one is blindly using a single suspicious event from MVT-Tool and proclaiming infection. Now, let's get to the part where MVT-Tool reports differ based on connectivity.
Yes, this has been already told to you multiple times.
Jonathan, the fact you created this issue and what you are claiming is an issue only proves one thing. You lack the skills and knowledge to even be discussing the topic. Making ignorant statements and ignorant judgements doesn't help your case. You literally have no idea what you are talking about.
Because MVT-Tool only matches IOCs in Safari History based on strings, just visiting the website in Safari gives a false positive result.
MVT-Tool delivers 2 different sets of results when presented with the same sample set.
Scenario 1: The iPhone is not connected to a network, Wi-Fi, or Ethernet adapter
Prep
Open Safari, and for each line item open a new tab; after entering the address, press Go.
Result
MVT-Tool finds all 7 addresses to be positive for Pegasus without the device ever having had an internet connection.
Scenario 2: The iPhone is connected to a network, Wi-Fi, or Ethernet adapter
Prep
Open Safari, and for each line item open a new tab; after entering the address, press Go.
Result
MVT-Tool finds only 6 addresses to be positive for Pegasus. Because statsads.co redirected to 11165151.addotnet.com, it was not recognized as a malicious IOC.
In Appendix E of the Amnesty Verification report Jordi Sànchez had statsads.co that redirected as well, and when I ran the exact IOCs listed for Jordi in the report, there was no Pegasus detection found in the Safari History because of the redirects.
Conclusion
MVT-Tool is not using logic to make conclusions of a Pegasus infection; it is only looking for strings, and having or not having an internet connection on the device affects the results. This is why MVT-Tool should have documentation showing the scenarios in which false positive results are possible.
A person can manually enter any domain listed as malicious into their browser and MVT-Tool will pick it up as a positive infection when it is not.
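As an added illustration of the string-matching behaviour described in this issue (example code, not MVT's own): a hypothetical domain-IOC scan over constructed Safari history records, assuming each record carries the visited URL and, where the browser recorded one, the URL that redirected to it.

```python
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed IOC list for this illustration; statsads.co is the domain the issue discusses.
IOC_DOMAINS: Set[str] = {"statsads.co"}

# Constructed history records: (visited URL, URL that redirected to it, or None).
# Offline, the typed address itself is stored; online, the stored visit is the
# redirect destination and the typed address survives only as the redirect source.
HISTORY_OFFLINE = [("http://statsads.co/", None)]
HISTORY_ONLINE = [("http://11165151.addotnet.com/", "http://statsads.co/")]


def hostname(url: str) -> str:
    """Lower-cased host part of a URL ('' if it cannot be parsed)."""
    return (urlsplit(url).hostname or "").lower()


def matching_ioc(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    for domain in iocs:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_history(records: List[Tuple[str, Optional[str]]], iocs: Set[str],
                 check_redirect_source: bool = False) -> List[Tuple[str, str]]:
    """String-match IOC domains against history records.

    Returns (matched_ioc, matched_url) pairs. A hit only shows that the domain
    string appeared in the history, not that the device was exploited."""
    hits = []
    for url, redirect_source in records:
        candidates = [url]
        if check_redirect_source and redirect_source:
            candidates.append(redirect_source)
        for candidate in candidates:
            ioc = matching_ioc(hostname(candidate), iocs)
            if ioc:
                hits.append((ioc, candidate))
                break
    return hits


if __name__ == "__main__":
    print("offline:", scan_history(HISTORY_OFFLINE, IOC_DOMAINS))
    print("online, visited URL only:", scan_history(HISTORY_ONLINE, IOC_DOMAINS))
    print("online, with redirect source:", scan_history(HISTORY_ONLINE, IOC_DOMAINS, True))
```

The online record produces no hit when only the visited URL is matched, and a hit again once the redirect source is included; in both cases a hit is a string match on a visited domain, which is exactly why a manual visit looks the same as a real one.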