FlipSkip (Members, 10 posts)

Posts posted by FlipSkip

  1. 21 minutes ago, treed said:

    Malwarebytes for Mac still fully supports Mojave, and if any NSO spyware for Mac were ever discovered, we'd update very quickly to detect it.

    Little Snitch wouldn't be able to detect a particular piece of malware unless you knew exactly what IP addresses and/or domains that malware communicated with. That information isn't readily available. The problem with using something like Little Snitch is that it can be difficult - even for a knowledgeable person - to determine whether a particular connection attempt is legitimate or not. Is that strangely-named process trying to communicate with Amazon AWS malware, or is it a part of some legitimate software? Legit software often uses some strange names, and anyone can communicate with Amazon AWS, for either legit or criminal reasons.

    I don't recommend using Little Snitch, or something like it, unless you know _exactly_ what you're doing. I've seen too many people cause too many different weird problems by misconfiguring Little Snitch and other similar tools.

    Thomas,

    Thanks for the quick response. You make some good points about Little Snitch. 

  2. On 9/14/2021 at 9:42 AM, treed said:

    We're actually not aware of any current Pegasus malware for macOS. Keep in mind that the vulnerability affected both iOS and macOS, but the only known exploits are on iOS (where, of course, nobody can do anything), and not on macOS.

    That's not to say a Mac Pegasus implant can't exist, but no security researchers to my knowledge have found it. Either it exists, but is used so cautiously that nobody's managed to find it, or NSO is only focused on mobile.

    Presumably for malware like this to be useful to the bad actor, it needs to send data home from the infected device. Assuming a Pegasus/FORCEDENTRY exploit were developed for macOS Mojave and older, would it be detectable by Malwarebytes or something like Little Snitch?

    I have a couple of systems running macOS Mojave and I have no desire to update them for a few reasons. I'd like to know if I can keep them protected using software like Malwarebytes, Little Snitch, and others.

  3. I heard back from PIA Support. They said that the IP address '212.102.52.87' is managed by Private Internet Access. Their additional instructions were as follows:

    I understand that PIA is being detected as a threat by Malwarebytes.

     

    Due to two (2) of the protection systems found in Malwarebytes, it may sometimes interfere with the processes our VPN application requires to operate. To resolve this, please follow the instructions below: 

     

    1. Right-click on the Malwarebytes icon in your system tray. 
    2. Click on Malwarebytes Anti-Malware.
    3. Click the Settings icon at the top. 
    4. Select the Detection and Protection menu on the left-hand side of the window. 
    5. Click into the drop-down menu under the heading "PUP (Potentially Unwanted Program) detections," and select "Warn User About Detections."
    6. Click into the drop-down menu under the heading "PUM (Potentially Unwanted Modification) detections," and select "Warn User About Detections." 

     

    Additionally, you may also add the exceptions below to your Malwarebytes antivirus program (NOTE: Please be aware that disabling or uninstalling your antivirus software will not resolve this issue if PIA has been flagged as a potential threat. This has already been written to the Windows registry, and adding the exceptions is the only way to remove these entries from the Windows registry):

     

    **NOTE: Please be aware that these files may not line up with your specific version of antivirus software; if this is the case, you may need to search online for steps that are a better match to your version.**

     

    File Exclusions:
    Windows:
    • C:\Program Files\Private Internet Access
    • C:\Program Files\Private Internet Access\tap\win10
    • C:\Program Files\Private Internet Access\tap\win7
    • C:\Program Files\Private Internet Access\pia-client.exe
    • C:\Program Files\Private Internet Access\pia-openvpn.exe
    • C:\Program Files\Private Internet Access\pia-service.exe
    • C:\Program Files\Private Internet Access\pia-support-tool.exe
    • C:\Program Files\Private Internet Access\pia-wgservice.exe
    • C:\Program Files\Private Internet Access\pia-unbound.exe

  4. 1 hour ago, Zynthesist said:

    That data should be in your protection log, should show associated process path. 

     

    -Website Data-
    Category: RiskWare
    Domain:
    IP Address: 212.102.52.87
    Port: 0
    (No malicious items detected)
    Type: Outbound
    File: C:\Program Files\Private Internet Access\pia-service.exe

     

    Why would Private Internet Access be trying to connect to a malware domain? Is this a false positive because if PIA was doing anything malicious, it would be all over social media by now.

     

  5. 10 hours ago, JPopovic said:

    Hello,

    199.36.223.34 - IP address has been unblocked.

    212.102.52.87 - is blocked due to this communicating file (C2)

    https://www.virustotal.com/gui/file/f4455ede7b38234cb5072c608990fada9a63fb3806df9638e03506e470c06902/behavior/VirusTotal%20Jujubox

     

    Thank you.

    Thank you for the update.

    How do I identify which process or program is trying to contact this IP address from my system? When I do a system wide search for "Jujubox", nothing shows up. And full scans of my system both with Windows Defender and Malwarebytes find no threats.

  6. There are two IP addresses that Malwarebytes' RTP detection repeatedly blocks as either malware or trojan.

    199.36.223.34 - Quebec, Canada; ISP: Total Server Solutions L.L.C. and Performive LLC (https://performive.com/)

    212.102.52.87 - UK; ISP: Datacamp Ltd (https://datacamp.co.uk/)

     

    They are outbound either from the System (which is too vague to be helpful) or from Private Internet Access. The lack of details is frustrating, especially when compared to a product like Little Snitch on macOS, which gives detailed information about the exact process and port number on both outbound and inbound IP addresses.

     

     

    Attachments: detection_1.txt, detection_2.txt, detection_3.txt
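The protection-log entry shown in post 4 above and the detection_*.txt exports attached here use the same `Key: Value` layout. As an added example (my own code, not the poster's and not part of Malwarebytes), the following PowerShell reads one or more exported reports, pulls out every `-Website Data-` block and tabulates which file was blocked talking to which address, which answers the "which process?" question directly from the logs rather than from the pop-up. It assumes the plain-text export format shown in post 4 (a `-Website Data-` header followed by `Key: Value` lines and ended by a blank line); the function name Get-MbamWebsiteBlocks is mine, and the three file names are just the ones attached to this post.

```powershell
# Added example, not from the forum thread or Malwarebytes.
# Parses "-Website Data-" blocks out of exported Malwarebytes report text files
# and returns one object per block (Category, IPAddress, Port, Type, File, ...).
# Assumption: each block is a "-Website Data-" header line, followed by
# "Key: Value" lines, terminated by a blank line (the layout shown in post 4).

function Get-MbamWebsiteBlocks {
    param(
        [Parameter(Mandatory)][string[]]$Path
    )
    foreach ($file in $Path) {
        $inBlock = $false
        $entry   = $null
        foreach ($line in (Get-Content -LiteralPath $file)) {
            if ($line -match '^-Website Data-') {
                # Header of a new block: flush the previous one, start a fresh record
                if ($entry) { [pscustomobject]$entry }
                $entry   = [ordered]@{ Source = $file }
                $inBlock = $true
                continue
            }
            if (-not $inBlock) { continue }
            if ($line -match '^\s*$') {
                # A blank line closes the block
                if ($entry) { [pscustomobject]$entry; $entry = $null }
                $inBlock = $false
                continue
            }
            if ($line -match '^(?<k>[^:]+):\s*(?<v>.*)$') {
                # "IP Address: 1.2.3.4" -> IPAddress = "1.2.3.4"; lines without a
                # colon, such as "(No malicious items detected)", are ignored
                $entry[$Matches.k.Trim().Replace(' ', '')] = $Matches.v.Trim()
            }
        }
        if ($entry) { [pscustomobject]$entry }   # file ended inside a block
    }
}

# Usage: group every blocked connection by remote IP and list the files
# Malwarebytes attributed them to, across all three exports.
Get-MbamWebsiteBlocks -Path .\detection_1.txt, .\detection_2.txt, .\detection_3.txt |
    Group-Object IPAddress |
    ForEach-Object {
        [pscustomobject]@{
            IPAddress  = $_.Name
            Blocks     = $_.Count
            Files      = ($_.Group.File     | Sort-Object -Unique) -join '; '
            Categories = ($_.Group.Category | Sort-Object -Unique) -join '; '
        }
    } | Format-Table -AutoSize
```

If the `File` column for an address only ever says something generic, the log has told you all it knows about the user-mode side; the next step is to catch the connection live, as in the example after post 7 below is not assumed here, so use whatever connection-monitoring tool you prefer for that.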

  7. Ever since I installed the trial of Malwarebytes, it keeps flagging and blocking random IP addresses without identifying the source. How is this helpful? It doesn't tell me the location of the IP address or what app or browser plugin or process initiated the outgoing connection.

    In addition, Malwarebytes repeatedly blocks a Private Internet Access IP address even when I'm not connected via VPN. What's going on there? Is this design by obscurity? How can I trust Malwarebytes when it gives me no option to verify what it's doing? And why would a legitimate VPN service like PIA with a long history of trust be considered a "trojan" or "riskware"?

     

    And here's another example: Malwarebytes keeps blocking one particular IP address (199.36.223.34). Great. So why is RTP detection blocking this? It claims it's malware and yet when I scan for malware with Malwarebytes or other apps, it finds none. So what is trying to phone home? Without this information, I can't troubleshoot or diagnose this. How is this helpful to the user?
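Posts 5 and 7 both ask the same thing: which process on the machine initiated the outbound connection that Malwarebytes blocked. As an added example (my own code, not the poster's and not Malwarebytes'), the PowerShell function below polls the local TCP table for connections to the two addresses reported in this thread and resolves each one to its owning process ID and image path, using only the built-in NetTCPIP cmdlets on Windows 8 / Server 2012 or later. The function name Find-ConnectionOwner and the polling parameters are mine. It only sees TCP sockets that exist at the moment of a poll, so UDP traffic and connections that are refused before the socket opens will not appear; I read the `Port: 0` in the log entry in post 4 as a hint that the blocked traffic may not be an ordinary TCP connection at all, in which case this will come up empty and a network-level capture is the next tool to reach for.

```powershell
# Added example, not from the forum thread or Malwarebytes.
# Polls the TCP connection table for sockets whose remote end is one of the
# given addresses and reports the owning process for each one seen.
# Assumptions: Windows 8+/Server 2012+ (Get-NetTCPConnection is available);
# run from an elevated shell, otherwise Path is empty for processes running as
# SYSTEM, such as a VPN service.

function Find-ConnectionOwner {
    param(
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [int]$Seconds    = 60,     # how long to keep polling
        [int]$IntervalMs = 500     # poll interval; shorter catches briefer sockets
    )
    $seen     = @{}                # dedupe on PID + remote endpoint
    $deadline = (Get-Date).AddSeconds($Seconds)

    while ((Get-Date) -lt $deadline) {
        # Filter client-side: a -RemoteAddress filter that matches nothing
        # writes a non-terminating error on every poll, which is just noise here
        $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $RemoteAddress -contains $_.RemoteAddress }

        foreach ($c in $conns) {
            $key = '{0}:{1}:{2}' -f $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true

            # PID 4 is the System process: the socket belongs to a kernel-mode
            # component (a driver), not to a user-mode executable, which is
            # why the log can only say "System" for it.
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Time          = Get-Date -Format 'HH:mm:ss'
                RemoteAddress = $c.RemoteAddress
                RemotePort    = $c.RemotePort
                State         = $c.State
                PID           = $c.OwningProcess
                ProcessName   = $proc.ProcessName
                Path          = $proc.Path      # $null when not elevated or for PID 4
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

# Usage: the two addresses from this thread; leave it running while you reproduce
# the block (e.g. start the PIA client) and note which PID/path shows up.
Find-ConnectionOwner -RemoteAddress '212.102.52.87', '199.36.223.34' -Seconds 120 |
    Format-Table -AutoSize
```

The `netstat -ano` one-liner gives the same PID column without PowerShell, but this version keeps polling and resolves the path for you, so a socket that only lives for a fraction of a second still gets recorded once with its owner.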
