[DE] Trojan in map download

Juergen Bogner shared this question 6 months ago
Answered

Hello,

my firewall raises an alarm when downloading offline maps!!

Threat Management Alarm 1: A Network Trojan was Detected.

Signatur ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller).

Von: xxxx, auf: 147.251.54.117:80, Protokoll: TCP


See attachment

Please explain/check whether this is a false positive

Thanks

Replies (7)


Hello Juergen,

thanks for the report.

As I see,

147.251.54.117 > address of the MTB map server (Czech university project). Not sure what the problem is with this server, but I do not expect any risk there. If your antivirus has any suspicion, do not use this map.

185.15.56.55 > open some "WikiMiniAtlas" web page. Never saw this. Is it some KML overlay you use?

Both problematic places are not directly provided by us (Asamm team), so it is hard to do something with them.

Thanks for understanding,

Menion


Hello Menion,

I am facing the same problem as Juergen. Today the IT department had to block my mobile's access to the internal net due to exactly the same traffic and malware detection as Juergen reported. We tested the problem, and the detection of malware

ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)

activity occurred exactly at the moment when I tried to download some tiles of offline maps:

MTB Europe:

Severity: High
Type: A Network Trojan was Detected
Category: IPS_VALUES_CATEGORY_EMERGING-MALWARE
Interface: eth0
Source: x.x.x.x : x
Country: Czech Republic
Destination: 147.251.54.117 : 80
Protocol: http
ASN: 2852 CESNET z.s.p.o.

Hike & Bike:

Severity: High
Type: A Network Trojan was Detected
Category: IPS_VALUES_CATEGORY_EMERGING-MALWARE
Interface: eth0
Source: x.x.x.x : x
Country: Netherlands
Destination: 185.15.56.55 : 80
Protocol: http
ASN: 14907 WIKIMEDIA

Wanderreit:

No malware activity


Could you help with the solution of this problem? I can't afford to have my access to the internal network blocked, and the only solution seems to be uninstalling Locus Map Pro from my device.

Thanks in advance

Jan


Hi Jan,

hmm, but this looks like the problem is caused by the remote map server and not directly by Locus Map or our infrastructure. An unsolvable problem, I think. The best thing for you is to avoid these maps or contact the map providers with more specific info about this problem.

Menion


Hello, I'm one of the guys maintaining the server (and an occasional Locus user).

We are still investigating the issue; however, so far it seems to be an alert triggered by the definition (https://doc.emergingthreats.net/bin/view/Main/2007845), which captures the User-Agent header of HTTP requests with a value starting with "Locus " (thus both Locus Map and Locus Map Pro trigger the signature). I'm in contact with Jan; we should be able to track it down.

Regards, L.


Hello Lukáš,

nice to meet you and thanks for the time you invest into this issue. If there is something I may help with, please let me know.

I personally have no idea where this spyware comes from, to be honest. The User-Agent defined by the app definitely does not contain the word "NetInstaller". Also, the MTB map server is a university server hosted in Prague. I'll gladly share any info you may need to find out the reason, just ask. Thanks.

Jiří M. aka Menion


Hi,

we have successfully managed to track it down to a paranoid Ubiquiti gateway traffic filter. It seems that Ubiquiti uses the malware definition identical to the one listed above, marking all HTTP requests having a User-Agent header starting with "Locus " as trojan web communication.

This assumption was later confirmed against a different map server which also serves tiles as plain HTTP, triggering the alert as well. As expected, HTTPS traffic avoids the alarm. Thus, this is a false positive. Perhaps a temporary solution might be an override of the Locus User-Agent to avoid spaces; however, the bug is still on Ubiquiti's side. I'll try to get an HTTPS certificate for mtbmap.cz; however, it might be slightly more complicated than usual, since our lab is not the owner of the domain, just running the map server.

Regards, L.
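As an added example (not code from this thread, from Locus, or from the mtbmap.cz server), here is a small Python model of the matching logic Lukáš describes, run over constructed requests: it shows why any cleartext request whose User-Agent starts with "Locus " fires, why the HTTPS and no-space variants do not, and how a defender can triage such an alert against known tile hosts before blocking a device. The rule body, the User-Agent strings and the host allowlist are assumptions for illustration, not the real signature or the app's exact values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HttpRequest:
    scheme: str        # "http" (cleartext) or "https" (TLS, headers not visible to the IDS)
    host: str
    user_agent: str

# Simplified model of the Emerging Threats rule discussed in the thread.
# Assumption: it matches a cleartext User-Agent value that starts with "Locus ".
# The real rule body is not reproduced here.
SIGNATURE = "ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)"
UA_PREFIX = "Locus "

def inspect(req: HttpRequest) -> Optional[str]:
    """Return the alert name if the simplified signature fires, else None.

    A gateway IDS without TLS interception only sees cleartext HTTP headers,
    so an https request cannot match, which is what the thread observed.
    """
    if req.scheme != "http":
        return None
    if req.user_agent.startswith(UA_PREFIX):
        return SIGNATURE
    return None

def triage(req: HttpRequest, tile_hosts: set) -> str:
    """Label a hit: 'false positive' when the destination is a known map tile
    host, 'investigate' otherwise, 'clean' when nothing fired."""
    if inspect(req) is None:
        return "clean"
    return "false positive" if req.host in tile_hosts else "investigate"

# Constructed sample traffic (hypothetical UA strings and hosts).
TILE_HOSTS = {"tile.mtbmap.cz"}
SAMPLES = [
    HttpRequest("http", "tile.mtbmap.cz", "Locus Map Pro/3.x"),    # the thread's alert
    HttpRequest("https", "tile.mtbmap.cz", "Locus Map Pro/3.x"),   # after the HTTPS fix
    HttpRequest("http", "tile.mtbmap.cz", "LocusMap/3.x"),         # UA without a space
    HttpRequest("http", "example.invalid", "Locus NetInstaller"),  # what the rule is meant for
]

def triage_all(samples=SAMPLES):
    """Run the model over all samples; returns (scheme, host, UA, verdict) rows."""
    return [(r.scheme, r.host, r.user_agent, triage(r, TILE_HOSTS)) for r in samples]

if __name__ == "__main__":
    for row in triage_all():
        print(*row, sep="  |  ")
```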


Thanks Lukas,

I've added the mentioned fix for MTB Europe.

@Juergen, what exactly was the second problematic map?


Hi, I have enabled a Let's Encrypt HTTPS certificate on the server. Can you please, @Menion, provide me and Jan with a test build to check that Ubiquiti does not complain about the HTTPS version?


Hello Lukas,

what exactly should this test build do? The latest beta version of Locus Map is available here: http://bit.ly/lmVersionsTest. Or do you need a special version of the app where access to tile.mtbmap.cz will be over the "https" protocol?


> Or do you need a special version of the app where access to tile.mtbmap.cz will be over "https" protocol?

Exactly. I have enabled HTTPS on the server, but I did not set up mandatory redirection to HTTPS (it is only optional, if the client suggests an HTTPS upgrade via the Upgrade-Insecure-Requests header), thus Locus sticks to plain HTTP (even a redirection would still trigger the Ubiquiti blacklist).


It took a while, sorry.

New version with https access just generated: http://bit.ly/lmVersionsTest . So give it a try if you find a moment, thanks!


Hi guys,

Sorry, I can't remember the second map...

But thank you for the investigation, it was a pleasure to read what you wrote...

Br, Juergen



Hey guys,

Thanks so much for your investigations, and for avoiding future issues with Ubiquiti infrastructure...

Br, Juergen

