Hello,
I already posted this issue as a comment here: https://help.locusmap.eu/topic/23479-trojaner-im-karten-download
I am facing the same problem as Juergen. Today the IT department had to block access of my mobile to the internal net due to exactly the same traffic and malware detection as Juergen reported. We tested the problem and detection of malware
ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)
activity occurred exactly at the moment when I tried to download some tiles of offline maps:
MTB Europe:
Severity High
Type A Network Trojan was Detected
Category IPS_VALUES_CATEGORY_EMERGING-MALWARE
Interface eth0
Source x.x.x.x : x
Country Czech Republic
Destination 147.251.54.117 : 80
Protocol http
ASN 2852 CESNET z.s.p.o.
Hike & Bike:
Severity High
Type A Network Trojan was Detected
Category IPS_VALUES_CATEGORY_EMERGING-MALWARE
Interface eth0
Source x.x.x.x : x
Country Netherlands
Destination 185.15.56.55 : 80
Protocol http
ASN 14907 WIKIMEDIA
Wanderreit:
No malware activity
Could you help with the solution of this problem? I can't afford to have my access to the internal network blocked, and the only solution seems to be uninstalling Locus Map Pro from my device.
Thanks in advance
Jan
Hello Juergen,
thanks for the report.
As I see,
147.251.54.117 > address of the MTB map server (Czech university project). Not sure what the problem is with this server, but I do not expect any risk there. If your antivirus has any suspicion, do not use this map.
185.15.56.55 > open some "WikiMiniAtlas" web page. Never saw this. Is it some KML overlay you use?
Both problematic places are not directly provided by us (Asamm team), so it is hard to do something with them.
Thanks for understanding,
Menion
Hello Menion,
I am facing the same problem as Juergen. Today the IT department had to block access of my mobile to the internal net due to exactly the same traffic and malware detection as Juergen reported. We tested the problem and detection of malware
ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)
activity occurred exactly at the moment when I try to download some tiles of offline maps:
MTB Europe:
Severity High
Type A Network Trojan was Detected
Category IPS_VALUES_CATEGORY_EMERGING-MALWARE
Interface eth0
Source x.x.x.x : x
Country Czech Republic
Destination 147.251.54.117 : 80
Protocol http
ASN 2852 CESNET z.s.p.o.
Hike & Bike:
Severity High
Type A Network Trojan was Detected
Category IPS_VALUES_CATEGORY_EMERGING-MALWARE
Interface eth0
Source x.x.x.x : x
Country Netherlands
Destination 185.15.56.55 : 80
Protocol http
ASN 14907 WIKIMEDIA
Wanderreit:
No malware activity
Could you help with the solution of this problem? I can't afford to have my access to the internal network blocked, and the only solution seems to be uninstalling Locus Map Pro from my device.
Thanks in advance
Jan
Hi Jan,
hmm, but this looks like the problem is caused by the remote map server and not directly by Locus Map or our infrastructure. An unsolvable problem, I think. The best thing for you is to avoid these maps or to contact the map providers with more specific info about this problem.
Menion
Hello, I'm one of the guys maintaining the server (and occasional Locus user).
We are still investigating the issue; however, so far it seems to be an alert triggered by the definition (https://doc.emergingthreats.net/bin/view/Main/2007845), which captures the User-Agent header of HTTP requests with a value starting with "Locus " (thus both Locus Map and Locus Map Pro trigger the signature). I'm in contact with Jan; we should be able to track it down.
Regards, L.
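An added example in Python, not code from this thread, from Locus Map / Asamm, or from the map server: it models the match condition L. describes for ET signature 2007845, an HTTP User-Agent header whose value starts with "Locus ", and shows that the alert is decided by the client string alone, not by which tile server the request goes to. The raw requests and the Locus User-Agent strings below are constructed for illustration (the app's real User-Agent is not quoted on the page), and the suppression line assumes a Suricata-based sensor using threshold.config syntax.

```python
"""Added example, not code from the thread, from Locus Map / Asamm, or from
the map server: models the match condition described for ET signature
2007845 (User-Agent value starting with "Locus ") and shows that the
decision does not depend on the destination. Sample requests are
constructed; the Locus User-Agent strings are illustrative assumptions."""
from typing import Dict, Optional

ET_SID = 2007845        # signature id from the link in the thread
UA_PREFIX = "Locus "    # match condition as described by L. (assumed plain prefix test)

# Constructed raw HTTP/1.1 requests: two Locus tile downloads to the two
# destinations named in the alerts, plus one unrelated browser request.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "mtb_europe": (
        b"GET /tiles/14/8800/5600.png HTTP/1.1\r\n"
        b"Host: 147.251.54.117\r\n"
        b"User-Agent: Locus Map Pro/3.0 (Android)\r\n"   # assumed UA string
        b"Accept: image/png\r\n"
        b"\r\n"
    ),
    "hike_bike": (
        b"GET /hikebike/14/8800/5600.png HTTP/1.1\r\n"
        b"Host: 185.15.56.55\r\n"
        b"user-agent: Locus Map/3.0 (Android)\r\n"        # header names are case-insensitive
        b"\r\n"
    ),
    "browser": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: example.org\r\n"
        b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
        b"\r\n"
    ),
}


def user_agent(raw_request: bytes) -> Optional[str]:
    """Return the User-Agent value of a raw HTTP/1.x request, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def fires(raw_request: bytes) -> bool:
    """True when the request satisfies the prefix condition of the rule."""
    ua = user_agent(raw_request)
    return ua is not None and ua.startswith(UA_PREFIX)


def triage(requests: Dict[str, bytes]) -> Dict[str, bool]:
    """Evaluate each sample request; the Host/destination never enters the decision."""
    return {name: fires(raw) for name, raw in requests.items()}


def suppress_line(destination_ip: str) -> str:
    """Suricata threshold.config entry silencing the rule for one destination that
    has been confirmed benign (assumption: the sensor is Suricata-based)."""
    return f"suppress gen_id 1, sig_id {ET_SID}, track by_dst, ip {destination_ip}"


if __name__ == "__main__":
    for name, hit in triage(SAMPLE_REQUESTS).items():
        print(f"{name:12} alert={hit}")
    print(suppress_line("147.251.54.117"))
```

Both Locus requests fire and the browser request does not, which is the behaviour Jan's alerts show: the two map servers are merely the destinations of ordinary plain-HTTP tile downloads, so the fix belongs on the sensor side (a suppression or threshold for destinations you have verified, or feedback on the rule itself) rather than with the map providers.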
Greetings Lukáš,
nice to meet you and thanks for the time you invest into this issue. If there is something I may help with, please let me know.
I personally have no idea where this spyware comes from, to be true. The user-agent defined by the app definitely does not contain the word "NetInstaller". Also, the MTB map server is a university server hosted in Prague. I'll gladly share any info you may need to find out the reason, just ask. Thanks.
Jiří M. aka Menion
Hi guys,
Sorry, I can't remember the sec. card...
But thank you for investigation, it was a pleasure to read what u wrote...
Br, Juergen
--
This message was sent from my Android mobile phone with 1&1 Mail.
Hey guys,
Thx so much for your investigations and to avoid future issues with Ubiquity infrastructure...
Br, Juergen
--
This message was sent from my Android mobile phone with 1&1 Mail.