Author Topic: Malware blocked airport data  (Read 5257 times)

peter.seddon

Malware blocked airport data
« on: February 05, 2021, 11:48:33 am »
I keep getting a notification from Malwarebytes about www.airport-data.com. It says there is a trojan; the website www.airportdat.com, on the other hand, loads OK. Has there been an update and a typo, or is there someone trying to hack us? I got the first notification on 02/20/2021 at 12:22.
« Last Edit: February 05, 2021, 11:50:36 am by peter.seddon »
Peter S
G-DDLA

exfirepro

Re: Malware blocked airport data
« Reply #1 on: February 05, 2021, 12:18:07 pm »
Hi Peter,

I take it you mean when you click on a picture via the Aircraft Data link from your ATOM display? I'm certainly not seeing any issues either on my iPad or Windows PC and Airport-Data.com opens fine. I'm using Virgin's standard 'F-Secure SAFE' 'anti-virus' software, so the issue may be specific to Malwarebytes.

Last ATOM firmware update was on 20210123 so it's been running almost 2 weeks now with no reported problems (to my knowledge).

Regards

Peter R

peter.seddon

Re: Malware blocked airport data
« Reply #2 on: February 05, 2021, 12:28:18 pm »
If I click on the website it gets blocked, saying it may contain a trojan. I'll have to try it on a non-connected PC and see what happens.
Peter S
G-DDLA

steveu

Re: Malware blocked airport data
« Reply #3 on: February 05, 2021, 06:11:04 pm »
Is it worth escalating this to Malwarebytes as a false positive?

No problem here with Avast Free...

peter.seddon

Re: Malware blocked airport data
« Reply #4 on: February 06, 2021, 10:18:33 am »
Posted a topic on the Malwarebytes forum, will see what transpires.
Peter S
G-DDLA

peter.seddon

Re: Malware blocked airport data
« Reply #5 on: February 07, 2021, 09:52:05 am »
This is the reply I got so there must be something to it.

"Hi,

The block will be reviewed. It's currently being blocked as part of a banker trojan using the IP the domain resides on. -- https://www.virustotal.com/gui/url/3dd6a5e4e6e3aea72ad5a6bb676b5e30269cedaf5b270767161188babc25a941/detection

Thank you"

So it is under review, perhaps this needs to be passed to the website owner.

Cheers
Peter.
Peter S
G-DDLA

Ian Melville

Re: Malware blocked airport data
« Reply #6 on: February 07, 2021, 01:30:01 pm »
Yes, I would report it to the webmaster.

peter.seddon

Re: Malware blocked airport data
« Reply #7 on: February 07, 2021, 05:33:14 pm »
Does anyone know his email address? I tried webmaster@ but that bounced.
Peter S
G-DDLA

steveu

Re: Malware blocked airport data
« Reply #8 on: February 07, 2021, 05:45:05 pm »
It seems like they are a bunch of wannabe Secret Squirrels; any "Contact Us" link results in the same stupid loop.

I looked up the domain owner here in Whois:

https://lookup.icann.org/lookup

but it seemed to be the same sort of Secret Squirrel stuff.

Not sure if I can post the output of an ICANN query in public but if you put the domain in there you'll get an email address which you might try...

It looks a bit strange or even like a bit bucket...


peter.seddon

Re: Malware blocked airport data
« Reply #9 on: February 07, 2021, 10:20:47 pm »
Comes up with some silly email addresses and a mailing address in Toronto. It does seem sus as there is a similar website called www.airportdata.com, i.e. no hyphen.
Peter S
G-DDLA

steveu

Re: Malware blocked airport data
« Reply #10 on: February 07, 2021, 11:36:43 pm »
Quote from peter.seddon: "Comes up with some silly email addresses and a mailing address in Toronto. It does seem sus as there is a similar website called www.airportdata.com, i.e. no hyphen."

But the issue is where the link comes from: who serves up that web page, is it 360Radar, PilotAware or someone else?

Whoever has coded that page has put a website with a hyphen in it alongside airliners.net and airframes.org

This is either intentional (whoever coded that web page intended for the URL with the hyphen to be there) or the site code has been hacked.

I'm going to suggest that if it really is the correct site, does whoever serves up the web page want to remove the hyphened link until the malware issues are resolved?

I'm an admin on a free flying forum and we had problems with someone trying to screen scrape the whole web site, short term resolved with an IP block. There could be one site cloning another, but this can only be resolved by web masters...


exfirepro

Re: Malware blocked airport data
« Reply #11 on: February 08, 2021, 08:57:23 am »
Steve,

The link to airport-data.com will be down to VRS - www.virtualradarserver.co.uk.

PilotAware simply incorporate the VRS application into the ATOM firmware so that station owners / maintainers (as ‘non-commercial’ users) can use it to visualise and display traffic. As ‘users’ of their system, we are subject to VRS’s rules and have very little influence or control over how VRS is configured and operates or its external links.

If Peter and yourself want to pass on your findings, there are contact details at the bottom of the VRS Home Page. I’m sure they would be interested to hear from you - especially if this exposes a threat (or potential threat) to their system.

Please keep us informed.

Best Regards

Peter R
« Last Edit: February 08, 2021, 09:00:48 am by exfirepro »

peter.seddon

Re: Malware blocked airport data
« Reply #12 on: February 08, 2021, 09:58:23 am »
I've just sent an email to Andrew at Virtual Radar Server so we'll see what he says.
Peter S
G-DDLA

peter.seddon

Re: Malware blocked airport data
« Reply #13 on: February 08, 2021, 10:11:38 pm »
Got a reply from Andrew and he is looking into this issue.
Peter S
G-DDLA

steveu

Re: Malware blocked airport data
« Reply #14 on: March 07, 2021, 03:15:38 pm »
It's back!