I downloaded the AirVPN Client (Ver 2.8.8) on my new system and as soon as the screen pops up about Network Lock, MalwareBytes kicks in and stops a malicious outbound connection to 91.220.163.33 port 8.

 

I am already running full antivirus and obviously malware premium (paid version).

 

Why is there an outbound from AirVPN Client?

 

It resolved back to here:

 

IP address: 91.220.163.33
ISP: TOV Commercial Company 'Olevan plus'
Country: Ukraine (UA)
 
Now the real kicker is I kept the interface up for a bit and went to search at Google, and they came back and stated it looks like you have some unusual activity coming from your IP address, please verify the following letters. Now in all my years using AirVPN I have never had to do this or ever had this, nor had Malwarebytes block an outbound.
 
The old version (on my other computer) without network blocking does not have this issue and I am afraid to upgrade it until I get a few answers.
 
Thanks for any insight or help!


Hello!

 

91.220.163.33 is not one of our IP addresses. It is in the same /24 subnet as our new server in Ukraine; by the way, Eddie does not send any packet to this specific address, but pings 91.220.163.44, i.e. one of the server's entry-IP addresses (to determine latency from your node and help you pick best servers for your system). But not to port 8.

 

Before anything else, did you download the client software Eddie from our web site? Can you verify the downloaded archive fingerprint? Are you sure that this traffic activity is really toward that IP address, originated by Eddie, and to outbound port 8? And anyway this is not a new feature in Eddie, it was implemented even in previous versions.

 

After you have made sure that you have a genuine Eddie copy, what happens if you disable pings from inside Eddie by unticking "Enable Pinger / Latency Tests" in "AirVPN" -> "Preferences" -> "Advanced" ?

 

Kind regards

I removed the client and downloaded it again while logged into the site directly. Now this is unique. When I go to server listings Theemim in Kiev is at zero ms. and it is between the new Miami locations. When I monitor traffic (which there is plenty of while connected) as soon as I drop it goes away. 

 

airvpn%20ukraine.jpg

 

I have done full low level system scans and nothing seems to be detected but Malwarebytes grabs that every time upon launch and all the port forwarding etc.


Maybe someone operates a server behind AirVPN spreading Malware, and the DynDNS name is theemim... that's possible in conjunction with AirVPN's port forwarding feature.

 

Or it's just MB's database being a moron. I wouldn't use it as a live AV; to be honest, it's only useful to run a quick scan to make way for Kaspersky.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


Maybe someone operates a server behind AirVPN spreading Malware, and the DynDNS name is theemim... that's possible in conjunction with AirVPN's port forwarding feature.

 

 

Hello,

 

names provided by our DDNS are *.airdns.org.

 

DynDNS is a service offered by Dyn Corp. and is another DDNS. There's no way they can use *.airvpn.org names, of course.

 

theemim.airvpn.org resolves into Theemim entry-IP address according to the convention "server_name.airvpn.org"

 

The doubts arose from that other IP address cited in the first message, 91.220.163.33. However, as Zaroad pointed out, the whole range 91.220.163.0/24 could be blocked by Malwarebytes.

 

We just fell in that range with the IP addresses of this brand new server, not very lucky, but anyway we saw (probably you remember that) that Malwarebytes blocks enormous IP ranges for just one problematic machine: for example they blocked our frontend in Luxembourg as source of malware, and they confirmed, when inquired about that, that the block was correct because in that datacenter a different machine was spreading malware. Not exactly a fine grain defense for their users...

 

EDIT: this is a funny thread from 2012 https://airvpn.org/topic/5061-mbam-webip-blocking-module-blacklist-airvpn-ips

 

Given all of the above, we think that any person reading this thread can easily draw some conclusions about Malwarebytes.

 

Kind regards
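
The distinction drawn in the reply above, between a block on a known server entry-IP and a block on an address that merely shares its /24, can be checked mechanically when triaging such alerts. This is an added example, not part of the original thread and not AirVPN or Malwarebytes code; the log line format, the process name and the function names are assumptions, and the sample lines are constructed around the addresses quoted in the thread.

```python
import ipaddress
import re

# Entry-IP address the staff reply says Eddie pings (taken from the thread).
KNOWN_SERVERS = {"theemim": ipaddress.ip_address("91.220.163.44")}

# Constructed sample lines; the log format and process name are hypothetical.
SAMPLE_LOG = """\
BLOCK outbound dst=91.220.163.33 port=8 proc=client.exe
BLOCK outbound dst=91.220.163.44 port=0 proc=client.exe
BLOCK outbound dst=198.51.100.7 port=443 proc=client.exe
BLOCK outbound dst=not-an-ip port=8 proc=client.exe
"""

LINE_RE = re.compile(r"dst=(?P<dst>\S+)\s+port=(?P<port>\d+)")


def classify(dst, prefix_len=24):
    """Return (verdict, server_name, network) for one blocked destination."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return ("invalid", None, None)
    # Exact matches take priority over range matches for every known server.
    for name, server in KNOWN_SERVERS.items():
        if ip == server:
            net = ipaddress.ip_network(f"{server}/{prefix_len}", strict=False)
            return ("exact", name, str(net))
    for name, server in KNOWN_SERVERS.items():
        net = ipaddress.ip_network(f"{server}/{prefix_len}", strict=False)
        if ip in net:
            # Shares the range with a known server but is not the server itself.
            return ("same-range", name, str(net))
    return ("unrelated", None, None)


def triage(log_text):
    """Classify every blocked destination found in the log text."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            results.append((m["dst"], int(m["port"])) + classify(m["dst"]))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A "same-range" verdict only says the blocked address is a neighbour of a known server; it does not show which process sent the traffic or why the range is listed.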


Aaah, right, it's airdns.org, hehe, it was night when I wrote it, forgive me

 

Also, I forgot Zaurak has been withdrawn and replaced by Theemim.. that's awkward.

