For a few days now my Mu-so (1st generation) and Mu-so Qb can’t stream any of the iRadio channels anymore. All other functions do work. Both are connected via wifi to the network. I did a full reboot of the Mu-so but that did not solve the issue. Today the rebooted Mu-so is also not visible in my app anymore after I successfully added it yesterday after the reboot?
I also checked my network firewall and security center and there were alerts that my Mu-so was “attacked” on its IP address by a USA IP address with malware!!
See the message below from the threat center:
ET MALWARE User-Agent (Mozilla/4.0 (compatible))
Date 09/16/2021
Time 08:18:19 AM
Severity High
Type A Network Trojan was Detected
Category IPS_VALUES_CATEGORY_EMERGING-MALWARE
Interface eth1
Source 192.168.20.252 : 3142
Country: USA
Destination 154.27.73.59 : 80
Protocol http
ASN 13886 CLOUD-SOUTH
This scares me quite a lot as it looks like my Mu-so equipment is infected by malware and therefore can’t stream or connect to the app. HELP!
I also have a Naim Unity (wired) and that works well, also the iRadio channels.
Hi @Peter27, sounds really frustrating. Might be tricky to solve here without going through a bunch of steps. Could I ask you to contact Support on support@naimaudio.com and they can contact you and launch into some diagnostics?
Hi Tom,
Sure, I will do that. The firewall blocked all incoming and outgoing traffic from my Mu-so equipment, so that probably also causes the streaming issues. But I need to be sure no malware has been installed on the equipment before reconnecting.
The internet radio service uses two servers based in the USA:
naim.vtuner.com - 192.227.85.88 (primary server)
naim2.vtuner.com - 154.27.73.59 (secondary server)
These addresses need to be allowed through the firewall for the system to work. As these are http based services the server does not route back in, but rather the streamer does an http request out to the server and a reply comes back.
Once unblocked, restart the Mu-so (a long press and hold on the standby button to shut it down, then a short press to start it up).
These were indeed the 2 IP addresses that were detected by my Unify network firewall and Threat management and identified as High risk as it was recognized/detected as Network Trojan malware.
Any idea how this could have happened since last Friday, as I never had these warnings in the past 3 years? And how certain are we that there is indeed no malware being installed via these 2 servers …
The only thing that these servers return back are text XML files based on requests made by the streamer, which eventually have VTuner URLs in them for stations to play. The server URLs haven’t changed for years as well.
What is more likely is that the firewall software provider did an update on their side and they’re just misrecognising it. Note in their log it’s under IPS_VALUES_CATEGORY_EMERGING-MALWARE, which uses signatures to double guess if something is questionable. Aka - it’s not a known real virus, or one an antivirus engineer has pulled apart, but they have some code that just looks out for likely characteristics. I suspect lots of URLs in an XML file might have triggered it.
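Added example, not part of the thread and not Naim or firewall-vendor code: a small Python triage of the alert text posted above, showing which side opened the connection and whether the remote address is one of the two radio servers listed in the thread. The function names are hypothetical, the parser assumes the label/value layout and IPv4 addresses seen in the post, and the server list is copied from the thread and should be re-checked against DNS before it is trusted.

```python
import ipaddress

# Alert text as posted in the thread, one "Label value" pair per line.
ALERT = """\
ET MALWARE User-Agent (Mozilla/4.0 (compatible))
Severity High
Type A Network Trojan was Detected
Interface eth1
Source 192.168.20.252 : 3142
Country: USA
Destination 154.27.73.59 : 80
Protocol http
"""

# Radio servers named in the thread (assumption: still current).
RADIO_SERVERS = {"192.227.85.88": "naim.vtuner.com",
                 "154.27.73.59": "naim2.vtuner.com"}

def parse_alert(text):
    """Turn the pasted alert into a dict; first line is the signature name."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    alert = {"signature": lines[0]}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        if key in ("Source", "Destination"):
            host, _, port = value.partition(":")
            alert[key.lower()] = (ipaddress.ip_address(host.strip()), int(port))
        else:
            alert[key.rstrip(":").lower()] = value.strip()
    return alert

def triage(alert):
    """Report flow direction and whether the remote end is a listed server."""
    (src, _), (dst, _) = alert["source"], alert["destination"]
    if src.is_private and not dst.is_private:
        direction = "outbound"   # LAN device opened the connection
    elif dst.is_private and not src.is_private:
        direction = "inbound"    # remote host connected to the LAN device
    else:
        direction = "internal" if src.is_private else "external"
    remote = dst if direction == "outbound" else src
    return {"direction": direction,
            "initiator": str(src),
            "known_server": RADIO_SERVERS.get(str(remote)),
            # The signature name itself refers to the HTTP User-Agent header.
            "names_user_agent": "User-Agent" in alert["signature"]}

if __name__ == "__main__":
    print(triage(parse_alert(ALERT)))
```

For the posted alert this reports an outbound HTTP request from the private address 192.168.20.252 to naim2.vtuner.com, which matches the request/reply flow described earlier in the thread.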
Hi, I think I have the same issue with one of my 1st Gen QBs. I recently set up a new wi-fi mesh system and one of my QBs now no longer picks up internet radio. Are you able to help with how I can bypass the firewall?
My firewall (Unify) blocked all traffic from both IP addresses as it identified it as very insecure. Not sure why, but after unblocking it all worked well again.
Thanks, I fear I’m not quite as familiar with my firewall settings as you are with yours, will have to poke around to see what I can find. The odd thing is that it works on my other QB.