Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Suspicious Website

cppgenius
Newbie


Joined: 12 Jul 2008
Last Visit: 17 Jul 2008
Posts: 3

PostPosted: Sat Jul 12, 2008 1:57 pm    Post subject: Suspicious Website

Hi there. I've been doing some research on a loan scam involving the name of a company called Future View Financial Services. Now the e-mail did not come from this company but from someone posing as a representative of this company.

I did a Google search for "Future View Financial Services" and found a website for this company. Once I visited the website, I could not visit any other website anymore, not in Firefox, not in Opera nor IE, so something went wrong on my system globally, it was not just the browser. I restarted my PC and everything was back to normal. I cannot find any visible signs of an infection and everything running on my system is legitimate, there are no suspicious processes running in my system's memory. I'm not saying this site is malicious, and the problem could be related to the flash content on the site, but I want someone else to check it out for me if possible, please.

Website in question is: www[dot]futureview[dot]com[dot]ng

The fact that the website messes up my whole system worries me. I'm running an Apache server, with PHP and MySQL, on my PC, so perhaps the site is causing some kind of irrecoverable clash with the server and a restart solves the problem, I don't know.

I know all the ins and outs of my system and have solid experience with malware and malware removal, so I find it very frustrating not being able to determine the reason for this crash/corruption. Any help would be appreciated very much. Thanks.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 28 Jul 2014
Posts: 10320
Location: sunny California

PostPosted: Sun Jul 13, 2008 3:23 pm    Post subject:

Hi,

Looking at the whois information, it looks somewhat suspicious.

http://whois.domaintools.com/futureview.com.ng

This is odd on the whois page:
Code:
SSL Cert:  x00*x00.x00nx00sx00hx00ox00sx00tx00sx00.x00cx00ox00m expires in 561 days. 


And the Google results are interesting.

http://www.google.com/search?hl=en&q=futureview.com

I wonder if it might have been hacked or something. Not much on Alexa:
http://www.alexa.com/data/details/main/futureview.com.ng

Looking at the page with http://web-sniffer.net, I don't see anything that I can identify as malicious in the code.

http://web-sniffer.net/?url=http%3A%2F%2Ffutureview.com.ng&submit=Submit&http=1.1&gzip=yes&type=GET&uak=1
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 28 Jul 2014
Posts: 10320
Location: sunny California

PostPosted: Sun Jul 13, 2008 3:32 pm    Post subject:

Were you running a firewall that would have logs, or a packet sniffer on the machine, by chance? That might give a clue.
cppgenius
Newbie


Joined: 12 Jul 2008
Last Visit: 17 Jul 2008
Posts: 3

PostPosted: Tue Jul 15, 2008 9:05 am    Post subject:

Firewall log reports nothing strange, and the packet log shows nothing from the IP 69.80.208.224.

However I have tracked down the problem to this specific file:
http://www[dot]futureview[dot]com[dot]ng/price_watch.aspx

At the moment it seems like a problem with my security software and I'm confirming the details with the vendor. Will post the details as soon as I have received confirmation from them.

Even if it is only a software related problem on my PC, a couple of things still do not match up about the site:

They've been accused of self-promotion on Wikipedia:
http://en.wikipedia.org/wiki/FutureView_Financial_Services_Limited

Their anchor text of the homepage link on Wikipedia (at the bottom of the gray box on the right-hand side) is www.future.com.ng, but the underlying link still goes to futureview[dot]com. So much for branding your domain. However this could possibly be just a typo.

As you pointed out, the SSL Cert looks very funny indeed. The Registry Data is missing in Domaintools.com and DNS Stuff reports Nigeria has no WHOIS or Web Based Whois.

The following site gives more info about the domain
http://www.nigeriancomputersociety.com/domainregistration/whois.nigeria.php

but I can't find a single WHOIS service giving me the Creation date of this domain. Any suggestions?
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 28 Jul 2014
Posts: 10320
Location: sunny California

PostPosted: Tue Jul 15, 2008 9:13 am    Post subject:

You might try here:

http://www.uwhois.com/domains.html
MysteryFCM
Malware Expert


Joined: 28 Aug 2004
Last Visit: 20 Apr 2014
Posts: 850
Location: Tyne & Wear, UK

PostPosted: Tue Jul 15, 2008 12:30 pm    Post subject:

They seem to be having problems (deliberate?) with their WhoIs server. It's not connecting either on the normal WhoIs port or via HTTP;

http://pgebrehiwot.iat.cnr.it/

Ref:
http://www.rwgusa.net/whois-ng.php
http://www.iana.org/domains/root/db/ng.html

Querying their alternate WhoIs server doesn't inspire confidence either as it seems to return WhoIs details for all domains they hold?

http://hosts-file.net/?s=futureview%2Ecom%2Eng

... and none of the records returned include the one you mentioned.

Querying their alternate server via their own web interface however, is a different story. Again, whether this is deliberate or not is debatable (I don't trust Nigerians as a matter of course), but;

Code:
Whois Server Version 1.0 -  Search Nigerian Domains

NiRA makes this information available "as is" and does not guarantee its accuracy

++ futureview.com.ng ++
  Organization: Future View Securities Ltd                       
   Description: Financial Security Organisation                             
       Address: 39 Ademola Street, SW Ikoyi                                 
       Address: P.M.B 40037 Falomo, Ikoyi                                   
        Postal: 101442                                                     
          City: Lagos                                                       
       Country: Nigeria                                                     

Administrative Contact:
        Handle: DR0-NIRA                               
        Person: Domain Registrar (protected)   (registrar@register.net.ng)
  Organization: Registrar Protected                                         
       Address: c/o NITDA  28 Portharcourt Cresent                         
       Address: Off Gimbiya Street                                         
   Postal Code: 90001                                                       
          City: Abuja                                                       
         Phone: 09-                                                         

Technical Contact:
        Handle: TA5-NIRA                               
        Person: Tunde Ajayi   (tunde@pinet.com.ng)
  Organization: Pinet Informatics Limited                                   
       Address: 5th Floor, Buffalo House                                   
       Address: 2 Allen Avenue                                             
   Postal Code: 101004                                                     
          City: Ikeja                                                       
         Phone: 234-1-4707355                                               

Record updated  on 2008-01-29 09:55:49
  Zone updated on 0000-00-00 00:00:00

Domain servers in listed order:
  ns.nshosts.com  209.163.250.154
  ns2.nshosts.com  216.58.174.151

Domain is Active

Found 1 Record(s)


Since the "Zone updated" date is invalid, one must assume that the "Record updated" is actually the creation date as that is suspiciously missing.

/edit

Forgot to mention, their alternate server is;

HTTP interface: db.register.net.ng/index.php
WhoIs: whois.register.net.ng

/edit 2

Cached in case they correct it:

http://hosts-file.net/misc/pgNigerian_WhoIs_Issues.html
_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
cppgenius
Newbie


Joined: 12 Jul 2008
Last Visit: 17 Jul 2008
Posts: 3

PostPosted: Wed Jul 16, 2008 9:47 am    Post subject:

Quote:
You might try here:

http://www.uwhois.com/domains.html


Thanks Suzi, I have to bookmark that one!

Thanks for the info MysteryFCM, you certainly know your way around when it comes to domain name lookups.

Quote:
Again, whether this is deliberate or not is debatable (I don't trust Nigerians as a matter of course)


That makes two of us.

Quote:
Since the "Zone updated" date is invalid, one must assume that the "Record updated" is actually the creation date as that is suspiciously missing.


Even the "Record updated" date is useless; all .ng domains have this date: 2008-01-29 09:55:49

For instance I did a lookup for google.com.ng and found this:
Code:
Whois Server Version 1.0 -  Search Nigerian Domains

NiRA makes this information available "as is" and does not guarantee its accuracy

++ google.com.ng ++
  Organization: Google Inc                                       
   Description:                                                             
       Address: 1600 Amphitheatre Parkway                                   
        Postal: 94043                                                       
          City: Mountain View, CA                                           
       Country: United States                                               

Administrative Contact:
        Handle: BO7-NIRA                               
        Person: Bolanle Olowu   (dns-admin@google.com)
  Organization: Adepetun, Caxton-Martins, Agbor &                           
       Address: 9th Floor, St Nicholas House                               
       Address: Catholic Mission Street                                     
   Postal Code:                                                             
          City: Lagos                                                       
         Phone: +234-1-263 7178                                             

Technical Contact:
        Handle: KP1-NIRA                               
        Person: Kevin Pearl   (ccops@markmonitor.com)
  Organization: MarkMonitor                                                 
       Address: PMB 155                                                     
       Address: 10400 Overland Road                                         
   Postal Code: 83709                                                       
          City: Boise, Idaho                                               
         Phone: +1.2083895740                                               

Record updated  on 2008-01-29 09:55:49
  Zone updated on 0000-00-00 00:00:00

Domain servers in listed order:
  ns1.google.com  216.239.32.10
  ns2.google.com  216.239.34.10

Domain is Active

Found 1 Record(s)


All the domains listed here have the same "Record updated" date: http://hosts-file.net/misc/pgNigerian_WhoIs_Issues.html

Pretty useless Registry Database if you ask me.

Rhetorical Question: Why do you want to hide a crucial piece of information like the Creation Date of a domain?

Has anyone actually tried to open this site?
MysteryFCM
Malware Expert


Joined: 28 Aug 2004
Last Visit: 20 Apr 2014
Posts: 850
Location: Tyne & Wear, UK

PostPosted: Wed Jul 16, 2008 12:44 pm    Post subject:

I've got a sneaky suspicion that their WI server's behaviour may be deliberate ... but I always was the suspicious type.
MysteryFCM
Malware Expert


Joined: 28 Aug 2004
Last Visit: 20 Apr 2014
Posts: 850
Location: Tyne & Wear, UK

PostPosted: Wed Jul 16, 2008 2:11 pm    Post subject:

WRT futureview.com.ng, antnet noticed the following;

antnet wrote:
More interesting is the link giving problems at http://www.futureview.com.ng/price_watch.aspx

Code:

HTTP request sent, awaiting response... 200 OK
Length: 30,313,363 [text/html]


About 30 MB! There's no way a web page should be that huge, nor can I download that amount on my connection but I did look at the first 500K bytes.

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
      <title>WebForm1</title>
      <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
      <meta content="Visual Basic .NET 7.1" name="CODE_LANGUAGE">
      <meta content="JavaScript" name="vs_defaultClientScript">
      <meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
      <LINK href="style.css" type="text/css" rel="stylesheet">
      <style type="text/css">.style9 { FONT-WEIGHT: bold; FONT-SIZE: 18px }
      </style>
   </HEAD>
   <body bottomMargin="0" leftMargin="0" topMargin="0" rightMargin="0">
      <form name="Form1" method="post" action="price_watch.aspx" id="Form1">
<input type="hidden" name="__VIEWSTATE" value="dDwyMDA5MzE1MTE2O3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDE ...[snipped]


That base64 "__VIEWSTATE" value which I've snipped appears to go on for ever! Decoded, it looks like this:
Code:

t<2009315116;t<;l<i<1>;>;l<t<;l<i<1>;i<3>;>;l<t<@0<p<p<l<DataMember;DataKeys;_!ItemCount;>;l<price;l<>;i<65535>;>>;>;;;;;;;;>;l<i<0>;i<1>;i<2>;i<3>;i<4>;i<5>;i<6>;i<7>;i<8>;i<9>;i<10>;i<11>; ...[snipped]


At 500K, it's still going strong at:
Code:

i<44192>;i<44193>;i<44194>;i<44195>;i<44196>;i<44197>;i<44198>;

I've no idea what it means or what's at the end of the page.

Proactive Services
Security Expert


Joined: 06 Feb 2006
Last Visit: 24 Jun 2009
Posts: 169
Location: Hampshire, UK

PostPosted: Thu Jul 17, 2008 1:46 am    Post subject:

I'm rather inclined to say that this huge string is in fact some sort of entire product range/catalogue data set. Something that should be in a database! I couldn't see any of the usual exploit code padding or embedded commands in the base64. It's quite possible it can crash a browser due to its sheer poor coding.
_________________
Adam Piggott, Proprietor, Proactive Services (Computing)

Professional, friendly computer support in Hampshire, UK.
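A defender's triage script for the symptom discussed in the last two posts (an ASP.NET 1.1 page whose __VIEWSTATE runs to tens of megabytes), added here as an example and not code from the thread or from any poster. It assumes the legacy LosFormatter text layout seen in MysteryFCM's decode, where integers appear as i<N>, and it constructs its own sample page instead of fetching anything.

```python
import base64
import html
import re
from typing import Optional

# Constructed sample page modelled on the thread's price_watch.aspx excerpt (not the real page):
# a legacy ASP.NET 1.1 form whose __VIEWSTATE holds thousands of serialised row indexes.
_LOS_PREFIX = ("t<2009315116;t<;l<i<1>;>;l<t<;l<i<1>;i<3>;>;l<t<@0<p<p<l<DataMember;"
               "DataKeys;_!ItemCount;>;l<price;l<>;i<65535>;>>;>;;;;;;;;>;l<")
_LOS_STATE = _LOS_PREFIX + ";".join(f"i<{n}>" for n in range(3000)) + ";>;>;>;>;>"
SAMPLE_HTML = (
    '<form name="Form1" method="post" action="price_watch.aspx" id="Form1">\n'
    '<input type="hidden" name="__VIEWSTATE" value="'
    + base64.b64encode(_LOS_STATE.encode()).decode() + '">\n</form>'
)

_VS_RE = re.compile(r'name="__VIEWSTATE"\s+value="([^"]*)"', re.I)

def extract_viewstate(page: str) -> Optional[str]:
    """Pull the __VIEWSTATE field out of the HTML and base64-decode it to LOS text."""
    m = _VS_RE.search(page)
    if not m:
        return None
    raw = html.unescape(m.group(1))
    raw += "=" * (-len(raw) % 4)            # tolerate stripped base64 padding
    try:
        return base64.b64decode(raw).decode("utf-8", "replace")
    except ValueError:                      # binascii.Error is a ValueError
        return None

def summarize_los(decoded: str) -> dict:
    """Cheap triage of LosFormatter text: size, number of i<N> ints, nesting, stray markup."""
    ints = [int(v) for v in re.findall(r"i<(\d+)>", decoded)]
    depth = cur = 0
    for ch in decoded:                      # '<' opens a token, '>' closes it
        cur += 1 if ch == "<" else -1 if ch == ">" else 0
        depth = max(depth, cur)
    return {
        "decoded_len": len(decoded),
        "int_tokens": len(ints),
        "max_int": max(ints, default=0),
        "max_depth": depth,
        # serialised state should never carry script or %u-encoded byte runs
        "has_markup": bool(re.search(r"<script|javascript:|%u[0-9a-f]{4}", decoded, re.I)),
    }

def triage(page: str, max_viewstate_len: int = 1_000_000) -> dict:
    """Flag pages whose ViewState is absurdly large, as with the 30 MB page in the thread."""
    decoded = extract_viewstate(page)
    if decoded is None:
        return {"viewstate": False}
    info = summarize_los(decoded)
    info["viewstate"] = True
    info["oversized"] = info["decoded_len"] > max_viewstate_len
    return info
```

A bloated but markup-free ViewState (oversized set, has_markup clear) points at the catalogue-in-a-hidden-field explanation given above rather than at an exploit payload.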