Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
cppgenius Newbie
Joined: 12 Jul 2008 Last Visit: 17 Jul 2008 Posts: 3
Posted: Sat Jul 12, 2008 1:57 pm Post subject: Suspicious Website
Hi there. I've been doing some research on a loan scam involving the name of a company called Future View Financial Services. Now the e-mail did not come from this company but from someone posing as a representative of this company.
I did a Google search for "Future View Financial Services" and found a website for this company. Once I visited the website, I could not visit any other website anymore, not in Firefox, not in Opera nor IE, so something went wrong on my system globally, it was not just the browser. I restarted my PC and everything was back to normal. I cannot find any visible signs of an infection and everything running on my system is legitimate, there are no suspicious processes running in my system's memory. I'm not saying this site is malicious, and the problem could be related to the flash content on the site, but I want someone else to check it out for me if possible, please.
Website in question is: www[dot]futureview[dot]com[dot]ng
The fact that the website messes up my whole system worries me. I'm running an Apache server, with PHP and MySQL on my PC, so perhaps the site is causing some kind of irrecoverable clash with the server and a restart solves the problem, I don't know.
I know all the ins and outs of my system and have solid experience with malware and malware removal, so I find it very frustrating not being able to determine the reason for this crash/corruption. Any help would be appreciated very much. Thanks.
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 17 May 2013 Posts: 10271 Location: sunny California
Posted: Sun Jul 13, 2008 3:32 pm
Were you running a firewall that would have logs, or a packet sniffer on the machine, by chance? That might give a clue.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
cppgenius Newbie
Joined: 12 Jul 2008 Last Visit: 17 Jul 2008 Posts: 3
Posted: Tue Jul 15, 2008 9:05 am
The firewall log reports nothing strange and the packet log shows nothing from the IP 69.80.208.224.
However I have tracked down the problem to this specific file:
http://www[dot]futureview[dot]com[dot]ng/price_watch.aspx
At the moment it seems like a problem with my security software and I'm confirming the details with the vendor. Will post the details as soon as I have received confirmation from them.
Even if it is only a software related problem on my PC, a couple of things still do not match up about the site:
They've been accused of self-promotion on Wikipedia:
http://en.wikipedia.org/wiki/FutureView_Financial_Services_Limited
Their anchor text of the homepage link on Wikipedia (at the bottom of the gray box on the right-hand side) is www.future.com.ng, but the underlying link still goes to futureview[dot]com. So much for branding your domain. However this could possibly be just a typo.
As you pointed out, the SSL Cert looks very funny indeed. The Registry Data is missing in Domaintools.com and DNS Stuff reports Nigeria has no WHOIS or Web Based Whois.
The following site gives more info about the domain
http://www.nigeriancomputersociety.com/domainregistration/whois.nigeria.php
but I can't find a single WHOIS service giving me the Creation date of this domain. Any suggestions?
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 17 May 2013 Posts: 10271 Location: sunny California
Posted: Tue Jul 15, 2008 9:13 am
You might try here:
http://www.uwhois.com/domains.html
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
MysteryFCM Malware Expert

Joined: 28 Aug 2004 Last Visit: 01 Mar 2013 Posts: 841 Location: Tyne & Wear, UK
Posted: Tue Jul 15, 2008 12:30 pm
They seem to be having problems (deliberate?) with their WhoIs server. It's not connecting either on the normal WhoIs port, or via HTTP;
http://pgebrehiwot.iat.cnr.it/
Ref:
http://www.rwgusa.net/whois-ng.php
http://www.iana.org/domains/root/db/ng.html
Querying their alternate WhoIs server doesn't inspire confidence either as it seems to return WhoIs details for all domains they hold?
http://hosts-file.net/?s=futureview%2Ecom%2Eng
... and none of the records returned include the one you mentioned.
Querying their alternate server via their own web interface however, is a different story. Again, whether this is deliberate or not is debatable (I don't trust Nigerians as a matter of course), but;
Code:
Whois Server Version 1.0 - Search Nigerian Domains
NiRA makes this information available "as is" and does not guarantee its accuracy
++ futureview.com.ng ++
Organization: Future View Securities Ltd
Description: Financial Security Organisation
Address: 39 Ademola Street, SW Ikoyi
Address: P.M.B 40037 Falomo, Ikoyi
Postal: 101442
City: Lagos
Country: Nigeria
Administrative Contact:
Handle: DR0-NIRA
Person: Domain Registrar (protected) (registrar@register.net.ng)
Organization: Registrar Protected
Address: c/o NITDA 28 Portharcourt Cresent
Address: Off Gimbiya Street
Postal Code: 90001
City: Abuja
Phone: 09-
Technical Contact:
Handle: TA5-NIRA
Person: Tunde Ajayi (tunde@pinet.com.ng)
Organization: Pinet Informatics Limited
Address: 5th Floor, Buffalo House
Address: 2 Allen Avenue
Postal Code: 101004
City: Ikeja
Phone: 234-1-4707355
Record updated on 2008-01-29 09:55:49
Zone updated on 0000-00-00 00:00:00
Domain servers in listed order:
ns.nshosts.com 209.163.250.154
ns2.nshosts.com 216.58.174.151
Domain is Active
Found 1 Record(s)
Since the "Zone updated" date is invalid, one must assume that the "Record updated" is actually the creation date as that is suspiciously missing.
/edit
Forgot to mention, their alternate server is;
HTTP interface: db.register.net.ng/index.php
WhoIs: whois.register.net.ng
/edit 2
Cached in case they correct it:
http://hosts-file.net/misc/pgNigerian_WhoIs_Issues.html
_________________
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
cppgenius Newbie
Joined: 12 Jul 2008 Last Visit: 17 Jul 2008 Posts: 3
Posted: Wed Jul 16, 2008 9:47 am
Thanks Suzi, I have to bookmark that one!
Thanks for the info MysteryFCM, you certainly know your way around when it comes to domain name lookups.
Quote:
Again, whether this is deliberate or not is debatable (I don't trust Nigerians as a matter of course)
That makes two of us.
Quote:
Since the "Zone updated" date is invalid, one must assume that the "Record updated" is actually the creation date as that is suspiciously missing.
Even the "Record updated" date is useless; all .ng domains have this date: 2008-01-29 09:55:49
For instance I did a lookup for google.com.ng and found this:
Code:
Whois Server Version 1.0 - Search Nigerian Domains
NiRA makes this information available "as is" and does not guarantee its accuracy
++ google.com.ng ++
Organization: Google Inc
Description:
Address: 1600 Amphitheatre Parkway
Postal: 94043
City: Mountain View, CA
Country: United States
Administrative Contact:
Handle: BO7-NIRA
Person: Bolanle Olowu (dns-admin@google.com)
Organization: Adepetun, Caxton-Martins, Agbor &
Address: 9th Floor, St Nicholas House
Address: Catholic Mission Street
Postal Code:
City: Lagos
Phone: +234-1-263 7178
Technical Contact:
Handle: KP1-NIRA
Person: Kevin Pearl (ccops@markmonitor.com)
Organization: MarkMonitor
Address: PMB 155
Address: 10400 Overland Road
Postal Code: 83709
City: Boise, Idaho
Phone: +1.2083895740
Record updated on 2008-01-29 09:55:49
Zone updated on 0000-00-00 00:00:00
Domain servers in listed order:
ns1.google.com 216.239.32.10
ns2.google.com 216.239.34.10
Domain is Active
Found 1 Record(s)
All the domains listed here have the same "Record updated" date: http://hosts-file.net/misc/pgNigerian_WhoIs_Issues.html
Pretty useless Registry Database if you ask me.
Rhetorical Question: Why do you want to hide a crucial piece of information like the Creation Date of a domain?
Has anyone actually tried to open this site?
MysteryFCM Malware Expert

Joined: 28 Aug 2004 Last Visit: 01 Mar 2013 Posts: 841 Location: Tyne & Wear, UK
Posted: Wed Jul 16, 2008 12:44 pm
I've got a sneaky suspicion that their WI server's behaviour may be deliberate .... but I always was the suspicious type
_________________
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
MysteryFCM Malware Expert

Joined: 28 Aug 2004 Last Visit: 01 Mar 2013 Posts: 841 Location: Tyne & Wear, UK
Posted: Wed Jul 16, 2008 2:11 pm
WRT futureview.com.ng, antnet noticed the following;
antnet wrote:
More interesting is the link giving problems at http://www.futureview.com.ng/price_watch.aspx
Code:
HTTP request sent, awaiting response... 200 OK
Length: 30,313,363 [text/html]
About 30 MB! There's no way a web page should be that huge, nor can I download that amount on my connection but I did look at the first 500K bytes.
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<title>WebForm1</title>
<meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
<meta content="Visual Basic .NET 7.1" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
<meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
<LINK href="style.css" type="text/css" rel="stylesheet">
<style type="text/css">.style9 { FONT-WEIGHT: bold; FONT-SIZE: 18px }
</style>
</HEAD>
<body bottomMargin="0" leftMargin="0" topMargin="0" rightMargin="0">
<form name="Form1" method="post" action="price_watch.aspx" id="Form1">
<input type="hidden" name="__VIEWSTATE" value="dDwyMDA5MzE1MTE2O3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDE ...[snipped]
That base64 "__VIEWSTATE" value which I've snipped appears to go on for ever! Decoded, it looks like this:
Code:
t<2009315116;t<;l<i<1>;>;l<t<;l<i<1>;i<3>;>;l<t<@0<p<p<l<DataMember;DataKeys;_!ItemCount;>;l<price;l<>;i<65535>;>>;>;;;;;;;;>;l<i<0>;i<1>;i<2>;i<3>;i<4>;i<5>;i<6>;i<7>;i<8>;i<9>;i<10>;i<11>; ...[snipped]
At 500K, it's still going strong at:
Code:
i<44192>;i<44193>;i<44194>;i<44195>;i<44196>;i<44197>;i<44198>;
I've no idea what it means or what's at the end of the page.
_________________
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
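As an added example (not from the thread, antnet's capture or the site), a small Python triage helper that does what the post above does by hand: it pulls __VIEWSTATE out of the form, base64-decodes it (re-padding a truncated capture), identifies the serializer from the leading bytes (the plaintext .NET 1.x LosFormatter output starts with `t<`), counts the `i<N>` DataGrid item entries and the longest consecutive run of them, and flags a ViewState that is oversized on its own. The HTML and ViewState it runs on are constructed to mirror the shape shown in the thread; the 64 KB threshold is an assumed sanity limit.

```python
import base64
import re

# Constructed sample, not captured from the site: a .NET 1.x LosFormatter
# ViewState shaped like the one in the thread (a Triplet "t<...>" whose DataGrid
# state ends in a long run of item indexes "i<N>;"), inside the page's form markup.
_LOS_TEXT = (
    "t<2009315116;t<;l<i<1>;>;l<t<;l<i<1>;i<3>;>;"
    "l<t<@0<p<p<l<DataMember;DataKeys;_!ItemCount;>;l<price;l<>;i<65535>;>>;>;;;;;;;;>;"
    "l<" + "".join(f"i<{n}>;" for n in range(300)) + ">;>;>;>;>"
)
SAMPLE_HTML = (
    '<form name="Form1" method="post" action="price_watch.aspx" id="Form1">\n'
    '<input type="hidden" name="__VIEWSTATE" value="'
    + base64.b64encode(_LOS_TEXT.encode("ascii")).decode("ascii") + '">\n</form>'
)
_VIEWSTATE_RE = re.compile(r'name="__VIEWSTATE"[^>]*?value="([A-Za-z0-9+/=]*)"')
_ITEM_RE = re.compile(rb"i<(\d+)>")


def extract_viewstate(html: str):
    """Return the base64 __VIEWSTATE value from a page, or None if absent."""
    m = _VIEWSTATE_RE.search(html)
    return m.group(1) if m else None


def decode_viewstate(b64: str) -> bytes:
    """Base64-decode a ViewState, re-padding a truncated capture like the thread's."""
    b64 = b64.strip()
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def longest_consecutive_run(indexes: list) -> int:
    """Longest stretch of indexes increasing by exactly one (a DataGrid's rows)."""
    best = run = 1 if indexes else 0
    for prev, cur in zip(indexes, indexes[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def summarize_viewstate(b64: str, size_limit: int = 64 * 1024) -> dict:
    """Triage: which serializer wrote it, how much is repeated grid state, and
    whether the decoded blob alone exceeds a sane size (the thread's was ~30 MB)."""
    raw = decode_viewstate(b64)
    if raw.startswith(b"t<"):
        fmt = "LosFormatter (ASP.NET 1.x, plaintext)"
    elif raw[:2] == b"\xff\x01":
        fmt = "ObjectStateFormatter (ASP.NET 2.0+, binary)"
    else:
        fmt = "unknown (encrypted, compressed or not ViewState)"
    indexes = [int(m) for m in _ITEM_RE.findall(raw)]
    return {"format": fmt, "decoded_bytes": len(raw), "item_entries": len(indexes),
            "longest_run": longest_consecutive_run(indexes), "oversized": len(raw) > size_limit}
```

A ViewState that is all plaintext LosFormatter with one long run of row indexes is serialized grid data, not an exploit payload; its risk is the size itself, which is what the oversized flag reports.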
Proactive Services Security Expert

Joined: 06 Feb 2006 Last Visit: 24 Jun 2009 Posts: 169 Location: Hampshire, UK
Posted: Thu Jul 17, 2008 1:46 am
I'm rather inclined to say that this huge string is in fact some sort of entire product range/catalogue data set. Something that should be in a database! I couldn't see any of the usual exploit code padding or embedded commands in the base64. It's quite possible it can crash a browser due to its sheer poor coding.
_________________
Adam Piggott, Proprietor, Proactive Services (Computing)
Professional, friendly computer support in Hampshire, UK.
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group