A fake but good-looking Symantec site, with virus

 
 
Tim Murray
 
      06-26-2004
I got a very poorly worded, all-caps e-mail saying it was Symantec and that I
should promptly go to <http://www.symantec.ar.nu/>. I have a computer that
is both a Mac and sacrificial, so I went to take a look.

On the top of the initial page is a notice in red that "you have a virus",
and to download some .exe file. I downloaded it, tested it, and of course, it
had a virus.

The site is, generally, of utter professionalism ... it looks like they
simply downloaded all of Symantec's real site.

But this is not really the point of the story. The point is that was three
days ago, and I've contacted Symantec three times about it, figuring I'd at
least get a "thanks-for-letting-us-know" reply. But I've received no reply,
and the site is still up (I really thought Symantec would be powerful enough
to get it shut down pronto).

 
Zarggg
 
      06-26-2004
On 26 Jun 04 10:36, Tim Murray wrote:
> I got a very poorly worded, all-caps e-mail saying it was Symantec
> and that I should promptly go to <http://www.symantec.ar.nu/>. I
> have a computer that is both a Mac and sacrificial, so I went to take
> a look.
>
> On the top of the initial page is a notice in red that "you have a
> virus", and to download some .exe file. I downloaded it, tested it,
> and of course, it had a virus.
>
> The site is, generally, of utter professionalism ... it looks like
> they simply downloaded all of Symantec's real site.
>
> But this is not really the point of the story. The point is that was
> three days ago, and I've contacted Symantec three times about it,
> figuring I'd at least get a "thanks-for-letting-us-know" reply. But
> I've received no reply, and the site is still up (I really thought
> Symantec would be powerful enough to get it shut down pronto).


I tried to get some hosting information on the site, but I don't know of
any WHOIS servers that worked with that domain. (I kept getting errors
like "domain not found".)

If you can find out who hosts them (or provides their DNS, if they
self-host), report it to them. They're most likely guilty of copyright
infringement (for the use of Symantec's graphics) among other
intellectual property crimes if they're US-based.
--
Zarggg
KeyID: 0x6425C4ED
<http://www.zarggg.net/>
See <http://www.zarggg.net/contact.html> for contact information.
 
Toast
 
      06-26-2004
On Sat, 26 Jun 2004 16:31:57 +0000, Zarggg wrote:

> I tried to get some hosting information on the site, but I don't know of
> any WHOIS servers that worked with that domain. (I kept getting errors
> like "domain not found".)


Traceroute and some whois queries against this site:
Traceroute:

traceroute www.symantec.ar.nu
traceroute to www.symantec.ar.nu (65.108.204.171), 30 hops max, 38 byte packets
1 10.226.128.1 (10.226.128.1) 28.757 ms 39.635 ms 18.598 ms
2 * * *
3 bur-edge-01.inet.qwest.net (65.112.160.53) 32.082 ms 11.243 ms 22.287 ms
4 bur-core-01.inet.qwest.net (205.171.13.13) 11.756 ms 20.097 ms 33.280 ms
5 iah-core-02.inet.qwest.net (205.171.205.26) 57.420 ms 43.475 ms 42.946 ms
MPLS Label=739785 CoS=3 TTL=1 S=0
6 iah-core-03.inet.qwest.net (205.171.31.42) 45.134 ms 43.044 ms 43.911 ms
MPLS Label=100291 CoS=3 TTL=1 S=0
7 atl-core-01.inet.qwest.net (205.171.8.146) 62.547 ms 62.356 ms 87.278 ms
MPLS Label=233053 CoS=3 TTL=1 S=0
8 atl-core-02.inet.qwest.net (205.171.21.150) 63.001 ms 74.594 ms 61.454 ms
MPLS Label=163358 CoS=3 TTL=1 S=0
9 dca-core-02.inet.qwest.net (205.171.8.154) 79.793 ms 78.566 ms 88.956 ms
MPLS Label=233361 CoS=3 TTL=1 S=0
10 dca-core-01.inet.qwest.net (205.171.9.5) 81.906 ms 100.543 ms 79.149 ms
11 dca-edge-01.inet.qwest.net (205.171.9.22) 77.481 ms 78.920 ms 78.197 ms
12 65.113.64.30 (65.113.64.30) 81.634 ms 128.513 ms 90.741 ms
13 208.49.89.194 (208.49.89.194) 82.035 ms 116.602 ms 80.002 ms
14 dominiosfree.com (65.108.204.171) 80.692 ms 78.990 ms 79.492 ms

(sorry for the leading asterisk - my ISP plays games with internal
traceroutes)

dig results
dig www.symantec.ar.nu

; <<>> DiG 9.2.3 <<>> www.symantec.ar.nu
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36460
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.symantec.ar.nu. IN A

;; ANSWER SECTION:
www.symantec.ar.nu. 86400 IN A 65.108.204.171

;; AUTHORITY SECTION:
ar.nu. 86400 IN NS ns1.10red.net.
ar.nu. 86400 IN NS ns2.10red.net.

;; ADDITIONAL SECTION:
ns1.10red.net. 172800 IN A 65.108.51.150
ns2.10red.net. 172800 IN A 65.108.52.231

;; Query time: 663 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Sat Jun 26 09:36:14 2004
;; MSG SIZE rcvd: 129

And some various whois queries:
whois 10red.net
[Querying whois.internic.net]
[Redirected to whois.directi.com]
[Querying whois.directi.com]
[whois.directi.com]
Registration Service Provided By: IDEAS PARA NUEVOS MERCADOS SL
Contact: (E-Mail Removed)

Domain Name: 10RED.NET

Registrant:
Carlos del Valle
Carlos del Valle ((E-Mail Removed))
c/ emisora 3 calet 35
Pozuelo de Alarcon
Madrid,28224
ES
Tel. +34.917000041

Creation Date: 05-Jul-2001
Expiration Date: 05-Jul-2005

Domain servers in listed order:
ns1.10red.net
ns2.10red.net


Administrative Contact:
Carlos del Valle
Carlos del Valle ((E-Mail Removed))
c/ emisora 3 calet 35
Pozuelo de Alarcon
Madrid,28224
ES
Tel. +34.917000041

Technical Contact:
Carlos del Valle
Carlos del Valle ((E-Mail Removed))
c/ emisora 3 calet 35
Pozuelo de Alarcon
Madrid,28224
ES
Tel. +34.917000041

Billing Contact:
Carlos del Valle
Carlos del Valle ((E-Mail Removed))
c/ emisora 3 calet 35
Pozuelo de Alarcon
Madrid,28224
ES
Tel. +34.917000041

Status:ACTIVE

whois dominiosfree.com
[Querying whois.internic.net]
[Redirected to whois.directi.com]
[Querying whois.directi.com]
[whois.directi.com]
Registration Service Provided By: IDEAS PARA NUEVOS MERCADOS SL
Contact: (E-Mail Removed)

Domain Name: DOMINIOSFREE.COM

Registrant:
Ideas para nuevos mercados,sl
Ideas para nuevos mercados,sl ((E-Mail Removed))
C/ Jose Abascal, 48 1
Madrid
Madrid,28003
ES
Tel. +34.913035764

Creation Date: 09-Jul-2001
Expiration Date: 09-Jul-2005

Domain servers in listed order:
ns1.10red.net


Administrative Contact:
Ideas para nuevos mercados,sl
Ideas para nuevos mercados,sl ((E-Mail Removed))
C/ Jose Abascal, 48 1
Madrid
Madrid,28003
ES
Tel. +34.913035764

Technical Contact:
Ideas para nuevos mercados,sl
Ideas para nuevos mercados,sl ((E-Mail Removed))
C/ Jose Abascal, 48 1
Madrid
Madrid,28003
ES
Tel. +34.913035764

Billing Contact:
Ideas para nuevos mercados,sl
Ideas para nuevos mercados,sl ((E-Mail Removed))
C/ Jose Abascal, 48 1
Madrid
Madrid,28003
ES
Tel. +34.913035764

Status:ACTIVE

whois 208.49.89.194
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Global Crossing
OrgID: GBLX
Address: 14605 South 50th Street
City: Phoenix
StateProv: AZ
PostalCode: 85044-6471
Country: US

ReferralServer: rwhois://rwhois.gblx.net:4321

NetRange: 208.48.224.0 - 208.50.127.255
CIDR: 208.48.224.0/19, 208.49.0.0/16, 208.50.0.0/17
NetName: GBLX-6C
NetHandle: NET-208-48-224-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NAME.ROC.GBLX.NET
NameServer: NAME.PHX.GBLX.NET
NameServer: NAME.SNV.GBLX.NET
NameServer: NAME.JFK1.GBLX.NET
Comment: THESE ADDRESSES ARE NON-PORTABLE
RegDate:
Updated: 2002-10-14

TechHandle: IA12-ORG-ARIN
TechName: GBLX-IPADMIN
TechPhone: +1-800-404-7714
TechEmail: (E-Mail Removed)

OrgAbuseHandle: GBLXA-ARIN
OrgAbuseName: GBLX-Abuse
OrgAbusePhone: +1-800-404-7714
OrgAbuseEmail: (E-Mail Removed)

OrgNOCHandle: GBLXN-ARIN
OrgNOCName: GBLX-NOC
OrgNOCPhone: +1-800-404-7714
OrgNOCEmail: (E-Mail Removed)

OrgTechHandle: IA12-ORG-ARIN
OrgTechName: GBLX-IPADMIN
OrgTechPhone: +1-800-404-7714
OrgTechEmail: (E-Mail Removed)

whois 65.108.204.171
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Alabanza, Inc.
OrgID: ALAB
Address: 10 East Baltimore St., 10th floor
City: Baltimore
StateProv: MD
PostalCode: 21202
Country: US

NetRange: 65.108.0.0 - 65.109.255.255
CIDR: 65.108.0.0/15
NetName: ALABANZA-BALT-5
NetHandle: NET-65-108-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS.ALABANZA.COM
NameServer: NS2.ALABANZA.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-02-09
Updated: 2002-02-26

TechHandle: TC12-ARIN
TechName: Cunningham, Thomas
TechPhone: +1-410-779-1400
TechEmail: (E-Mail Removed)

OrgTechHandle: TECHS24-ARIN
OrgTechName: Tech Support
OrgTechPhone: +1-410-779-1400
OrgTechEmail: (E-Mail Removed)

whois alabanza.com

Alabanza Corp
10 East Baltimore Street
Baltimore, MD 21202
US

Domain Name: ALABANZA.COM

Administrative Contact
V.P. of Web Services: (E-Mail Removed)
Alabanza Corp
10 East Baltimore Street
Baltimore, MD 21202
US
Phone 410-779-1400
Fax 410-735-3417
Technical Contact
Technical Support Dept.: (E-Mail Removed)
Alabanza Corp
10 East Baltimore Street
Baltimore, MD 21202
US
Phone 410-779-1400
Fax 410-735-3417

Record updated date: 2004-04-23 15:49:24
Record created date: 1996-08-18
Record expires on date: 2013-08-17
Database last updated on: 2004-06-26 12:48:33 EST

Domain servers in listed order:

NS.ALABANZA.COM 209.239.47.252
NS2.ALABANZA.COM 209.239.47.201
NS3.ALABANZA.COM 216.226.19.254

Have fun folks

/mde/
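
Added example, not part of the thread: a Python sketch that takes ARIN replies like the two quoted above, confirms the address really falls inside the record's CIDR list, and picks the most suitable contact role for an abuse report. The function names and the role ordering are assumptions made for this illustration; the sample records are excerpts of the output in the post.

```python
import ipaddress
import re

# Excerpts of the ARIN replies quoted in the post above (the forum already
# redacted the e-mail fields, so only handles and phone numbers remain).
ARIN_HOST = """\
OrgName: Alabanza, Inc.
CIDR: 65.108.0.0/15
NetName: ALABANZA-BALT-5
TechHandle: TC12-ARIN
TechPhone: +1-410-779-1400
OrgTechHandle: TECHS24-ARIN
OrgTechPhone: +1-410-779-1400
"""
ARIN_TRANSIT = """\
OrgName: Global Crossing
CIDR: 208.48.224.0/19, 208.49.0.0/16, 208.50.0.0/17
NetName: GBLX-6C
TechHandle: IA12-ORG-ARIN
OrgAbuseHandle: GBLXA-ARIN
OrgAbusePhone: +1-800-404-7714
OrgNOCHandle: GBLXN-ARIN
"""

# Assumed preference: most to least appropriate role for an abuse report.
ROLE_ORDER = ("OrgAbuse", "OrgNOC", "OrgTech", "Tech")

def parse_arin(text):
    """Turn 'Key: value' lines into a dict; empty values are skipped."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m and m.group(2):
            rec.setdefault(m.group(1), m.group(2).strip())
    return rec

def report_target(ip, arin_text):
    """Return (org, netname, role, handle, phone) if the record covers ip, else None."""
    rec = parse_arin(arin_text)
    cidrs = [c.strip() for c in rec.get("CIDR", "").split(",") if c.strip()]
    if not any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs):
        return None  # record does not cover this address: wrong party to report to
    for role in ROLE_ORDER:
        if role + "Handle" in rec:
            return (rec["OrgName"], rec["NetName"], role,
                    rec[role + "Handle"], rec.get(role + "Phone"))
    return (rec["OrgName"], rec["NetName"], None, None, None)

if __name__ == "__main__":
    print(report_target("65.108.204.171", ARIN_HOST))
    print(report_target("208.49.89.194", ARIN_TRANSIT))
```

On these records the hosting block (the final hop, 65.108.204.171) publishes no OrgAbuse entry, so the report falls back to the OrgTech handle, while the upstream hop's record does carry a dedicated abuse handle.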

 
\Crash\ Dummy
 
      06-26-2004
The phony site is reregistered twice behind two name services
www.symantec.ar.nu
http://www.nic.ar/frameset.html
http://www.nunames.nu/
--
Dave "Crash" Dummy - A weapon of mass destruction
(E-Mail Removed)?subject=Techtalk (Do not alter!)
http://lists.gpick.com


 
Bullwinkel J. Moose
 
      06-26-2004
You got no answer because Symantec does not read messages to them. There are
a number of sites which give you a virus for which you need to buy their AV
product.

Beware.

--
Regards,
Werner
(E-Mail Removed)
Remove "Nospam" when e-mailing
"Tim Murray" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) llsouth.net...
> I got a very poorly worded, all-caps e-mail saying it was Symantec and that I
> should promptly go to <http://www.symantec.ar.nu/>. I have a computer that
> is both a Mac and sacrificial, so I went to take a look.
>
> On the top of the initial page is a notice in red that "you have a virus",
> and to download some .exe file. I downloaded it, tested it, and of course, it
> had a virus.
>
> The site is, generally, of utter professionalism ... it looks like they
> simply downloaded all of Symantec's real site.
>
> But this is not really the point of the story. The point is that was three
> days ago, and I've contacted Symantec three times about it, figuring I'd at
> least get a "thanks-for-letting-us-know" reply. But I've received no reply,
> and the site is still up (I really thought Symantec would be powerful enough
> to get it shut down pronto).
>



 
jason
 
      06-27-2004
Hello,

Well I always wondered who wrote antivirus software!
It would make sense for a company knocking out antivirus programs to
introduce mass panic, or the need to keep selling updates.

"Bullwinkel J. Moose" <(E-Mail Removed)> wrote in message
news:dEjDc.7884$(E-Mail Removed)...
> You got no answer because Symantec does not read messages to them. There are
> a number of sites which give you a virus for which you need to buy their AV
> product.
>
> Beware.
>
> --
> Regards,
> Werner
> (E-Mail Removed)
> Remove "Nospam" when e-mailing
> "Tim Murray" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) llsouth.net...
> > I got a very poorly worded, all-caps e-mail saying it was Symantec and that I
> > should promptly go to <http://www.symantec.ar.nu/>. I have a computer that
> > is both a Mac and sacrificial, so I went to take a look.
> >
> > On the top of the initial page is a notice in red that "you have a virus",
> > and to download some .exe file. I downloaded it, tested it, and of course, it
> > had a virus.
> >
> > The site is, generally, of utter professionalism ... it looks like they
> > simply downloaded all of Symantec's real site.
> >
> > But this is not really the point of the story. The point is that was three
> > days ago, and I've contacted Symantec three times about it, figuring I'd at
> > least get a "thanks-for-letting-us-know" reply. But I've received no reply,
> > and the site is still up (I really thought Symantec would be powerful enough
> > to get it shut down pronto).
> >





 
Bill Unruh
 
      06-27-2004
]> "Tim Murray" <(E-Mail Removed)> wrote in message
]> news:(E-Mail Removed) llsouth.net...
]> > I got a very poorly worded, all-caps e-mail saying it was Symantec and that I
]> > should promptly go to <http://www.symantec.ar.nu/>. I have a computer that

That was not actually a Symantec site, nor is the site to which they point
you with the "cleaner".
www.symantec.ar.nu=65.108.204.171

whois 65.108.204.171

OrgName: Alabanza, Inc.
OrgID: ALAB
Address: 10 East Baltimore St., 10th floor
City: Baltimore
StateProv: MD
PostalCode: 21202
Country: US

--------------------
ping www.nikroot.com
PING premium.geo.yahoo.akadns.net (66.218.79.189) 56(84) bytes of data.

]> > is both a Mac and sacrificial, so I went to take a look.
]> >
]> > On the top of the initial page is a notice in red that "you have a virus",
]> > and to download some .exe file. I downloaded it, tested it, and of course, it
]> > had a virus.
]> >
]> > The site is, generally, of utter professionalism ... it looks like they
]> > simply downloaded all of Symantec's real site.
]> >
]> > But this is not really the point of the story. The point is that was three
]> > days ago, and I've contacted Symantec three times about it, figuring I'd at
]> > least get a "thanks-for-letting-us-know" reply. But I've received no reply,
]> > and the site is still up (I really thought Symantec would be powerful enough
]> > to get it shut down pronto).

Yes. It looks like Yahoo is falling down in their responsibility.

]> >
 
Joe-46er
 
      07-04-2004
What? ... Did you really EXPECT Symantec to respond when they don't
even respond to customers' needs?

I truly hope that this company dies and dies soon because of its
pathetic support reputation.


On Sat, 26 Jun 2004 10:36:34 -0400, Tim Murray <(E-Mail Removed)>
wrote:

>I got a very poorly worded, all-caps e-mail saying it was Symantec and that I
>should promptly go to <http://www.symantec.ar.nu/>. I have a computer that
>is both a Mac and sacrificial, so I went to take a look.
>
>On the top of the initial page is a notice in red that "you have a virus",
>and to download some .exe file. I downloaded it, tested it, and of course, it
>had a virus.
>
>The site is, generally, of utter professionalism ... it looks like they
>simply downloaded all of Symantec's real site.
>
>But this is not really the point of the story. The point is that was three
>days ago, and I've contacted Symantec three times about it, figuring I'd at
>least get a "thanks-for-letting-us-know" reply. But I've received no reply,
>and the site is still up (I really thought Symantec would be powerful enough
>to get it shut down pronto).





_________________________________

"Take a little 5FU, leucovorin and oxaliplatin for thy stomach's sake." -- 1 Timothy 5:23 (adapted)
 