A fake but good-looking Symantec site, with virus

Discussion in 'Computer Security' started by Tim Murray, Jun 26, 2004.

  1. Tim Murray

    Tim Murray Guest

    I got a very poorly worded, all-caps e-mail saying it was Symantec and that I
    should promptly go to <http://www.symantec.ar.nu/>. I have a computer that
    is both a Mac and sacrificial, so I went to take a look.

    On the top of the initial page is a notice in red that "you have a virus",
    and do download some .exe file. I downloaded it, tested it, and of course, it
    had a virus.

    The site is, generally, of utter professionalism ... it looks like they
    simply downloaded all of Symantec's real site.

    But this is not really the point of the story. The point is that was three
    days ago, and I've contacted Symantec three times about it, figuring I'd at
    least get a "thanks-for-letting-us-know" reply. But I've received no reply,
    and the site is still up (I really thought Symantec would be powerful enough
    to get it shut down pronto).
     
    Tim Murray, Jun 26, 2004
    #1
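    The lure in this report is a brand name used as a subdomain of an unrelated registrable domain (symantec under ar.nu), which a mail filter or link checker can flag before anyone follows the link. The following Python script is an added example, not code from this thread; its suffix table is a constructed stand-in for the Public Suffix List and its brand inventory is an assumed mapping of one brand to its real domain.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: the suffixes this example knows about.
KNOWN_SUFFIXES = {"com", "net", "org", "nu", "co.uk"}

# Assumed brand inventory: brand keyword -> registrable domains that legitimately use it.
BRAND_DOMAINS = {"symantec": {"symantec.com"}}


def registrable_domain(host):
    """Return the registrable domain (one label below the public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                      # try two-label suffixes (co.uk) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def analyse_url(url):
    """Flag URLs whose hostname carries a protected brand outside that brand's own domain."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    reg_labels = reg.split(".")
    sub_labels = host.split(".")[:-len(reg_labels)]   # labels left of the registrable domain
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue                                   # genuine brand domain, nothing to flag
        if any(brand in label for label in sub_labels):
            findings.append(f"'{brand}' used as a subdomain of unrelated domain {reg}")
        elif brand in reg_labels[0]:
            findings.append(f"'{brand}' embedded in lookalike registrable domain {reg}")
    return {"host": host, "registrable_domain": reg, "findings": findings}


if __name__ == "__main__":
    for u in ("http://www.symantec.ar.nu/", "https://www.symantec.com/", "http://symantec-update.net/"):
        print(u, "->", analyse_url(u)["findings"] or "no finding")
```

    The subdomain case is the one from this thread; the second branch catches the other common pattern, the brand name inside a freshly registered lookalike domain. With a full suffix list loaded in place of the constructed table the same logic applies to any TLD.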

  2. Zarggg

    Zarggg Guest

    On 26 Jun 04 10:36, Tim Murray wrote:
    > I got a very poorly worded, all-caps e-mail saying it was Symantec
    > and that I should promptly go to <http://www.symantec.ar.nu/>. I
    > have a computer that is both a Mac and sacrificial, so I went to take
    > a look.
    >
    > On the top of the initial page is a notice in red that "you have a
    > virus", and do download some .exe file. I downloaded it, tested it,
    > and of course, it had a virus.
    >
    > The site is, generally, of utter professionalism ... it looks like
    > they simply downloaded all of Symantec's real site.
    >
    > But this is not really the point of the story. The point is that was
    > three days ago, and I've contacted Symantec three times about it,
    > figuring I'd at least get a "thanks-for-letting-us-know" reply. But
    > I've received no reply, and the site is still up (I really thought
    > Symantec would be powerful enough to get it shut down pronto).


    I tried to get some hosting information on the site, but I don't know of
    any WHOIS servers that worked with that domain. (I kept getting errors
    like "domain not found".)

    If you can find out who hosts them (or provides their DNS, if they
    self-host), report it to them. They're most likely guilty of copyright
    infringement (for the use of Symantec's graphics) among other
    intellectual property crimes if they're US-based.
    --
    Zarggg
    KeyID: 0x6425C4ED
    <http://www.zarggg.net/>
    See <http://www.zarggg.net/contact.html> for contact information.
     
    Zarggg, Jun 26, 2004
    #2

  3. Toast

    Toast Guest

    On Sat, 26 Jun 2004 16:31:57 +0000, Zarggg wrote:

    > I tried to get some hosting information on the site, but I don't know of
    > any WHOIS servers that worked with that domain. (I kept getting errors
    > like "domain not found".)


    Traceroute and some whois queries against this site:
    Traceroute:

    traceroute www.symantec.ar.nu
    traceroute to www.symantec.ar.nu (65.108.204.171), 30 hops max, 38 byte packets
    1 10.226.128.1 (10.226.128.1) 28.757 ms 39.635 ms 18.598 ms
    2 * * *
    3 bur-edge-01.inet.qwest.net (65.112.160.53) 32.082 ms 11.243 ms 22.287 ms
    4 bur-core-01.inet.qwest.net (205.171.13.13) 11.756 ms 20.097 ms 33.280 ms
    5 iah-core-02.inet.qwest.net (205.171.205.26) 57.420 ms 43.475 ms 42.946 ms
    MPLS Label=739785 CoS=3 TTL=1 S=0
    6 iah-core-03.inet.qwest.net (205.171.31.42) 45.134 ms 43.044 ms 43.911 ms
    MPLS Label=100291 CoS=3 TTL=1 S=0
    7 atl-core-01.inet.qwest.net (205.171.8.146) 62.547 ms 62.356 ms 87.278 ms
    MPLS Label=233053 CoS=3 TTL=1 S=0
    8 atl-core-02.inet.qwest.net (205.171.21.150) 63.001 ms 74.594 ms 61.454 ms
    MPLS Label=163358 CoS=3 TTL=1 S=0
    9 dca-core-02.inet.qwest.net (205.171.8.154) 79.793 ms 78.566 ms 88.956 ms
    MPLS Label=233361 CoS=3 TTL=1 S=0
    10 dca-core-01.inet.qwest.net (205.171.9.5) 81.906 ms 100.543 ms 79.149 ms
    11 dca-edge-01.inet.qwest.net (205.171.9.22) 77.481 ms 78.920 ms 78.197 ms
    12 65.113.64.30 (65.113.64.30) 81.634 ms 128.513 ms 90.741 ms
    13 208.49.89.194 (208.49.89.194) 82.035 ms 116.602 ms 80.002 ms
    14 dominiosfree.com (65.108.204.171) 80.692 ms 78.990 ms 79.492 ms

    (sorry for the leading asterisk - my ISP plays games with internal
    traceroutes)

    dig results
    dig www.symantec.ar.nu

    ; <<>> DiG 9.2.3 <<>> www.symantec.ar.nu
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36460
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.symantec.ar.nu. IN A

    ;; ANSWER SECTION:
    www.symantec.ar.nu. 86400 IN A 65.108.204.171

    ;; AUTHORITY SECTION:
    ar.nu. 86400 IN NS ns1.10red.net.
    ar.nu. 86400 IN NS ns2.10red.net.

    ;; ADDITIONAL SECTION:
    ns1.10red.net. 172800 IN A 65.108.51.150
    ns2.10red.net. 172800 IN A 65.108.52.231

    ;; Query time: 663 msec
    ;; SERVER: 127.0.0.1#53(0.0.0.0)
    ;; WHEN: Sat Jun 26 09:36:14 2004
    ;; MSG SIZE rcvd: 129

    And various whois queries:
    whois 10red.net
    [Querying whois.internic.net]
    [Redirected to whois.directi.com]
    [Querying whois.directi.com]
    [whois.directi.com]
    Registration Service Provided By: IDEAS PARA NUEVOS MERCADOS SL
    Contact:

    Domain Name: 10RED.NET

    Registrant:
    Carlos del Valle
    Carlos del Valle ()
    c/ emisora 3 calet 35
    Pozuelo de Alarcon
    Madrid,28224
    ES
    Tel. +34.917000041

    Creation Date: 05-Jul-2001
    Expiration Date: 05-Jul-2005

    Domain servers in listed order:
    ns1.10red.net
    ns2.10red.net


    Administrative Contact:
    Carlos del Valle
    Carlos del Valle ()
    c/ emisora 3 calet 35
    Pozuelo de Alarcon
    Madrid,28224
    ES
    Tel. +34.917000041

    Technical Contact:
    Carlos del Valle
    Carlos del Valle ()
    c/ emisora 3 calet 35
    Pozuelo de Alarcon
    Madrid,28224
    ES
    Tel. +34.917000041

    Billing Contact:
    Carlos del Valle
    Carlos del Valle ()
    c/ emisora 3 calet 35
    Pozuelo de Alarcon
    Madrid,28224
    ES
    Tel. +34.917000041

    Status:ACTIVE

    whois dominiosfree.com
    [Querying whois.internic.net]
    [Redirected to whois.directi.com]
    [Querying whois.directi.com]
    [whois.directi.com]
    Registration Service Provided By: IDEAS PARA NUEVOS MERCADOS SL
    Contact:

    Domain Name: DOMINIOSFREE.COM

    Registrant:
    Ideas para nuevos mercados,sl
    Ideas para nuevos mercados,sl ()
    C/ Jose Abascal, 48 1
    Madrid
    Madrid,28003
    ES
    Tel. +34.913035764

    Creation Date: 09-Jul-2001
    Expiration Date: 09-Jul-2005

    Domain servers in listed order:
    ns1.10red.net


    Administrative Contact:
    Ideas para nuevos mercados,sl
    Ideas para nuevos mercados,sl ()
    C/ Jose Abascal, 48 1
    Madrid
    Madrid,28003
    ES
    Tel. +34.913035764

    Technical Contact:
    Ideas para nuevos mercados,sl
    Ideas para nuevos mercados,sl ()
    C/ Jose Abascal, 48 1
    Madrid
    Madrid,28003
    ES
    Tel. +34.913035764

    Billing Contact:
    Ideas para nuevos mercados,sl
    Ideas para nuevos mercados,sl ()
    C/ Jose Abascal, 48 1
    Madrid
    Madrid,28003
    ES
    Tel. +34.913035764

    Status:ACTIVE

    whois 208.49.89.194
    [Querying whois.arin.net]
    [whois.arin.net]

    OrgName: Global Crossing
    OrgID: GBLX
    Address: 14605 South 50th Street
    City: Phoenix
    StateProv: AZ
    PostalCode: 85044-6471
    Country: US

    ReferralServer: rwhois://rwhois.gblx.net:4321

    NetRange: 208.48.224.0 - 208.50.127.255
    CIDR: 208.48.224.0/19, 208.49.0.0/16, 208.50.0.0/17
    NetName: GBLX-6C
    NetHandle: NET-208-48-224-0-1
    Parent: NET-208-0-0-0-0
    NetType: Direct Allocation
    NameServer: NAME.ROC.GBLX.NET
    NameServer: NAME.PHX.GBLX.NET
    NameServer: NAME.SNV.GBLX.NET
    NameServer: NAME.JFK1.GBLX.NET
    Comment: THESE ADDRESSES ARE NON-PORTABLE
    RegDate:
    Updated: 2002-10-14

    TechHandle: IA12-ORG-ARIN
    TechName: GBLX-IPADMIN
    TechPhone: +1-800-404-7714
    TechEmail:

    OrgAbuseHandle: GBLXA-ARIN
    OrgAbuseName: GBLX-Abuse
    OrgAbusePhone: +1-800-404-7714
    OrgAbuseEmail:

    OrgNOCHandle: GBLXN-ARIN
    OrgNOCName: GBLX-NOC
    OrgNOCPhone: +1-800-404-7714
    OrgNOCEmail:

    OrgTechHandle: IA12-ORG-ARIN
    OrgTechName: GBLX-IPADMIN
    OrgTechPhone: +1-800-404-7714
    OrgTechEmail:

    whois 65.108.204.171
    [Querying whois.arin.net]
    [whois.arin.net]

    OrgName: Alabanza, Inc.
    OrgID: ALAB
    Address: 10 East Baltimore St., 10th floor
    City: Baltimore
    StateProv: MD
    PostalCode: 21202
    Country: US

    NetRange: 65.108.0.0 - 65.109.255.255
    CIDR: 65.108.0.0/15
    NetName: ALABANZA-BALT-5
    NetHandle: NET-65-108-0-0-1
    Parent: NET-65-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS.ALABANZA.COM
    NameServer: NS2.ALABANZA.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2001-02-09
    Updated: 2002-02-26

    TechHandle: TC12-ARIN
    TechName: Cunningham, Thomas
    TechPhone: +1-410-779-1400
    TechEmail:

    OrgTechHandle: TECHS24-ARIN
    OrgTechName: Tech Support
    OrgTechPhone: +1-410-779-1400
    OrgTechEmail:

    whois alabanza.com

    Alabanza Corp
    10 East Baltimore Street
    Baltimore, MD 21202
    US

    Domain Name: ALABANZA.COM

    Administrative Contact
    V.P. of Web Services:
    Alabanza Corp
    10 East Baltimore Street
    Baltimore, MD 21202
    US
    Phone 410-779-1400
    Fax 410-735-3417
    Technical Contact
    Technical Support Dept.:
    Alabanza Corp
    10 East Baltimore Street
    Baltimore, MD 21202
    US
    Phone 410-779-1400
    Fax 410-735-3417

    Record updated date: 2004-04-23 15:49:24
    Record created date: 1996-08-18
    Record expires on date: 2013-08-17
    Database last updated on: 2004-06-26 12:48:33 EST

    Domain servers in listed order:

    NS.ALABANZA.COM 209.239.47.252
    NS2.ALABANZA.COM 209.239.47.201
    NS3.ALABANZA.COM 216.226.19.254

    Have fun folks

    /mde/
     
    Toast, Jun 26, 2004
    #3
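    Zarggg's WHOIS lookups on the full name failed, and the dig output above shows why: the name is not a registration of its own but a record inside the ar.nu zone, which is delegated to ns1/ns2.10red.net. So the two parties who can act on a report are the network owner of the A record's address and the operator of the delegating zone. The following Python script is an added example, not code from this thread; it parses trimmed copies of the dig and ARIN whois output posted above and works out those two reporting targets, falling back to the technical contact when the record carries no dedicated abuse contact (as the Alabanza record here does).

```python
import re

# Sample inputs: the dig answer and ARIN whois record as posted in this thread,
# trimmed to the lines the parsers need.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;www.symantec.ar.nu. IN A

;; ANSWER SECTION:
www.symantec.ar.nu. 86400 IN A 65.108.204.171

;; AUTHORITY SECTION:
ar.nu. 86400 IN NS ns1.10red.net.
ar.nu. 86400 IN NS ns2.10red.net.

;; ADDITIONAL SECTION:
ns1.10red.net. 172800 IN A 65.108.51.150
ns2.10red.net. 172800 IN A 65.108.52.231
"""

ARIN_WHOIS = """\
OrgName: Alabanza, Inc.
OrgID: ALAB
Country: US

NetRange: 65.108.0.0 - 65.109.255.255
CIDR: 65.108.0.0/15
NameServer: NS.ALABANZA.COM
NameServer: NS2.ALABANZA.COM

TechHandle: TC12-ARIN
TechPhone: +1-410-779-1400
TechEmail:

OrgTechHandle: TECHS24-ARIN
OrgTechPhone: +1-410-779-1400
OrgTechEmail:
"""


def parse_dig(text):
    """Return {section: [(owner, rtype, rdata), ...]} for the answer/authority/additional sections."""
    records, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes the current section
            section = None
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1).lower()
            continue
        if line.startswith(";") or section is None:   # comments and the question line
            continue
        parts = line.split()
        if len(parts) >= 5:               # owner ttl class type rdata
            records.setdefault(section, []).append(
                (parts[0].rstrip("."), parts[3], parts[4].rstrip(".")))
    return records


def parse_whois(text):
    """Turn 'Key: value' whois lines into a dict; repeated keys (NameServer) become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in fields:
            previous = fields[key] if isinstance(fields[key], list) else [fields[key]]
            fields[key] = previous + [value]
        else:
            fields[key] = value
    return fields


def reporting_targets(dig_text, ip_whois_text):
    """Identify who to send an abuse report to: the host's network owner and the
    operator of the DNS zone that delegates the name."""
    dns = parse_dig(dig_text)
    who = parse_whois(ip_whois_text)
    a_records = [r for r in dns.get("answer", []) if r[1] == "A"]
    ns_records = [r for r in dns.get("authority", []) if r[1] == "NS"]
    # Prefer a dedicated abuse contact; fall back to the org technical contact.
    abuse = (who.get("OrgAbuseEmail") or who.get("OrgAbusePhone")
             or who.get("OrgTechEmail") or who.get("OrgTechPhone") or "")
    return {
        "host_ips": [r[2] for r in a_records],
        "network_owner": who.get("OrgName", ""),
        "net_range": who.get("NetRange", ""),
        "abuse_contact": abuse,
        "dns_zone": ns_records[0][0] if ns_records else "",
        "dns_providers": sorted({".".join(r[2].split(".")[-2:]) for r in ns_records}),
    }


if __name__ == "__main__":
    for key, value in reporting_targets(DIG_OUTPUT, ARIN_WHOIS).items():
        print(f"{key}: {value}")
```

    The dns_zone field is what a WHOIS client needs: querying the delegated zone (ar.nu) or the nameserver operator's domain (10red.net, which Toast did above) succeeds where a query for the full hostname returns "domain not found".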
  4. \Crash\ Dummy, Jun 26, 2004
    #4
  5. Bullwinkel J. Moose

    Bullwinkel J. Moose Guest

    You got no answer because Symantec does not read messages to them. There are
    a number of sites which give you a virus for which you need to buy their AV
    product.

    Beware.

    --
    Regards,
    Werner

    Remove "Nospam" when e-mailing
    "Tim Murray" <> wrote in message
    news:...
    > I got a very poorly worded, all-caps e-mail saying it was Symantec and
    > that I should promptly go to <http://www.symantec.ar.nu/>. I have a computer
    > that is both a Mac and sacrificial, so I went to take a look.
    >
    > On the top of the initial page is a notice in red that "you have a virus",
    > and do download some .exe file. I downloaded it, tested it, and of course,
    > it had a virus.
    >
    > The site is, generally, of utter professionalism ... it looks like they
    > simply downloaded all of Symantec's real site.
    >
    > But this is not really the point of the story. The point is that was
    > three days ago, and I've contacted Symantec three times about it, figuring I'd at
    > least get a "thanks-for-letting-us-know" reply. But I've received no
    > reply, and the site is still up (I really thought Symantec would be powerful
    > enough to get it shut down pronto).
    >
     
    Bullwinkel J. Moose, Jun 26, 2004
    #5
  6. jason

    jason Guest

    Hello,

    Well I always wondered who wrote antivirus software!
    It would make sense for a company knocking out antivirus programs to
    introduce mass panic, or the need to keep selling updates.

    "Bullwinkel J. Moose" <> wrote in message
    news:dEjDc.7884$...
    > You got no answer because symantec does not read messages to them. There
    > are a number of sites which give you a virus for which you need to buy their
    > AV product.
    >
    > Beware.
    >
    > --
    > Regards,
    > Werner
    >
    > Remove "Nospam" when e-mailing
    > "Tim Murray" <> wrote in message
    > news:...
    > > I got a very poorly worded, all-caps e-mail saying it was Symantec and
    > > that I should promptly go to <http://www.symantec.ar.nu/>. I have a computer
    > > that is both a Mac and sacrificial, so I went to take a look.
    > >
    > > On the top of the initial page is a notice in red that "you have a
    > > virus", and do download some .exe file. I downloaded it, tested it, and of
    > > course, it had a virus.
    > >
    > > The site is, generally, of utter professionalism ... it looks like they
    > > simply downloaded all of Symantec's real site.
    > >
    > > But this is not really the point of the story. The point is that was
    > > three days ago, and I've contacted Symantec three times about it, figuring I'd
    > > at least get a "thanks-for-letting-us-know" reply. But I've received no
    > > reply, and the site is still up (I really thought Symantec would be powerful
    > > enough to get it shut down pronto).
    > >
    >
    >

    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.711 / Virus Database: 467 - Release Date: 25/06/2004
     
    jason, Jun 27, 2004
    #6
  7. Bill Unruh

    Bill Unruh Guest

    ]> "Tim Murray" <> wrote in message
    ]> news:...
    ]> > I got a very poorly worded, all-caps e-mail saying it was Symantec and
    ]> > that I should promptly go to <http://www.symantec.ar.nu/>. I have a computer
    ]> > that

    That was not actually a Symantec site, nor is the site to which they point
    you with the "cleaner".
    www.symantec.ar.nu=65.108.204.171

    whois 65.108.204.171

    OrgName: Alabanza, Inc.
    OrgID: ALAB
    Address: 10 East Baltimore St., 10th floor
    City: Baltimore
    StateProv: MD
    PostalCode: 21202
    Country: US

    --------------------
    ping www.nikroot.com
    PING premium.geo.yahoo.akadns.net (66.218.79.189) 56(84) bytes of data.

    ]> > is both a Mac and sacrificial, so I went to take a look.
    ]> >
    ]> > On the top of the initial page is a notice in red that "you have a
    ]> > virus", and do download some .exe file. I downloaded it, tested it, and of
    ]> > course, it had a virus.
    ]> >
    ]> > The site is, generally, of utter professionalism ... it looks like they
    ]> > simply downloaded all of Symantec's real site.
    ]> >
    ]> > But this is not really the point of the story. The point is that was
    ]> > three days ago, and I've contacted Symantec three times about it, figuring I'd
    ]> > at least get a "thanks-for-letting-us-know" reply. But I've received no
    ]> > reply, and the site is still up (I really thought Symantec would be powerful
    ]> > enough to get it shut down pronto).

    Yes. It looks like Yahoo is falling down in their responsibility.

    ]> >
     
    Bill Unruh, Jun 27, 2004
    #7
  8. Joe-46er

    Joe-46er Guest

    What? ... Did you really EXPECT Symantec to respond when they don't
    even respond to customers' needs?

    I truly hope that this company dies and dies soon because of its
    pathetic support reputation.


    On Sat, 26 Jun 2004 10:36:34 -0400, Tim Murray <>
    wrote:

    >I got a very poorly worded, all-caps e-mail saying it was Symantec and that I
    >should promptly go to <http://www.symantec.ar.nu/>. I have a computer that
    >is both a Mac and sacrificial, so I went to take a look.
    >
    >On the top of the initial page is a notice in red that "you have a virus",
    >and do download some .exe file. I downloaded it, tested it, and of course, it
    >had a virus.
    >
    >The site is, generally, of utter professionalism ... it looks like they
    >simply downloaded all of Symantec's real site.
    >
    >But this is not really the point of the story. The point is that was three
    >days ago, and I've contacted Symantec three times about it, figuring I'd at
    >least get a "thanks-for-letting-us-know" reply. But I've received no reply,
    >and the site is still up (I really thought Symantec would be powerful enough
    >to get it shut down pronto).

    _________________________________

    "Take a little 5FU, leucovorin and oxaliplatin for thy stomach's sake." -- 1 Timothy 5:23 (adapted)
     
    Joe-46er, Jul 4, 2004
    #8
