Fake VirusTotal Site Ships Malware

Friday, May 27, 2011 @ 11:05 AM gHale

A fake VirusTotal website is distributing malware via a Java-based downloader, said security researchers from antivirus vendor Kaspersky Lab.

VirusTotal, a popular service that allows users to scan files with a large number of antivirus engines, sees use by hundreds of thousands of professionals on a daily basis.

The spoofed site discovered by Kaspersky researchers looks exactly like the real one and prompts users to run a Java applet. Because the applet does not have a valid certificate, users must confirm its execution.

The applet is a Java-based Trojan downloader that installs a piece of malware detected by Kaspersky Lab as Worm.MSIL.Arcdoor.ov.

“The worm is developed to recruit zombies that will be part of a botnet designed primarily to perform DDoS attacks synflood, httpflood, udpflood and icmpflood,” Kaspersky’s Jorge Mieres said.

Control of the botnet comes via a commercial web-based DDoS framework known as N0ise. The bot accepts commands to initiate several types of DDoS attack and reports the hostname of the victim machine, the type and version of its operating system, and the version of the malware itself.

This was not the first time VirusTotal suffered from a malware attack. In February last year, there was a faux VirusTotal site that distributed scareware.

Advice to users: Run an up-to-date antivirus at all times and do not allow unsigned Java applets to execute.
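One way to enforce that last piece of advice on a managed Windows or Linux desktop, added here as an example rather than anything from the original article, is the system-wide Java deployment configuration. The settings below assume a Java 7 Update 10 or later runtime (the `deployment.security.level` property did not exist in the Java 6 releases current when this story ran) and go in the system `deployment.properties` file referenced by `deployment.config`; the exact file paths vary by platform and are left to the reader.

```properties
# Added example (not from the article): refuse to run applets that are
# unsigned or signed with an untrusted/expired certificate.
# VERY_HIGH = only code signed by a non-expired certificate from a trusted
# CA may run; the user is never offered a "Run anyway" prompt.
deployment.security.level=VERY_HIGH

# Lock the setting so users cannot lower it from the Java Control Panel.
deployment.security.level.locked
```

With the level locked at VERY_HIGH, a spoofed page like the one described above simply gets a blocked-application dialog instead of a confirmation prompt, which removes the user decision the attack relies on.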
