May 25, 2011 18:48 GMT

Security researchers from antivirus vendor Kaspersky Lab have come across a fake VirusTotal website that is being used to distribute malware via a Java-based downloader.

VirusTotal is a popular service that allows users to scan files with a large number of antivirus engines. The site is used by hundreds of thousands of professionals and regular users on a daily basis.

VirusTotal is a powerful brand name because even people who never personally used the service are likely to have seen it mentioned in security news articles, on forums, blogs, etc.

The spoofed site discovered by Kaspersky researchers looks exactly like the real one and prompts users to run a Java applet.

Because the applet is not signed with a valid certificate, users are asked to confirm its execution, although, based on similar attacks in the past, this doesn't make much of a difference.

The applet is actually a Java-based trojan downloader that distributes a piece of malware detected by Kaspersky Lab as Worm.MSIL.Arcdoor.ov.

"The worm is developed to recruit zombies that will be part of a botnet designed primarily to perform DDoS attacks: synflood, httpflood, udpflood and icmpflood," Kaspersky's Jorge Mieres explains.

The botnet is controlled through a commercial web-based DDoS framework known as N0ise. It accepts commands to initiate several types of DDoS attack and to report the hostname of the victim machine, the type and version of the operating system, as well as the version of the malware itself.

This is not the first time the VirusTotal brand has been abused to distribute malware. Back in February 2010, we reported on a fake VirusTotal website that was used to distribute scareware.

Java-based downloaders are also very common. According to an earlier Kaspersky Lab report, the web threat landscape in December was dominated by Java trojans. Users are advised to run an up-to-date antivirus at all times and not to allow unsigned Java applets to execute.