
Fake VirusTotal website propagated Java worm

Jorge Mieres
Kaspersky Lab Expert
Posted May 24, 00:48  GMT
Tags: Botnets, DDoS, JavaScript

Infection strategies based on JavaScript are on the agenda because of the technology's status as a "hybrid": criminals looking to expand their attack coverage can recruit infected computers regardless of the browser or operating system in use.

In terms of criminal activities, drive-by download techniques that inject malicious JavaScript into different websites are combined with social engineering, which requires users to increasingly sharpen their sense of "detection".

During this weekend, we encountered a fake website imitating VirusTotal, the popular service for analyzing suspicious files run by the company Hispasec, set up to infect users through the methods mentioned above.

To users, the website looks the same as the original. However, hidden in the source are the parameters needed to infect the system through a Java applet, which downloads, completely silently, malware detected by Kaspersky Lab as Worm.MSIL.Arcdoor.ov.

The worm is designed to recruit zombies that will become part of a botnet built primarily to perform DDoS attacks: synflood, httpflood, udpflood and icmpflood. Communication centers on a C&C that stores information obtained from the victim machine. Some of the parameters involved in the communication are:

&mode: type of DDoS attack

&botver: malware version

&pcname: name of the victim machine (hostname)

&winver: type and version of the operating system
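
An added example, not part of the original post and not Kaspersky Lab's tooling: one way to hunt for this check-in in web-proxy logs is to flag requests whose query string or form body carries several of the parameter names listed above. The log layout, hosts, path, parameter values and the three-of-four threshold are assumptions constructed for illustration; the post does not say whether the parameters travel in a GET query or a POST body, so both are checked.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names come from the article; everything else here is constructed.
BEACON_PARAMS = {"mode", "botver", "pcname", "winver"}
MIN_MATCH = 3  # assumption: "mode" alone is common on benign sites, so require 3 of 4

# Assumed proxy log layout: client_ip METHOD url [form_body]
LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)(?:\s+(?P<body>\S+))?$"
)


def beacon_params(url, body=""):
    """Return the article's parameter names present in the query string or body."""
    names = set()
    for blob in (urlsplit(url).query, body or ""):
        names |= {k.lower() for k in parse_qs(blob, keep_blank_values=True)}
    return names & BEACON_PARAMS


def scan(lines):
    """Return (client, host, matched_names) for lines that resemble the check-in."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed layout
        matched = beacon_params(m["url"], m["body"])
        if len(matched) >= MIN_MATCH:
            hits.append((m["client"], urlsplit(m["url"]).hostname, sorted(matched)))
    return hits


# Constructed sample log lines (placeholder hosts, path and values).
SAMPLE_LOG = [
    "10.0.0.21 GET http://cc.example.invalid/c2-path-placeholder?mode=1&botver=1.0&pcname=WS-042&winver=WinXP",
    "10.0.0.35 POST http://cc.example.invalid/c2-path-placeholder mode=2&botver=1.0&pcname=LAB-7&winver=Win7",
    "10.0.0.44 GET http://shop.example.invalid/list?mode=grid&page=2",
    "10.0.0.50 GET http://intranet.example.invalid/",
]

if __name__ == "__main__":
    for client, host, names in scan(SAMPLE_LOG):
        print(f"possible bot check-in: {client} -> {host} params={names}")
```

Hosts flagged this way are candidates for isolation and a scan for Worm.MSIL.Arcdoor.ov; the destination host is a candidate for a proxy or DNS block.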

These attacks are usually run through a centralized hub from which the attacker manages the malicious operations using web-based DDoS frameworks such as N0ise (used in this case), Cythosia, or NOPE. Such applications have a high impact and are in high demand in terms of development, especially from the European zone of Germany.

Kaspersky Lab detects this threat proactively and continues to investigate these criminal activities.



Rod MacPherson

2011 May 25, 18:45

Why censor these?

Why do people censor screenshots of malicious sites?
You cut off the address bar and blacked out the URL to the malicious code in the screenshots. WHY?!?!

There is nothing more annoying for a network defender than to have someone say I have found a threat here is a screenshot... but to protect the threat agent's privacy I've censored the URL.

If you are worried that other AntiVirus companies will use your blog post to find the malware code and write a detection of their own and you will lose business because you don't have the exclusive... then I am sorry, you are in the wrong business. You should not be worrying about how many you catch vs. the other guy and trying to protect your position in the market at the expense of the folks that are just trying to protect themselves. All you accomplish is making it easier for the bad guys to continue doing what they are doing.
The fact that you found it first and blogged about it to help others should be the marketing point, not that you have a way to detect the worm and no one else does.
Stop protecting the criminals and give us the ammo we need to prevent an infection in the first place.


Rod MacPherson

2011 May 25, 18:48

Re: Why censor these?

'An ounce of prevention is worth a pound of cure'


Kurt Baumgartner

2011 Jun 02, 21:18

Re: Why censor these?

Hi Rod-

Simple answer - we are in the business of protecting customers and preventing infections, not spreading malicious links. Yes, sometimes we may post a link, but I believe that Jorge darkened the link here so that kids and individuals would not mistakenly visit the site and infect their own system.
Yes, that sort of thing happens. Some of us have learned the hard way, but unfortunately it does happen.

Kaspersky Lab has been a vendor in this business for a long time. Frequently, our researchers share and receive information with other vendors and organizations about malware, including the one in this fine post. You can dismiss your concern that we don't share information with other vendors and sec pros, because we do just that within infosec communities. The industry is highly competitive, but the knowledge share occurs.

Jorge found it interesting and blogged about it. I learned something and I am hoping that you did too. Thanks for the questions and please enjoy the posts.




2011 May 26, 13:41

Useless report/alert

Nice read however totally useless info.

Should this be an alert? By removing the URL you make the alert a joke: you deliver some insight (fwiw, to me nothing new in it) and provide the reader with scare, at the same time you hide the most important info - the URL that should be avoided to visit. I have no understanding at all for such objectionable behavior.


Owner Smokey's Security Forums

Edited by Smokey, 2011 May 26, 21:57


Kurt Baumgartner

2011 Jun 02, 21:25

Re: Useless report/alert

Hi Smokey- thanks for the questions. It's great that you understand the security problems that we are dealing with here. Surely, the DDoS framework described and the social engineering piece are interesting. Do you know of another phony Vtotal site used right now for malware delivery?

Please see my response to Rod's comment above.



Venus V.

2011 Jul 01, 16:29

I found a site selling a fake VirusTotal uploader...

it was advertised at hxxp://www.wardom.com.tr/ on the front page for some time... and there were several boasts on the site giving screenshots of exactly one of the pieces of malware that has been used against me to try to discredit my very small beginning efforts on VirusTotal... and to prevent my being able to successfully upload the large amount of malware of all kinds on my system...

They'd even done quite a bit of "search engine pessimization" (as I phrase it) to make sure that their recruitment messages for "affiliates" and "investing partners" got a higher page rank!



2011 Aug 15, 10:19

Kaspersky - You need help!

You don't know how funny I find this. You're representing Kaspersky and you don't even know what a Java Drive-By is? Okay, let me explain to you what a Java Drive-By is so you can re-write this article correctly. A Java Drive-By is a web application that can be used to download an executable file pretty much anywhere on the user's computer and executed once downloaded when they press "Run".

I honestly don't understand why you put "JavaScript" as one of the tags when "Javascript" is not even involved in any of this. Please learn the difference between Javascript and Java. Let me explain it better yet. Javascript is a type of website coding that is used for websites and Java is used as a program or application. Javascript doesn't even have access to the computer like Java has, cause Javascript is a language that is used for websites.



2011 Sep 12, 08:36


Would it be possible to get a pcap, so that I could write rules for emerging threats?
