Is fake VT scan site leading to backdoor being detected? [SOLVED]

Fake VirusTotal scan site leads to a backdoor… -http://new-virustotal.tk/ redirects to -http://freedomains4all.tk
Not found by sucuri scanner;
web site:
-http://new-virustotal.tk/
status:
Site verified to be secure and free of malware.
web trust:
Site not blacklisted.
Detected here at VT: http://www.virustotal.com/url-scan/report.html?id=5bb2f8fa8f3995fba534f39c127884a4-1306128162
File detection VT:
http://www.virustotal.com/file-scan/report.html?id=6c542ea029191d4467b46023ca6ac5e4c42c21ef17b0346b9fdb7d307ecfed59-1306135933
detected as Trojan Malscript (not detected by avast)
Detected here: http://www.malwareblacklist.com/searchClearingHouse.php?search=new-virustotal.tk
flagged there as Exploit

polonus

I believe avast! blocks that URL.

Hi igor,

Great, I will add [SOLVED]. Network Shields detects as URL:Mal.

polonus

It was brought down earlier today :)

Update: 15:01 23-05-2011

Better late than never, but dot.tk have now suspended new-virustotal.tk.

http://hphosts.blogspot.com/2011/05/warning-fake-virustotal-site-serving.html

Hi spg SCOTT,

Thanks for reporting, these exploits are short-lived as soon as reported, good the response there now is dead,
I could have known from the SOSWebScan result: Error Reason:Moved Permanently
Redirected-to :
So we cannot scan this website. Please check and try again. Good thing, we do not have to do that now.

polonus

Hi spg SCOTT,

Just in retrospect, what happened there was that the false fake site (now taken down) showed a pop-up, trying to load a Java exploit to install the following worm. Worm.MSIL.Arcdoor.ab can launch an HTTP server on a random TCP port; this is then used to download the Worm.MSIL.Arcdoor.ab executable file to other computers. Worm.MSIL.Arcdoor.ab steals the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability in the Server service. This for all that missed this online miscreation ;D

polonus