[en] Uptobox hacked?

Many users have reported malware coming from the file-sharing storage service Uptobox these last few days, so I took a look.

First attempt: a wonderful redirect loop.
It starts badly.

But in the mess I found a Keitaro TDS (Traffic Direction System):

And another one:

The two TDS URLs in fact point to the same server, so it is the same TDS (5.39.70.118).

No surprise: the TDS leads to an exploit kit.
The malware at the end is a Trojan Furi (very old stuff: http://www.malekal.com/2010/11/12/supprimer-trojan-furi-trojanwin32bohmin-trojan-gamethief-win32-onlinegames/).

Sample: http://malwaredb.malekal.com/index.php?hash=a1eaa1bdefd62580c44489c65963c124

Detection is good: https://www.virustotal.com/file/48825c1a9082ec10188e88d29131b30914bfa3b58dfa69d4b18190cc60a0c605/analysis/
SHA256: 48825c1a9082ec10188e88d29131b30914bfa3b58dfa69d4b18190cc60a0c605
File name: 7rO82bEb.exe
Detection ratio: 7 / 44
Analysis date: 2012-11-28 18:16:36 UTC

ESET-NOD32 a variant of Win32/Kryptik.APOH 20121128
Fortinet W32/Zbot.ANQ!tr 20121128
Kaspersky Trojan-Ransom.Win32.PornoAsset.bifu 20121128
McAfee PWS-Zbot.gen.anq 20121128
McAfee-GW-Edition PWS-Zbot.gen.anq 20121128
Panda Suspicious file 20121128

Looking at the code of the different pages, we can see that the iframe pointing to the TDS is served from the page ad.uptobox.com/www/delivery/ajs.php (ajs.php is the JavaScript ad-delivery script of an OpenX ad server, so the iframe arrives through the ad slot).
Difficult to say whether it is malvertising or whether Uptobox itself was hacked to inject the code.

The URLs seen in the redirect chain:

http://ns2272279.ovh.net/?1
http://5.39.70.118/?8
http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php (91.213.126.182)
http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php?niis=iljr&qpbrwef=hcq
http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php?niis=iljr&qpbrwef=hcq
http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php?niis=iljr&qpbrwef=hcq
http://www2.kitchener3.com/implementing/hw.class
http://www2.kitchener3.com/implementing/hw.class
http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php?chs=1k:1k:1i:30:30&xcoh=3a:3j:39&oebkc=1m:1g:2w:1h:1k:1l:1m:1h:1m:1m&ycevf=1m:1d:1f:1d:1f:1d:1f
http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php?rnd=1k:1k:1i:30:30&zpt=1m:1g:2w:1h:1k:1l:1m:1h:1m:1m&vxe=1h&gzrfa=nzcfp&nkijvyz=eps
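To make the two checks concrete, here is an added example (my own code, not code from the article, from Uptobox or from any of the tools named here). It does what the analysis above does by hand: it pulls out of an ad-delivery response the iframes that point away from the site's own domain, and it labels each hop of the chain above by the shape of its URL (ad script, TDS redirector, exploit kit landing page, Java applet, payload request). The ad response is a constructed stand-in for what ajs.php returned: the banner line is invented and only the iframe target is the TDS address from the article. The hop labels are heuristics on path and query shape, not signatures, and the same rules also label the second BlackHole landing URL mentioned further down (twixmoi.servehttp.com).

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of an ad-delivery response (an OpenX ajs.php writes the banner with
# document.write) after an attacker has appended a hidden 1x1 iframe. The banner line is
# invented; the iframe target is the TDS address from the article.
AD_RESPONSE = """
document.write('<a href="http://ad.uptobox.com/click?id=1"><img src="http://ad.uptobox.com/banner.gif"></a>');
document.write('<iframe src="http://5.39.70.118/?8" width="1" height="1" style="visibility:hidden"></iframe>');
"""

# The redirect chain listed in the article, in the order given there.
CHAIN = [
    "http://ad.uptobox.com/www/delivery/ajs.php",
    "http://ns2272279.ovh.net/?1",
    "http://5.39.70.118/?8",
    "http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php",
    "http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php?niis=iljr&qpbrwef=hcq",
    "http://www2.kitchener3.com/implementing/hw.class",
    "http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php?chs=1k:1k:1i:30:30&xcoh=3a:3j:39&oebkc=1m:1g:2w:1h:1k:1l:1m:1h:1m:1m&ycevf=1m:1d:1f:1d:1f:1d:1f",
    "http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php?rnd=1k:1k:1i:30:30&zpt=1m:1g:2w:1h:1k:1l:1m:1h:1m:1m&vxe=1h&gzrfa=nzcfp&nkijvyz=eps",
]

IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.IGNORECASE)
COLON_ENCODED = re.compile(r"\w+(?::\w+)+")              # e.g. 1k:1k:1i:30:30
HYPHENATED_PHP = re.compile(r"[a-z]+(?:-[a-z]+)+\.php")  # e.g. clears-dislike-flight-stable.php


def foreign_iframes(body, site_domain):
    """Return iframe src URLs in a page/ad body whose host is not the site's own domain.

    This is the "look at the code of the pages" check: an ad slot that frames a bare IP
    or an unrelated host is the injection point.
    """
    hits = []
    for src in IFRAME_SRC.findall(body):
        host = (urlparse(src).hostname or "").lower()
        if host != site_domain and not host.endswith("." + site_domain):
            hits.append(src)
    return hits


def classify_hop(url):
    """Label one URL of the chain by the shape of its path and query (heuristic only)."""
    p = urlparse(url)
    name = p.path.rsplit("/", 1)[-1]
    values = [v for vs in parse_qs(p.query).values() for v in vs]
    if name == "ajs.php":
        return "ad-delivery script"
    if name.endswith(".class"):
        return "java applet (exploit)"
    if any(COLON_ENCODED.fullmatch(v) for v in values):
        return "payload request"          # colon-encoded parameters, BlackHole style
    if HYPHENATED_PHP.fullmatch(name):
        return "exploit kit landing page"
    if p.path in ("", "/") and re.fullmatch(r"\d+", p.query):
        return "TDS redirector"           # bare host with a numeric campaign id
    return "unknown"


def summarize_chain(urls):
    """Return ([(url, label), ...], sorted list of hosts) for blocking or IOC sharing."""
    labelled = [(u, classify_hop(u)) for u in urls]
    hosts = sorted({urlparse(u).hostname for u in urls})
    return labelled, hosts


if __name__ == "__main__":
    for src in foreign_iframes(AD_RESPONSE, "uptobox.com"):
        print("injected iframe ->", src)
    labelled, hosts = summarize_chain(CHAIN)
    for url, label in labelled:
        print(f"{label:24} {url}")
    print("IOC hosts:", ", ".join(hosts))
```

The iframe check is the cheap one to run first when a site is suspected: fetch the ad tag the pages include and look for any frame whose host is not yours. The chain labels are only there to tell the redirector from the landing page from the payload fetch, which decides what to block (the TDS host) versus what to hand to the AV vendor (the payload URL).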

Anyway, Uptobox is very popular for hosting movies. I will try to contact them and hope they fix it ASAP.

EDIT – Kbot

An edit to add that the TDS also leads to another BlackHole exploit kit: http://twixmoi.servehttp.com/analytics/except/shall-towards.php
(sample: http://malwaredb.malekal.com/index.php?hash=b1ebc889d5aebdaa2c687d964ba78d42).

The malware is Kbot:

I already talked about it in this article: http://www.malekal.com/2012/11/22/malvertising-sur-www-freenews-fr-et-www-franceinfo-fr/ (and http://www.malekal.com/2012/10/08/kbot-via-malvertising/).
That explains how they can infect so many computers in so little time.

Kbot is an entry point for other payloads: stealers such as SpyEye, the Andromeda bot, and also miners used to monetize the infected machines.

EDIT November 29

The incident is now closed.
Uptobox has confirmed the hack.

Avast! banned the TDS yesterday evening.

And this evening the TDS moved to a new OVH server (the previous one no longer responds; hard to say whether OVH took it down):

Another piece of good news: the Kbot C&C seems down, maybe another one taken down by OVH.
I have just sent an email to No-IP; hopefully they will ban the botmaster's account.

* !! If you think you were infected via Uptobox, then after disinfecting it is strongly recommended to change all your passwords (Facebook, email, etc.) and online game accounts !! *
