Uptobox hacked?

Many users have reported malware on the web file-sharing service Uptobox these last few days.
So I took a look.

First attempt: a wonderful redirection loop.
It begins badly.

But in the mess I found a Keitaro TDS:

and another one:

The two TDS URLs are in fact on the same server, and so are the same TDS (

No surprise: the TDS leads to an exploit kit.
The malware at the end is a Trojan Furi (very old stuff: https://www.malekal.com/2010/11/12/supprimer-trojan-furi-trojanwin32bohmin-trojan-gamethief-win32-onlinegames/)

Sample: http://malwaredb.malekal.com/index.php?hash=a1eaa1bdefd62580c44489c65963c124

Detection is good: https://www.virustotal.com/file/48825c1a9082ec10188e88d29131b30914bfa3b58dfa69d4b18190cc60a0c605/analysis/
SHA256: 48825c1a9082ec10188e88d29131b30914bfa3b58dfa69d4b18190cc60a0c605
File name: 7rO82bEb.exe
Detection ratio: 7 / 44
Analysis date: 2012-11-28 18:16:36 UTC ( 31 minutes ago )

ESET-NOD32 a variant of Win32/Kryptik.APOH 20121128
Fortinet W32/Zbot.ANQ!tr 20121128
Kaspersky Trojan-Ransom.Win32.PornoAsset.bifu 20121128
McAfee PWS-Zbot.gen.anq 20121128
McAfee-GW-Edition PWS-Zbot.gen.anq 20121128
Panda Suspicious file 20121128



Looking at the code of the different pages, we can see that the iframe of the TDS is stored in the page ad.uptobox.com/www/delivery/ajs.php.
Difficult to say whether it is malvertising or whether Uptobox was hacked to inject the code.
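As an added illustration (not code from the original post or from Uptobox), here is a defender-side check for the kind of injection described above: it parses the HTML that an ad-delivery script writes into the page with document.write and flags iframes whose host is outside an assumed allowlist or that are hidden. The sample script response and the TDS host in it are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts an ad-delivery script is allowed to frame (assumed allowlist; adjust per site).
ALLOWED_HOSTS = {"ad.uptobox.com", "uptobox.com"}

# Constructed sample of an ajs.php-style response: one legitimate banner frame plus an
# injected hidden frame pointing at a placeholder TDS host (not a real indicator).
SAMPLE_AJS = r"""
document.write('<iframe src="http://ad.uptobox.com/www/delivery/afr.php?zoneid=1" width="728" height="90" frameborder="0"></iframe>');
document.write("<iframe src=\"http://tds.example.invalid/go.php\" width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>");
"""

# Captures the quoted string passed to document.write/writeln, tolerating escaped characters.
_WRITE_RE = re.compile(r"""document\.write(?:ln)?\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""", re.S)

class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag seen in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def extract_written_html(js):
    """Return the HTML fragments a script writes into the page via document.write."""
    frags = []
    for m in _WRITE_RE.finditer(js):
        raw = m.group(2)
        frags.append(raw.replace("\\/", "/").replace("\\'", "'").replace('\\"', '"'))
    return frags

def _is_hidden(attrs):
    """True for 0/1-pixel frames or frames hidden by inline CSS."""
    tiny = {"0", "1", "0px", "1px"}
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") in tiny or attrs.get("height") in tiny
            or "display:none" in style or "visibility:hidden" in style)

def find_suspicious_iframes(js, allowed_hosts=ALLOWED_HOSTS):
    """Flag written iframes whose src host is outside the allowlist or that are hidden."""
    findings = []
    for frag in extract_written_html(js):
        parser = _IframeCollector()
        parser.feed(frag)
        for f in parser.iframes:
            host = urlparse(f.get("src", "")).hostname or ""
            reasons = []
            if host and host not in allowed_hosts:
                reasons.append("external host " + host)
            if _is_hidden(f):
                reasons.append("hidden iframe")
            if reasons:
                findings.append((f.get("src", ""), reasons))
    return findings
```

Running `find_suspicious_iframes(SAMPLE_AJS)` reports only the hidden frame to the placeholder TDS host; the legitimate banner frame is left alone.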


The URLs:

http://www2.kitchener3.com/implementing/clears-dislike-flight-stable.php (


Anyway, Uptobox is very popular for hosting movies. I will try to contact them; I hope they will fix this ASAP.


EDIT - Kbot stuff

An edit to add that the TDS also leads to another BlackHole: http://twixmoi.servehttp.com/analytics/except/shall-towards.php
(sample http://malwaredb.malekal.com/index.php?hash=b1ebc889d5aebdaa2c687d964ba78d42).

The malware is Kbot:




I already spoke about it in this article: https://www.malekal.com/malvertising-sur-www-freenews-fr-et-www-franceinfo-fr/ (and https://www.malekal.com/kbot-via-malvertising/),
which explains how they can infect so many computers in so little time.

Kbot is an entry point for other stuff, especially stealers like Andromeda and SpyEye, and also mining stuff to monetize the infections.


EDIT November 29

The incident is now closed.
Uptobox has confirmed the hack.

Avast! banned the TDS yesterday evening.

And this evening, the TDS changed (the previous server does not respond anymore; difficult to say whether OVH moved it) to a new OVH server:

Another piece of good news: the Kbot C&C seems to be down, maybe another move by OVH.
I just sent an email to No-IP; I hope they will ban the botmaster's account.

* !! If you think you were infected via Uptobox, after disinfecting, it is more than recommended to change all your passwords (Facebook, email, etc.) and online games !! *

This article is under the Creative Commons BY-NC-SA license.
You are allowed to share and modify this article, provided you credit the site and the license, use the same license if you modify the work, and do not make commercial use of it.