Have you ever wondered how malware spreads, why there are so many compromised machines out there talking back to their CnC's? There must be a medium, a vehicle if you may, to get a Zeus, a Rogue AV, a Rustock (not anymore ) or any new malware onto a box. Have you ever wondered what this vehicle could be? If you answered exploits, then your answer is right. Exploits, Pay Per Installs, Social Engineering are the main vectors to get malware on a machine. Exploit Tool kits are like point and click tools that use these exploits to make life easy for a hacker. At FireEye Labs, we continuously monitor the latest threats and exploit toolkits. One such toolkit that has come to our attention is the Incognito Toolkit. In the year 2011 we have noticed a sudden surge in our Incognito detections. This blog attempts to explain why this toolkit is so hard to detect, the obfuscation techniques it uses to the kind of malware it drops.Though not as widespread as the Blackhole Toolkit, this toolkit looks like it is here to make a mark.
Without further delay lets get into the finer workings of this Toolkit. Let's see what happens once a user clicks on a malicious Incognito link.
The initial GET reuquest gets a heavily obfuscated HTML page, the initial GET request looks like