
The Rise Of Incognito

Have you ever wondered how malware spreads, and why there are so many compromised machines out there talking back to their CnCs? There must be a medium, a vehicle if you will, to get a Zeus, a Rogue AV, a Rustock (not anymore :)) or any new malware onto a box. Have you ever wondered what this vehicle could be? If you answered exploits, your answer is right. Exploits, Pay Per Installs and Social Engineering are the main vectors for getting malware onto a machine. Exploit toolkits are point-and-click tools that use these exploits to make life easy for a hacker. At FireEye Labs we continuously monitor the latest threats and exploit toolkits. One such toolkit that has come to our attention is the Incognito Toolkit. In 2011 we have noticed a sudden surge in our Incognito detections. This blog attempts to explain why this toolkit is so hard to detect, from the obfuscation techniques it uses to the kind of malware it drops. Though not as widespread as the Blackhole Toolkit, this toolkit looks like it is here to make a mark.

Without further delay, let's get into the finer workings of this toolkit. Let's see what happens once a user clicks on a malicious Incognito link.

The initial GET request fetches a heavily obfuscated HTML page. The initial GET request looks like this:

[Image: Initial_incognito_get, the initial Incognito GET request]

The script tag of the HTML page has the following JScript embedded in it:

[Image: Js1, the first obfuscated JavaScript snippet]

Download the full JS as PDF here: Download Js1

Not so obvious what all that JS is doing, is it? Before explaining in detail, note that the function VyvidIxic() is important: it returns the string 'indexOfunescapeevallengthcharAtinnerHTMLgetElementsByTagNamedivgetElementById'.

var CecErasu = VyvidIxic();

The variable CecErasu is used in other functions to return the deobfuscated results. For instance, in the function RezuleKog() you will see that the "substr" operation (the function BimUv() returns "substr") is used to slice out the values needed, which in this particular function are "getElementById" and "innerHTML", highlighted in green in the function above.

The function XynuxoloxiSyqu() is the function that is responsible for the de-obfuscation.

[Image: Func1, the XynuxoloxiSyqu() de-obfuscation function]

All you need to do to get the UTF-encoded string is to change the above function to:

[Image: Chfunc, the modified function]

Decoding the UTF-encoded string leads to more JS, the crux of the exploit:

[Image: Js2, the decoded second-stage JavaScript]

Download the full JS as PDF here: Download Js2
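The dictionary-string and unescape/eval pattern described above, as an added example that is not the toolkit's code or FireEye's: the offset table for the string VyvidIxic() returns, the substr() slicing the kit does at run time, and the analyst's swap of eval for a capturing sink, which is what the post's edit of XynuxoloxiSyqu() achieves. The function names (pick, offsetTable, runStage, captureStage), the offsets and the harmless second stage are ours; the dictionary string itself is the one the post quotes.

```javascript
// Added example, not code from the Incognito kit or from FireEye.

// The string the post shows VyvidIxic() returning: method names run together.
const DICT = 'indexOfunescapeevallengthcharAtinnerHTMLgetElementsByTagNamedivgetElementById';

// substr(start, length) slices a method name out of DICT at run time, so the
// page source never contains "getElementById" or "eval" as a literal token.
// Offsets are hardcoded in the kit; here they are looked up via offsetTable().
function pick(start, length) {
  return DICT.substr(start, length);
}

// Every name packed into DICT, in order, and where each one starts.
const NAMES = ['indexOf', 'unescape', 'eval', 'length', 'charAt', 'innerHTML',
               'getElementsByTagName', 'div', 'getElementById'];
function offsetTable() {
  const table = {};
  let pos = 0;
  for (const name of NAMES) {
    table[name] = [pos, name.length];   // e.g. getElementById -> [63, 14]
    pos += name.length;
  }
  return table;
}

// Encoder/decoder for the %uXXXX form that unescape() understands. The decoder
// also accepts %XX, so it works on either encoding without the browser global.
function encodePercentU(text) {
  return Array.from(text, ch =>
    '%u' + ch.charCodeAt(0).toString(16).padStart(4, '0')).join('');
}
function decodePercentU(encoded) {
  return encoded.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u4, x2) => String.fromCharCode(parseInt(u4 || x2, 16)));
}

// A constructed, harmless second stage standing in for the kit's payload.
const STAGE2_PLAIN = 'var marker = 1 + 2;';
const STAGE2_ENCODED = encodePercentU(STAGE2_PLAIN);

// The kit's shape: decode, then hand the result to whatever `sink` is.
// In the real page the sink is the function named by DICT.substr(15, 4) ("eval").
function runStage(encoded, sink) {
  return sink(decodePercentU(encoded));
}

// The analyst's version: same decode, but the sink records the code instead of
// executing it. This is the edit the post makes to XynuxoloxiSyqu().
function captureStage(encoded) {
  const captured = [];
  runStage(encoded, code => { captured.push(code); return code; });
  return captured;
}

// Stand-alone run.
console.log(offsetTable()['getElementById']);   // [ 63, 14 ]
console.log(pick(63, 14));                       // getElementById
console.log(captureStage(STAGE2_ENCODED)[0]);   // var marker = 1 + 2;
```

The point of the capturing sink is that the second stage is recovered as text, ready for reading or hashing, without ever being evaluated in the analyst's browser or sandbox.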

In the FireEye VXE, the functions step3() and gr() triggered, resulting in the following GET requests. Function gr() results in the GET request below and downloads an EXE, as you can see in the PCAP:

[Image: Exe_download_incognito, PCAP of the EXE download]

The function step3() results in this GET request and downloads a PDF called manual.pdf:

[Image: Pdf_incognito, the manual.pdf download]

If function step2() had triggered, the String.CharCode in the function would have been converted to:

[Image: Cmd, the decoded command]

The GET request to "http://mullador.cz.cc/l.php?a=QQkEEkcJBQQEBAQB" downloads a VBScript that looks like this:

[Image: Vbs, the downloaded VBScript]
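A defender-side way to pick out the download sequence described above (a landing page followed by EXE, PDF and VBScript payloads from the same host to the same client within a short window), as an added example that is not FireEye's code. The proxy log format, the field names, the 120-second window, the /index.php and /load.php paths and the content types are constructed for this example; the host, the l.php URL and manual.pdf are the ones the post shows.

```javascript
// Added example, not FireEye's detection logic.

// Constructed proxy log lines: "<epoch> <client> <host> <path> <content-type>".
// The mullador.cz.cc host, the l.php URL and manual.pdf come from the post; the
// other paths, the content types and the timestamps are made up.
const SAMPLE_LOG = [
  '1300723500 10.0.0.5 mullador.cz.cc /index.php text/html',
  '1300723503 10.0.0.5 mullador.cz.cc /load.php?id=1 application/x-msdownload',
  '1300723504 10.0.0.5 mullador.cz.cc /manual.pdf application/pdf',
  '1300723506 10.0.0.5 mullador.cz.cc /l.php?a=QQkEEkcJBQQEBAQB text/vbscript',
  '1300723520 10.0.0.9 www.example.com /index.html text/html',
  '1300723525 10.0.0.9 www.example.com /whitepaper.pdf application/pdf',
  '1300723900 10.0.0.5 mullador.cz.cc /late.exe application/x-msdownload',
].join('\n');

// Content types treated as dropped payloads, mapped to a short kind label.
const PAYLOAD_TYPES = {
  'application/x-msdownload': 'exe',
  'application/octet-stream': 'exe',   // raw EXE delivery is often untyped
  'application/pdf': 'pdf',
  'text/vbscript': 'vbs',
};

function parseLine(line) {
  const [ts, client, host, path, ctype] = line.trim().split(/\s+/);
  return { ts: Number(ts), client, host, path, ctype };
}

// 'landing' for HTML, a payload kind for the types above, null otherwise.
function classify(ctype) {
  if (ctype.startsWith('text/html')) return 'landing';
  return PAYLOAD_TYPES[ctype] || null;
}

// Flag a client/host pair when a landing page is followed, within windowSec,
// by at least two distinct payload kinds. A single PDF after a page is normal
// browsing; HTML then EXE then PDF then VBS from one host is not.
function findKitSequences(logText, windowSec = 120) {
  const byPair = new Map();
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    const rec = parseLine(line);
    const key = `${rec.client} ${rec.host}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(rec);
  }
  const alerts = [];
  for (const [key, recs] of byPair) {
    recs.sort((a, b) => a.ts - b.ts);
    for (const landing of recs.filter(r => classify(r.ctype) === 'landing')) {
      const payloads = new Map();
      for (const r of recs) {
        const kind = classify(r.ctype);
        const inWindow = r.ts >= landing.ts && r.ts - landing.ts <= windowSec;
        if (kind && kind !== 'landing' && inWindow && !payloads.has(kind)) {
          payloads.set(kind, r.path);
        }
      }
      if (payloads.size >= 2) {
        const [client, host] = key.split(' ');
        alerts.push({ client, host, landing: landing.path,
                      payloads: Object.fromEntries(payloads) });
        break;   // one alert per client/host pair
      }
    }
  }
  return alerts;
}

// Stand-alone run: one alert for 10.0.0.5 / mullador.cz.cc, none for example.com.
console.log(JSON.stringify(findKitSequences(SAMPLE_LOG), null, 2));
```

The late EXE at +400 seconds falls outside the window and is not attached to the alert, which keeps the rule from accumulating unrelated downloads over a whole day; tune windowSec to how quickly your own traffic shows the landing-to-payload gap.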

Now let's look at the EXE dropped by the toolkit. The EXE is detected by FireEye as Trojan.Anamika and is a Rogue AV. We detect not only the exploit toolkit but also the malware, how cool is that?

[Image: Rogav, the Rogue AV]

The rogue AV has very poor detection on VT. At the time of this writing there were only 5/43 (11.6%) detections on VT. Here is the link to the VT report:

http://www.virustotal.com/file-scan/report.html?id=2545065151f396f1960bf5f8c7eb06254a3582b6506852b7c8069baf3f9aeb92-1300723540

Here is a comparison chart of the 4 most prevalent toolkits that we see here at FireEye Malware Intelligence Labs:

[Image: Chart2, toolkit comparison chart]
This is data collected for the year 2011, and you can already see that even though BlackHole is the leader, Incognito is quickly catching up.

UPDATE: Removed the JS from the blog and inserted snippets of the JS as images. The entire JS, however, has been uploaded as a PDF file and can be downloaded. Hoping AVs don't start alerting on that now :)

2 thoughts on “The Rise Of Incognito”

  1. I guess I can ignore my AV scanner blocking this page due to JS/Exploit.JavaDepKit.A threat being detected :o)
