Have you ever wondered how malware spreads, why there are so many compromised machines out there talking back to their CnC's? There must be a medium, a vehicle if you may, to get a Zeus, a Rogue AV, a Rustock (not anymore :)) or any new malware onto a box. Have you ever wondered what this vehicle could be? If you answered exploits, then your answer is right. Exploits, Pay Per Installs, Social Engineering are the main vectors to get malware on a machine. Exploit Tool kits are like point and click tools that use these exploits to make life easy for a hacker. At FireEye Labs, we continuously monitor the latest threats and exploit toolkits. One such toolkit that has come to our attention is the Incognito Toolkit. In the year 2011 we have noticed a sudden surge in our Incognito detections. This blog attempts to explain why this toolkit is so hard to detect, the obfuscation techniques it uses to the kind of malware it drops.Though not as widespread as the Blackhole Toolkit, this toolkit looks like it is here to make a mark.
Without further delay lets get into the finer workings of this Toolkit. Let's see what happens once a user clicks on a malicious Incognito link.
The initial GET reuquest gets a heavily obfuscated HTML page, the initial GET request looks like
The script tag of the HTML page has the following JScript embedded in it.
Download the full JS as PDF here —-> Download Js1
Not so obvious what all that JS is doing is it? Even before explaining in great detail let me first tell you that the function VyvidIxic() is important to note since it returns the string 'indexOfunescapeevallengthcharAtinnerHTMLgetElementsByTagNamedivgetElementById'.
var CecErasu = VyvidIxic();
The variable "CecErasu " is used in other functions to return the debofuscated results. For instance in the function RezuleKog(), you will see that the "substr" operation (function BimUv() = "substr") is being used to get the values needed, which in this particular function are "getElementByID" and "innerHTML" duly highlighted in green in the function above.
The function XynuxoloxiSyqu() is the function that is responsible for the de-obfuscation.
All you need to do to get the UTF encoded string is to change the above function to
Decoding the UTF encoded string leads to more JS, the crux of the exploit.
Download the full JS as PDF here —> Download Js2
In the FireEye VXE, functions step3() and function gr() triggered resulting in the following GET requests. Let's just say that function gr() results in the following GET request and downloads an EXE as you can see in the PCAP below.
and the function step3() results in this GET request and downloads a PDF called manual.pdf.
If function step2() had triggered, the String.CharCode in the function gets converted to
The GET request to "http://mullador.cz.cc/l.php?a=QQkEEkcJBQQEBAQB" downloads a VBscript, that looks like this
Now lets look at the EXE that got dropped by the ToolKit. The exe is detected by FireEye as Trojan.Anamika and is a Rogue AV. We detect not only the Exploit Toolkit but also the malware , how cool is that?
The rogue av has a very poor detection on VT. At the time of this writing there were only 5/43 (11.6%) detections on VT. Here is the link to the VT report.
Here is a comparison chart between the 4 most prevalent toolkits that we notice here at Fireeye Malware Intelligence Labs
UPDATE: Removed the JS in the blog and inserted snippets of the JS as images. The entire JS, however has been uploaded as a PDF file and can be downloaded. Hoping AV's don't start alerting on that now :)