Incognito Exploit Kit Redux

After posting the previous article on Incognito, I was told by a couple of people that this was an older version (many thanks, guys). I have been tracking that exploit kit for a while and never got around to posting an article on it until now.

<request>This is a long shot but I would like to ask those in the scene to share this kit with me. I won't use it nor sell it, I just want to analyze it. And if you want me to keep it private, I will of course honor your request. And since I'm asking, I've always wanted to analyze the following kits (some old, some new) but never been able to find them: Golod, Lupit, Impassioned, Blackhole, iPack, Apache, JustExploit, Dragon, Napoleon, Liberty, Intoxicated, Shaman's Dream, SEO, Bomba, and Siberia. I would gladly trade but looking at this list, I doubt I would have anything you'd want. :) Anyway, you can email it to kahu.security[at]gmail.com if you're feeling generous. Thanks in advance!</request>

Anyway, there's one kit that I've been tracking since the beginning of the year but I can't find any information on it. The URLs all look like this:

website/in.php?a=QQkFBg0BAAEHAAAFEkcJBQYNAQABAwIGAA==
website/in.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA==
website/in.php?a=QQkEEkcJBQQEBAQF

A couple people think it's an updated version of Dragon Pack while others say it's a newer version of Incognito. After doing some research, it appears to be Incognito. And the author has done a lot of work on the Javascript obfuscation and changed it out…not just once, not twice but at least three times!

This is what the Javascript exploit looked like in January. Here's the top part, which shows the scrambled text that contains the exploit code:

This is the bottom part which deobfuscates the text:

Here's a cleaned up version of the Javascript:

Once you decrypt it, you get this:

Here's the second iteration of Incognito that I noticed a few weeks later. This is the top part:

And here's the bottom part:

Here's the cleaned up version:

After you deobfuscate it, you come up with this:

Here's the third iteration of the obfuscated script:

And this is the bottom part:

Let's clean this up so it's readable. This is the top part of the script.

This is the bottom part, which holds the key to cracking it. The function "BaqyjOvaxube" does the decryption. The variable "PubIjyqid" is defined and then used as an accumulator. We can add a "document.write(PubIjyqid)" statement to grab the result of the function, which is a Unicode dump.

All we need to do now is convert UTF7 to text and we get the following exploit code:

As you'll notice, the author uses the same exploit code but creates a new obfuscation routine every month or so in order to bypass anti-virus, web filters, and IDS.

I suppose that the Incognito author is performing the monthly cleaning as part of his package and obviously holding up his end of the deal. I guess that means another version should be out in a couple of weeks.

Posted on: 03/07/2011