Reversing the Incognito Exploit Kit

Looks like Incognito got updated yet again. Let’s reverse the Javascript exploit code…

First let’s clean this up (the complete script is here)! You can see it’s now using p, div, and span tags to hold the obfuscated code which is different than the earlier versions.

While the Javascript code at the bottom looks different than the previous version, there are several similiarities.

What the Javascript does first is build out the list of key Javascript objects:

“indexOfunescapeevallengthcharAtinnerHTMLgetElementsByTagNamedivgetElementById”

Other functions in the script uses “substr” to extract the text (i.e. the Javascript object) it needs to perform its tasks.

At the very top of the script, there are three DIVs. The first one decrypts to the string above. The second and third are used as lookup tables if you will and called upon by the “LywIs” function which decrypts the junk at the top.

What that function does is read in the gibberish, after it has been concatenated into one long string, one character at a time (e.g. “hMTTuHhMTTuFhMTTuUhMTTydhMTTuthMTTudhMTTuQ”). The first character is “h”. Go ahead and find it in the first string of characters below and remember its position.

qgxuMoLXtBywHhFDzTNdYPUQclvJpbKIikAnOZfSWaERrmVsjCeG
AaE6ub2Bd87F4%f9D0c51C3e

Now look at the shorter string above and get the character at the same position. That’s the converted value. In this case, it’s the “%” character. The top string is twice as long as the second but only the first half is used.

The next character is “M” which corresponds to “u”. The third is “T” which is “0”. And so on…until you get this.

To shortcut this, you can modify the function this way:

Now, you just need to convert this from UCS2 to Hex then convert Hex to Text. You should then get this:

Unlike some of the other exploit kits, Incognito 2.0 only uses a limited number of exploits:

$exp_list = array(“jark”,”rox”,”hcp”,”jdt”,”libtiff”,”mdac”);

Each of these exploits are spread over four steps in the code we just deobfuscated. Let’s look at the last step, “step3”. This function pushes out one of two PDF exploit files depending on your browser/version.

This PDF file I downloaded contains Javascript code that deobfuscates the junk at the bottom. This is rather simple to figure out. In fact, this technique looks similar to what the Black Hole exploit kit uses.

Up near the top of the Javascript are two variables which look like years:

CekipyboRijehyxo=2011;
var j = CekipyboRijehyxo-2007;

The result is 4. Remember that for later. After a bunch of concatenation, text replacements, and other steps to try and throw you off, the Javascript code takes the junk at the bottom and decrypts it. Here’s an excerpt of the gibberish:

j*29.5,j*24.25,j*28.5,j*8,j*24.5,j*26.5,j*28.75,j*25.75,j*15.25,j*9.75,j*9.25,j*29.25,j*14.25,j*12…

If you remember, the value of the variable “j” is 4. 4 x 29.5 = 118. 4 x 24.25 = 97. Keep going till you are done then convert the decimal values to text. You will end up with this:

If you look at the Metasploit PDF exploit module, you will see that this is very familiar. There’s shellcode up at the top, now let’s analyze that. You will first need to convert this to binary. There’s a number of tools to help you do that. I like “Malzilla” by Bobby. Paste the shellcode into the “Misc Decoders” tab:

Click on the “UCS2 to Hex” button then the “Hex to File” button and save the file. You will end up with this:

Another favorite tool I like to use is “sclog” from David Zimmer which dumps and hopefully decodes the shellcode. Just enter the following command:

And you will get the decoded result. If this doesn’t work for you then you can use another one of David Zimmer’s tools called “Shellcode2EXE” then analyze the EXE file.

When I visit this URL, I get an executable file called “setup.exe”. Uploading this to VirusTotal and we get the following results. It looks to be a packed downloader with 12 of 43 (27.9%) coverage.

Here’s the link: http://www.virustotal.com/file-scan/report.html?id=fcd8e5146b67bcc3de663cd29dd805af5dea50e6dcad60c3328fefbdae0e2c8f-1306709857#

Since it’s likely to be a downloader, I fire up my packet sniffer and run the program. This program downloads a file also called “setup.exe”.

The downloaded file ends up in c:\windows\temp\ and is renamed to “_ex-68.exe”. I shoot that over to VirusTotal and it is only picked up by 7 of 42 AV engines (16.7%).

Here’s the link: http://www.virustotal.com/file-scan/report.html?id=066e29c43bf818e1cb35efe8bc408fe5ac65632814198382b3f7c7c1aecad5ce-1306726815

What is this last executable? You guessed it…rogueware.

Hopefully this helps you better understand how to reverse Javascript and tackle some of the binaries you get during your analysis.

Posted on: 06/04/2011