Tuesday, June 14, 2011

Incognito exploit kit

Exploit kits are becoming an increasingly popular means of spreading attacks. Umesh recently blogged about seeing a spike in the usage of the Blackhole exploit kit. This exploit kit targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls.

Recently, I have noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that stands out to differentiate among these exploit kits is the URL patterns used. Most of the time, the URL pattern remains same within a given exploit kit. A quick look at malwaredomainlist shows the usage of common patterns used in URLs associated with Incognito.

Common URL patterns for Incognito:

Code obfuscation (Formatted for good view),

De-obfuscation of the aforementioned JavaScript, shows the exploit kit carrying out different attack vectors. Let’s analyze different pieces of the de-obfuscated code.

Object Initializations and other functions,


Iframe Injection:


Google safe browsing reports this URL to be malicious. Visiting the above link redirects you to fake search portal delivering ads hxxp://searchportal.information.com/?o_id=164060&domainname=register-domain-names.info.

Step 0: This is the entry point of the malicious code. It completes required initializations of objects for vulnerable ActiveX controls. Upon the successful creation of objects, it launches the first attack vector by calling function 'gr', which injects a malicious file. The code then moves on to Step 1.



Vulnerability Details:
CVE : CVE-2006-4704
Name : Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability

My previous blog post describes a different version of obfuscated JavaScript targeting this vulnerability.

Step 1 : This code targets the “Java Deployment Toolkit”.



Vulnerability Details:
CVE : CVE-2010-1423
Name : Java Deployment Toolkit insufficient argument validation

Step 2 : This creates Iframe tags for malicious PDFs.



This example illustrates how the multi-level attacks targeted by exploit kits are becoming a favored choice of attackers these days. More importantly, the creation of automated tools to deliver these exploits, provides attackers with the opportunity to launch campaigns on a frequent basis, with limited technical knowledge.

Pradeep

No comments: