MD5 : 8a5bf0dd71a1b8ea8155963b252e2105
V/T report: 13/42 now (seen <6 detects in some cases)
Exploit kits are becoming an increasingly popular means of spreading attacks. Umesh recently blogged about seeing a spike in the usage of the Blackhole exploit kit. This exploit kit targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls.
Recently, I have noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that helps differentiate between exploit kits is the URL patterns used. Most of the time, the URL pattern remains the same within a given exploit kit. A quick look at malwaredomainlist shows the common patterns used in URLs associated with Incognito.
Common URL patterns for Incognito:
Code obfuscation (formatted for readability):
Object initializations and other functions:
Google Safe Browsing reports this URL to be malicious. Visiting the above link redirects you to a fake search portal that delivers ads: hxxp://searchportal.information.com/?o_id=164060&domainname=register-domain-names.info.
Step 0: This is the entry point of the malicious code. It completes required initializations of objects for vulnerable ActiveX controls. Upon the successful creation of objects, it launches the first attack vector by calling function 'gr', which injects a malicious file. The code then moves on to Step 1.
CVE: CVE-2006-4704
Name: Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
Step 1: This code targets the "Java Deployment Toolkit".
CVE: CVE-2010-1423
Name: Java Deployment Toolkit insufficient argument validation
Step 2: This creates iframe tags for malicious PDFs.
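As an added, defender-side illustration (not Zscaler's code and not the kit's own script), the following Python triages a captured landing page for the three stage indicators described in Steps 0 to 2: ActiveX object creation, a Java Deployment Toolkit launch, and iframes pulling in PDFs. The sample HTML, its hostnames and the CLSID in it are constructed placeholders; the regexes are heuristics a sandbox or proxy could apply to page captures, not signatures for any specific exploit.

```python
"""Heuristic triage of a captured landing page for the three stages described
above. Added example, not Zscaler's code; SAMPLE_PAGE is constructed and
contains no real exploit, CLSID or kit URL."""
import re
from html.parser import HTMLParser


class _Collector(HTMLParser):
    """Pulls out the page elements the three stages rely on."""

    def __init__(self):
        super().__init__()
        self.objects = []     # classid attrs of <object> tags
        self.iframes = []     # (src, hidden) for each <iframe> with a src
        self.scripts = []     # inline <script> bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid"):
            self.objects.append(a["classid"])
        elif tag == "iframe" and a.get("src"):
            hidden = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
            self.iframes.append((a["src"], hidden))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# One heuristic per stage described in the post.
ACTIVEX_RE = re.compile(r"new\s+ActiveXObject\s*\(", re.I)   # Step 0
JDT_RE = re.compile(r"\.launch\s*\(|\.jnlp\b", re.I)          # Step 1
PDF_RE = re.compile(r"\.pdf(?:[?#]|$)", re.I)                 # Step 2


def triage_landing_page(html):
    """Return a list of (stage, evidence) findings for one captured page."""
    c = _Collector()
    c.feed(html)
    script_text = "\n".join(c.scripts)
    findings = []

    # Step 0: ActiveX controls instantiated statically or from script
    for classid in c.objects:
        findings.append(("step0_activex", f"<object classid={classid}>"))
    if ACTIVEX_RE.search(script_text):
        findings.append(("step0_activex", "new ActiveXObject(...) in script"))

    # Step 1: Java Deployment Toolkit driven launch of a JNLP file
    m = JDT_RE.search(script_text)
    if m:
        findings.append(("step1_jdt", m.group(0)))

    # Step 2: iframes pulling in PDF documents, typically sized to be invisible
    for src, hidden in c.iframes:
        if PDF_RE.search(src):
            findings.append(("step2_pdf_iframe", f"{src} (hidden={hidden})"))
    return findings


def stages_hit(findings):
    """Distinct stages observed; two or more is the multi-stage pattern above."""
    return sorted({stage for stage, _ in findings})


# Constructed sample page (placeholder CLSID and hostnames, no real payload).
SAMPLE_PAGE = """
<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="obj1"></object>
<script>
var o = new ActiveXObject("Constructed.ProgID");
</script>
<script>
try { document.getElementById('obj1').launch("http://example.invalid/constructed.jnlp"); } catch(e) {}
</script>
<iframe src="http://example.invalid/constructed.pdf" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for stage, evidence in triage_landing_page(SAMPLE_PAGE):
        print(stage, "->", evidence)
    print("stages:", stages_hit(triage_landing_page(SAMPLE_PAGE)))
```

A page hitting all three stages is worth a closer look even when every individual element is benign in isolation; an ActiveX object plus a JNLP launch plus a zero-sized PDF iframe is the shape of the chain described above, regardless of how the surrounding JavaScript is obfuscated.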
This example illustrates how the multi-stage attacks delivered by exploit kits are becoming a favored choice of attackers these days. More importantly, the creation of automated tools to deliver these exploits provides attackers with the opportunity to launch campaigns on a frequent basis with limited technical knowledge.
|Virustotal result page|
|Malicious file download attempt|