Reversing the Incognito Exploit Kit
First let’s clean this up (the complete script is here)! You can see it’s now using p, div, and span tags to hold the obfuscated code, which is different from the earlier versions.
At the very top of the script, there are three DIVs. The first one decrypts to the string above. The second and third are used as lookup tables, if you will, and are called upon by the “LywIs” function, which decrypts the junk at the top.
What that function does is read in the gibberish, after it has been concatenated into one long string, one character at a time (e.g. “hMTTuHhMTTuFhMTTuUhMTTydhMTTuthMTTudhMTTuQ”). The first character is “h”. Go ahead and find it in the first string of characters below and remember its position.
Now look at the shorter string above and get the character at the same position. That’s the converted value. In this case, it’s the “%” character. The top string is twice as long as the second but only the first half is used.
The next character is “M” which corresponds to “u”. The third is “T” which is “0”. And so on…until you get this.
To shortcut this, you can modify the function this way:
Now, you just need to convert this from UCS2 to Hex then convert Hex to Text. You should then get this:
Unlike some of the other exploit kits, Incognito 2.0 only uses a limited number of exploits:
$exp_list = array("jark","rox","hcp","jdt","libtiff","mdac");
Each of these exploits is spread over four steps in the code we just deobfuscated. Let’s look at the last step, “step3”. This function pushes out one of two PDF exploit files depending on your browser/version.
var j = CekipyboRijehyxo-2007;
If you remember, the value of the variable “j” is 4. 4 x 29.5 = 118. 4 x 24.25 = 97. Keep going till you are done, then convert the decimal values to text. You will end up with this:
If you look at the Metasploit PDF exploit module, you will see that this is very familiar. There’s shellcode up at the top, so let’s analyze that. You will first need to convert this to binary. There are a number of tools to help you do that. I like “Malzilla” by Bobby. Paste the shellcode into the “Misc Decoders” tab:
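As an added example (not code from the original post or from the kit itself), here is a small decoder for the two obfuscation stages walked through above: the positional lookup-table substitution followed by the UCS2 (%uXXXX) unescape, and the step3 trick of multiplying “j” by fractional constants to get character codes. The table contents, the sample cipher text and the multiplier list are constructed for illustration; the function names are my own.

```javascript
// Stage 1: positional substitution. Each cipher character is looked up in
// the long table; the character at the same index in the short table is
// emitted. Only the first half of the long table is ever used.
const SHORT_TABLE = "%u0123456789abcdef";                          // constructed
const LONG_TABLE  = "hMTuHFUydtQKZBNPWx" + "0123456789!@#$^&*(";  // constructed; 2nd half is filler

function substitutionDecode(cipher, longTable, shortTable) {
  const usable = longTable.slice(0, shortTable.length); // first half only
  let out = "";
  for (const ch of cipher) {
    const idx = usable.indexOf(ch);
    if (idx === -1) throw new Error(`character not in table: ${ch}`);
    out += shortTable[idx];
  }
  return out;
}

// Stage 2: the substitution output is a run of %uXXXX escapes (UCS2).
// Convert each escape to its character; anything else passes through.
function ucs2Unescape(text) {
  return text.replace(/%u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// step3 obfuscation: a small integer j (4 in the post) multiplied by a list
// of fractional constants yields decimal character codes.
function scaledDecode(j, factors) {
  return factors.map(f => String.fromCharCode(Math.round(j * f))).join("");
}

// Constructed cipher that encodes "var" with the tables above
// (h -> %, M -> u, T -> 0, the same mapping the post walks through).
const SAMPLE_CIPHER = "hMTTtdhMTTduhMTTtH";

function decodeSample() {
  const escaped = substitutionDecode(SAMPLE_CIPHER, LONG_TABLE, SHORT_TABLE);
  return { escaped, text: ucs2Unescape(escaped) };
}

console.log(decodeSample());                       // { escaped: '%u0076%u0061%u0072', text: 'var' }
console.log(scaledDecode(4, [29.5, 24.25, 28.5])); // 'var'
```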
Click on the “UCS2 to Hex” button then the “Hex to File” button and save the file. You will end up with this:
Another favorite tool I like to use is “sclog” from David Zimmer which dumps and hopefully decodes the shellcode. Just enter the following command:
And you will get the decoded result. If this doesn’t work for you then you can use another one of David Zimmer’s tools called “Shellcode2EXE” then analyze the EXE file.
When I visit this URL, I get an executable file called “setup.exe”. Uploading this to VirusTotal, we get the following results. It looks to be a packed downloader with 12 of 43 (27.9%) coverage.
Since it’s likely to be a downloader, I fire up my packet sniffer and run the program. This program downloads a file also called “setup.exe”.
The downloaded file ends up in c:\windows\temp\ and is renamed to “_ex-68.exe”. I shoot that over to VirusTotal and it is only picked up by 7 of 42 AV engines (16.7%).
What is this last executable? You guessed it…rogueware.