Incognito Exploit Kit

Incognito is a relatively new exploit kit.

It uses the following JavaScript code to perform its drive-by downloads.

Let’s take a closer look at the obfuscated JavaScript. As you can see, it leans on arrays everywhere: the code, the keywords, and the data are all stored as arrays of numbers.

There are three functions. The function at the top is used to decrypt the function at the bottom. The ‘domama’ array translates to “eval from char code” (i.e. the strings “eval” and “fromCharCode” assembled from character codes, so neither keyword appears literally in the source), which is used later. The function in the middle holds the main code. It is rather long, so it is more likely to be exploit code than a redirect script.

The main decryptor is at the very bottom of the following screenshot. It walks the large array of decimal numbers and uses each entry as an index into the small array near the bottom to pluck out one character code of the final script. So the first index value of ‘1’ extracts the decimal value ’13’ (carriage return), the second index value of ’29’ extracts the decimal value ’10’ (line feed), and so on. Here’s what you end up with.

When you convert those decimal character codes to text (what the kit does with String.fromCharCode before passing the result to eval), you get the deobfuscated final script.
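The lookup scheme described above, reproduced as an added example so it can be run offline. This is not the Incognito kit’s code and not from the original post: the payload string is constructed, the obfuscate() side is an assumption about how a kit would generate the two arrays, and decode() is the static replacement an analyst writes so the result is dumped rather than passed to eval. The printableRatio() check is the sanity test I apply after any such decode, since a misread alphabet or an off-by-one in the index base produces garbage that still “works”.

```javascript
// Added example, not code from the Incognito kit or the original post.
// Reproduces the index-lookup obfuscation the post describes: a large array of
// indices selects decimal character codes from a small "alphabet" array, and
// String.fromCharCode turns the codes back into the final script.

// Constructed stand-in for the kit's final script (benign; the real payload is
// not reproduced). A CR/LF pair goes first so the decode opens with 13 then 10,
// mirroring the post's example.
const SAMPLE_SCRIPT =
  '\r\nvar a = document.createElement("applet");\r\n' +
  'a.setAttribute("archive", "x.jar");\r\n' +
  'document.body.appendChild(a);';

// Assumed obfuscator, used here only to generate test data: collect the
// distinct char codes into a small alphabet and emit one index per character.
// The alphabet is sorted descending so index order reveals nothing about text.
function obfuscate(script) {
  const codes = Array.from(script, (c) => c.charCodeAt(0));
  const alphabet = Array.from(new Set(codes)).sort((x, y) => y - x);
  const indices = codes.map((c) => alphabet.indexOf(c));
  return { alphabet, indices };
}

// Static decoder: the kit's bottom loop minus the eval. An out-of-range index
// usually means a 1-based variant or a truncated alphabet, so fail loudly
// instead of silently emitting garbage.
function decode(alphabet, indices) {
  let out = '';
  for (const i of indices) {
    if (!Number.isInteger(i) || i < 0 || i >= alphabet.length) {
      throw new RangeError(`index ${i} is outside the ${alphabet.length}-entry alphabet`);
    }
    out += String.fromCharCode(alphabet[i]);
  }
  return out;
}

// Analyst sanity check: a real script is almost entirely printable ASCII plus
// tab/CR/LF. A ratio well below 1 means the arrays were misread.
function printableRatio(text) {
  if (text.length === 0) return 0;
  let printable = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 32 && c < 127) || c === 9 || c === 10 || c === 13) printable++;
  }
  return printable / text.length;
}

const { alphabet, indices } = obfuscate(SAMPLE_SCRIPT);
const recovered = decode(alphabet, indices);
console.log('alphabet size:', alphabet.length, 'index count:', indices.length);
console.log('first two codes:', alphabet[indices[0]], alphabet[indices[1]]);
console.log('printable ratio:', printableRatio(recovered).toFixed(2));
console.log(recovered);
```

When working on a real sample, copy the two arrays out of the script into alphabet and indices, run decode(), and inspect the output before ever executing anything; if the ratio is low, try the other index base (subtract one from every index) before assuming the alphabet was copied wrong.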

This one appears to either borrow the Java exploit from another exploit pack called “Bomba”, or it’s the same author reusing code…or neither, I suppose. At any rate, what gets installed on the victim’s PC is ZeuS.

Posted on: 02/25/2011