Avast WEBforum
Other => Viruses and worms => Topic started by: razoreqx on December 20, 2011, 02:02:07 PM
-
But VT reports no hits. Anyone?
http://www.virustotal.com/file-scan/report.html?id=3a3b07e20dda5a3a5f0219d60e4e79d018d2772a45344e1854639507299567ac-1324384874
https://anubis.iseclab.org/?action=result&task_id=190f19f50694881d4a9ae116c2dd4554e&format=html
Detected Incognito exploit kit v2.0 HTTP GET request
http://urlquery.net/report.php?id=12727
-
Sucuri say: Site blacklisted, malware not identified
-
Yeah, saw that. Found this site compromised too..
http://www.virustotal.com/url-scan/report.html?id=6f5d7f105e9e459e96ca27d012de0130-1324386732
http://www.virustotal.com/file-scan/report.html?id=dd7b1e43d34b809df059853e83e1de12bd57cf6a251460648f42f6f59ab24383-1324390337
https://anubis.iseclab.org/?action=result&task_id=10fbcae6941eb2ea47da17fce5e6b12aa&format=html
-
Howdy razoreqx,
This has been an ongoing malvertising campaign since last May. The size of the campaign found on URLquery scans can be established roughly through these search results: http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=Incognito+exploit+kit+v2.0+HTTP+GET+request
The Incognito v2.0 Exploit Kit uses advanced obfuscation techniques to conceal its exploits.
Quote taken from: -http://stopmalvertising.com/tag/incognito-exploit-kit.html
And if you want to read more, there is enough of the code exposed there to get flagged by the avast Webshield as JS:Jaderun-I[Expl]. This happens even when you try to get to that site and read the exposé via an online proxy. This is being used to obfuscate: -http://www.doswf.com/tag/swf-encrypt
This is also a nice source to read further on these kinds of attacks: http://esploit.blogspot.com/2011_03_13_archive.html (not blocked) link author ▲ʇ!oldXǝ▲
Here you will see two exploit kits requesting: http://urlquery.net/report.php?id=12399
- Detected Incognito exploit kit v2.0 HTTP GET request
- Detected Blackhole exploit kit v1.2 HTTP GET request
- Detected NA
"So three in the pan 8) - two on your plate ;D "
For the heavy obfuscation used on the XML code go here: -http://jsunpack.jeek.org/?report=784387ad072e3237d4b066d782a53f0d95efd1d6 (only for the security aware user, with NoScript or NotScripts active and run in a sandbox or VM environment)
So more than shady, my friend, outright dark and criminal click-fraud-driven malware,
polonus
-
@polonus Thanks for the additional input. As always I really appreciate it!
-
Hi razoreqx,
There is somewhat more to it to get the full picture; this analysis looks revealing: http://wepawet.iseclab.org/view.php?hash=36902b9bf9bf1a397521c545d7c46d65&t=1324394812&type=js
and the redirect to: -http://jdemponedelnik.bij.pl/iframe.php?id=caas12l9e93nsk7b3ish8imk2mm2b18
having unknown_html_RF (exploit kit) see: http://urlquery.net/queued.php?id=12756
Also think of the "about:blank" given there; it could have been cleansed...
And now we have closed the full circle on this click-fraud scheme...
-http://lemonisland.altervista.org/alert/id/BOFAO817934821 being exploited/infected,
all landing at -counter.yadro.ru/hit?t26.6;r (also see: -http://jsunpack.jeek.org/?report=bec2b7518c6b50ea6db44302c5e03ccb1f82629a)
pol