Topic: Looks shady to me.


razoreqx

« Last Edit: December 20, 2011, 02:03:42 PM by razoreqx »

Offline Pondus

Re: Looks shady to me.
« Reply #1 on: December 20, 2011, 03:18:55 PM »
Sucuri say:  Site blacklisted, malware not identified


Offline polonus

Re: Looks shady to me.
« Reply #3 on: December 20, 2011, 04:18:37 PM »
Howdy razoreqx,

This has been an ongoing malvertising campaign since May last. The size of the campaign found on URLquery scans can be established roughly through these search results: http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=Incognito+exploit+kit+v2.0+HTTP+GET+request

Quote
The Incognito v2.0 Exploit Kit uses advanced obfuscation techniques to conceal its exploits.
Quote taken from: -http://stopmalvertising.com/tag/incognito-exploit-kit.html
And if you want to read more, there is enough of the code exposed to get flagged by the avast Webshield as JS:Jaderun-I[Expl]. This happens even when you try to get to that site and read the exposé via an online proxy. This is being used to obfuscate: -http://www.doswf.com/tag/swf-encrypt

This is also a nice source to read further on these kinds of attacks: http://esploit.blogspot.com/2011_03_13_archive.html (not blocked) link author ▲ʇ!oldXǝ▲

Here you will see two exploit kits requesting: http://urlquery.net/report.php?id=12399
- Detected Incognito exploit kit v2.0 HTTP GET request
- Detected Blackhole exploit kit v1.2 HTTP GET request
- Detected NA

"So three in the pan  8) - two on your plate  ;D "

For the heavy obfuscation used on the  XML code go here: -http://jsunpack.jeek.org/?report=784387ad072e3237d4b066d782a53f0d95efd1d6 (only for the security aware user, with NoScript or NotScripts active and run in a sandbox or VM environment)

So more than shady, my friend, outright dark and criminal click-fraud-driven malware,

polonus
« Last Edit: December 20, 2011, 07:16:23 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

razoreqx

Re: Looks shady to me.
« Reply #4 on: December 20, 2011, 04:32:32 PM »
@polonus Thanks for the additional input.  As always I really appreciate it!

Offline polonus

Re: Looks shady to me.
« Reply #5 on: December 20, 2011, 04:44:04 PM »
Hi razoreqx,

There is somewhat more to it to get the full picture; this analysis looks revealing: http://wepawet.iseclab.org/view.php?hash=36902b9bf9bf1a397521c545d7c46d65&t=1324394812&type=js
and the redirect to: -http://jdemponedelnik.bij.pl/iframe.php?id=caas12l9e93nsk7b3ish8imk2mm2b18
having unknown_html_RF (exploit kit) see: http://urlquery.net/queued.php?id=12756
also think of the "about:blank" given there; it could have been cleansed...

And now we have closed the full circle on this clickfraud scheme...
-http://lemonisland.altervista.org/alert/id/BOFAO817934821 being exploited/infected
all landing at -counter.yadro.ru/hit?t26.6;r ( also see: -http://jsunpack.jeek.org/?report=bec2b7518c6b50ea6db44302c5e03ccb1f82629a )

pol

« Last Edit: December 20, 2011, 07:15:40 PM by polonus »