Howdy razoreqx,
This has been an ongoing malvertising campaign since May last. The size of the campaign found on URLquery scans can be established roughly through these search results:
http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=Incognito+exploit+kit+v2.0+HTTP+GET+request
The Incognito v2.0 Exploit Kit uses advanced obfuscation techniques to conceal its exploits.
Quote taken from: -http://stopmalvertising.com/tag/incognito-exploit-kit.html
And if you want to read more there is enough of the code exposed to get flagged by the avast Webshield as JS:Jaderun-I[Expl]. This even when you try to get to that site and read the exposé via an online proxy. This is being used to obfuscate: -http://www.doswf.com/tag/swf-encrypt
This is also a nice source to read further on these kinds of attacks:
http://esploit.blogspot.com/2011_03_13_archive.html (not blocked) link author ▲ʇ!oldXǝ▲
Here you will see two exploit kits requesting:
http://urlquery.net/report.php?id=12399
- Detected Incognito exploit kit v2.0 HTTP GET request
- Detected Blackhole exploit kit v1.2 HTTP GET request
- Detected NA
"So three in the pan - two on your plate"
For the heavy obfuscation used on the XML code go here: -http://jsunpack.jeek.org/?report=784387ad072e3237d4b066d782a53f0d95efd1d6 (only for the security aware user, with NoScript or NotScripts active and run in a sandbox or VM environment)
So more than shady, my friend, right out dark and criminal click fraud driven malware,
polonus