Looks shady to me.

But VT reports no hits. Anyone?

http://www.virustotal.com/file-scan/report.html?id=3a3b07e20dda5a3a5f0219d60e4e79d018d2772a45344e1854639507299567ac-1324384874

https://anubis.iseclab.org/?action=result&task_id=190f19f50694881d4a9ae116c2dd4554e&format=html

Detected Incognito exploit kit v2.0 HTTP GET request
http://urlquery.net/report.php?id=12727

Sucuri say: Site blacklisted, malware not identified

Yeah, saw that. Found this site compromised too…

http://www.virustotal.com/url-scan/report.html?id=6f5d7f105e9e459e96ca27d012de0130-1324386732
http://www.virustotal.com/file-scan/report.html?id=dd7b1e43d34b809df059853e83e1de12bd57cf6a251460648f42f6f59ab24383-1324390337

https://anubis.iseclab.org/?action=result&task_id=10fbcae6941eb2ea47da17fce5e6b12aa&format=html

Howdy razoreqx,

This has been an ongoing malvertising campaign since last May. The size of the campaign found on URLquery scans can be established roughly through these search results: http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=Incognito+exploit+kit+v2.0+HTTP+GET+request

The Incognito v2.0 Exploit Kit uses advanced obfuscation techniques to conceal its exploits.
Quote taken from: -http://stopmalvertising.com/tag/incognito-exploit-kit.html And if you want to read more, there is enough of the code exposed to get flagged by the avast Webshield as JS:Jaderun-I[Expl], even when you try to get to that site and read the exposé via an online proxy. This is being used to obfuscate: -http://www.doswf.com/tag/swf-encrypt

This is also a nice source to read further on these kinds of attacks: http://esploit.blogspot.com/2011_03_13_archive.html (not blocked) link author ▲ʇ!oldXǝ▲

Here you will see two exploit kits requesting: http://urlquery.net/report.php?id=12399

  • Detected Incognito exploit kit v2.0 HTTP GET request
  • Detected Blackhole exploit kit v1.2 HTTP GET request
  • Detected NA

"So three in the pan 8) - two on your plate ;D "

For the heavy obfuscation used on the XML code go here: -http://jsunpack.jeek.org/?report=784387ad072e3237d4b066d782a53f0d95efd1d6 (only for the security aware user, with NoScript or NotScripts active and run in a sandbox or VM environment)

So more than shady, my friend, right out dark and criminal click fraud driven malware,

polonus

@polonus Thanks for the additional input. As always I really appreciate it!

Hi razoreqx,

There is somewhat more to get the full picture; this analysis looks revealing: http://wepawet.iseclab.org/view.php?hash=36902b9bf9bf1a397521c545d7c46d65&t=1324394812&type=js
and the redirect to: -http://jdemponedelnik.bij.pl/iframe.php?id=caas12l9e93nsk7b3ish8imk2mm2b18
having unknown_html_RF (exploit kit) see: http://urlquery.net/queued.php?id=12756
also think of the “about:blank” given there, could have been cleansed…

And now we have closed the full circle on this clickfraud scheme…
-http://lemonisland.altervista.org/alert/id/BOFAO817934821 being exploited/infected
all landing at -counter.yadro.ru/hit?t26.6;r ( also see: -http://jsunpack.jeek.org/?report=bec2b7518c6b50ea6db44302c5e03ccb1f82629a )

pol