Incognito exploit kit
Posted: 16 Jun 2011 02:08 PM

Incognito is an unethical Web-based application, also known as an exploit kit. It is offered as MaaS (Malware as a Service): it is hosted in the cloud and provides services to underground communities. There are two versions of the software in the wild: Incognito and Incognito 2.0. Version 2.0 started to be advertised at the beginning of February 2011. Rental for this pack was/is $200 per week or 15% of the traffic routed to the exploit kit. Though the scripts stay the same most of the time and the set of exploits is relatively small (Java and Adobe are still the most-used ones), the owners of this exploit kit apply new multi-layered obfuscation techniques on a regular basis. The Incognito exploit kit can be recognized by typical URL-path patterns (top-level domains and hostnames may vary):

 

*.org/QQkFBwQHBwQDDA0BEkcJBQcEAwcCBAEMBg==
*.ru/in.php?a=QQkFBwQEAAADBgAGEkcJBQcEAQMMAAUFBw==
*.vv.cc/out.php?a=QQkFBg0DAQUBDQYAEkcJBQYNAwEFAgcHBw==
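
As a defender-side illustration of the URL-path patterns listed above, this added example (not part of the original post and not Websense code) flags matching requests in a proxy log. The fixed 36-character token length and the shared `QQkF` prefix are assumptions drawn only from the three samples; the log format, hostnames, client addresses and function names are constructed.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Shapes taken from the three sample URLs: the token is either the whole path
# or the "a" parameter of in.php / out.php.
GATE_SCRIPTS = ("/in.php", "/out.php")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{34}==")  # 36 characters, as in all samples
SHARED_PREFIX = "QQkF"                          # assumption: common to the samples

def extract_token(url):
    """Return the candidate token from a URL, or None if the shape does not fit."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.path.endswith(GATE_SCRIPTS):
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            if key == "a":
                return unquote(value)  # unquote keeps '+', unlike parse_qs
        return None
    if not parts.query:
        return parts.path[1:] or None  # bare token used as the whole path
    return None

def looks_like_incognito(url):
    token = extract_token(url)
    if not token or not TOKEN_RE.fullmatch(token):
        return False
    try:
        base64.b64decode(token, validate=True)  # must be well-formed base64
    except ValueError:  # binascii.Error is a ValueError
        return False
    return token.startswith(SHARED_PREFIX)

def flag_lines(log_text):
    hits = []
    for line in log_text.splitlines():
        fields = line.split()  # constructed format: timestamp client url
        if len(fields) == 3 and looks_like_incognito(fields[2]):
            hits.append((fields[1], fields[2]))
    return hits

# Constructed proxy log: hostnames and clients are invented, tokens are the page's.
SAMPLE_LOG = """\
2011-06-16T10:01:02 10.0.0.5 http://host-a.example/QQkFBwQHBwQDDA0BEkcJBQcEAwcCBAEMBg==
2011-06-16T10:01:03 10.0.0.5 http://host-b.example/in.php?a=QQkFBwQEAAADBgAGEkcJBQcEAQMMAAUFBw==
2011-06-16T10:01:09 10.0.0.7 http://host-c.example/out.php?a=QQkFBg0DAQUBDQYAEkcJBQYNAwEFAgcHBw==
2011-06-16T10:02:00 10.0.0.8 http://host-d.example/in.php?a=aGVsbG8=
2011-06-16T10:02:05 10.0.0.9 http://host-e.example/index.php?id=42
"""
```

Calling `flag_lines(SAMPLE_LOG)` returns the first three entries; because the kit's operators rotate obfuscation regularly, a prefix-based rule like this should be treated as a time-limited indicator.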

 

Users of this exploit kit work in cooperation with fake AV affiliate programs, such as "BestAV partnerka", which results in fake AV being uploaded onto a "customer's" environment, and with other PPI affiliate programs.

 

          

 

Advertisement of Incognito version 2 on underground forums:

 

Exploit Kit - Incognito 2.0 rent
Good day, comrades!
For those of you who worked, are working or will work with our exploit kit, we are releasing the next (second) version.
At the beginning we did not advertise it, also we are not going to advertise it in forums now!
So what has been changed? ALL! Starting with exploits, finishing with design!
I'm not going to shout that this exploit kit is superb and there is no better! Everyone understands that no one will release a product into the wild which has no analog.

Though this exploit kit is very good and produces very good results!
I'm not going to show mega-results, there are different types of traffic, therefore results will be different! So it needs to be tested!

Rent: from $200 per week, all installed on my server, domain change and cleaning (obfuscation) is regular.
Rent: 15% of traffic, all installed on my server, domain change and cleaning (obfuscation) is regular.

For big clients we can develop additional features and in general we are flexible )))

More information over ICQ
ICQ: xxxxxxxxxx
Jabber: xxx@xxxxxx.org

 

Obfuscated source code of the Incognito exploit kit:

 

 

List of exploits used in the Incognito exploit kit:

 

CVE-2010-1885   HCP
CVE-2010-1423   Java Deployment Toolkit insufficient argument validation
CVE-2010-0886   Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842   Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2009-0927   Adobe Reader Collab GetIcon
CVE-2008-2992   Adobe Reader util.printf
CVE-2007-5659/2008-0655   Adobe Reader CollectEmailInfo
CVE-2006-4704   Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2004-0549   ShowModalDialog method and modifying the location to execute code

Artem Gololobov



©2013 Websense, Inc. All Rights Reserved.