Eleonore is One Ugly Mistress

by • June 23, 2011 • Uncategorized

    While taking a break from malicious PDFs, I decided it would be a good idea to start breaking down some of these well-known exploit kits. I have seen a couple of good write-ups on how the kits are spreading and becoming successful, but not much on how they could aid us, the researchers. There were a few cases where researchers identified ways to “attack” the web interfaces of these exploit kits, but they didn’t seem to dive much further than pointing out the flaws. Over the past day or so I have been messing around with Eleonore and wanted to share my thoughts on it.

    When you read through some of these hacker forums you tend to come across the authors of these kits. I still remember seeing the first version of SpyEye released and watching it slowly start competing with Zeus until it took over. I can’t say I was lucky enough to see that with some of these other kits, but a couple of quick searches can lead you to a decent source of information on when each one came to be. I chose Eleonore initially because the codebase was small, it was PHP and it wasn’t encrypted.

    I have a couple of different versions of Eleonore, but I can’t vouch for the integrity of each one. 1.2 appears to be the real thing, but finding 1.4 gets a little weird: some have modded 1.3 and called it 1.4, and others have just slapped a 1.4 label on an older version. In any case, the code stays relatively the same across versions, with the addition of some new exploit methods. After unpacking the RAR of the 1.2 copy I had, I was presented with a folder structure like this:

    Stat.php

    This file appears to be the only administrator interface within the exploit pack. There is not much to it and, like the rest of the pack, it is a bit messy. Authentication is checked against hardcoded username and password values in the configuration file, so anyone with a copy of the kit (or a seized server) can read the credentials in plaintext. Beyond that, the page basically just lists the statistics gathered from the victims. This information is pretty basic and includes browser types, browser versions, referers and countries.
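    To make the weakness concrete, here is an added illustration of the “hardcoded credentials in a config file” login pattern the post describes, placed beside a hardened form of the same check. This is constructed example code, not Eleonore’s stat.php or its configuration file; the array keys, usernames and passwords are hypothetical. The hardened variant uses password_hash()/password_verify() (PHP 5.5+) and hash_equals() (PHP 5.6+), so it assumes a newer PHP than the kit itself targeted.

```php
<?php
// Added example, not code from the Eleonore kit. The weak half reproduces the
// pattern the post describes: plaintext credentials shipped in a config file
// and compared directly. The hardened half shows what a non-broken check looks like.

// --- Weak pattern: hypothetical contents of a kit-style config.php ---
$cfg_weak = array(
    'login' => 'admin',     // hypothetical value
    'pass'  => 'changeme',  // hypothetical value, stored in plaintext
);

function weak_auth(array $cfg, $login, $pass)
{
    // Anyone who can read config.php has the credentials; the comparison is
    // also a plain string compare with no throttling or lockout.
    return ($login == $cfg['login'] && $pass == $cfg['pass']);
}

// --- Hardened form: store a password hash, compare in constant time ---
// In practice the digest is generated once (e.g. on install) and written to
// the config; it is computed inline here only so the example runs stand-alone.
$cfg_hardened = array(
    'login'     => 'admin',
    'pass_hash' => password_hash('changeme', PASSWORD_DEFAULT),
);

function hardened_auth(array $cfg, $login, $pass)
{
    // Reject non-string input up front (e.g. arrays smuggled in via login[]=x).
    if (!is_string($login) || !is_string($pass)) {
        return false;
    }
    // hash_equals() avoids leaking the username length/prefix via timing;
    // password_verify() checks the salted digest in constant time.
    $user_ok = hash_equals($cfg['login'], $login);
    $pass_ok = password_verify($pass, $cfg['pass_hash']);
    return $user_ok && $pass_ok;
}

// Usage: the weak check succeeds with the plaintext lifted straight from the
// config; the hardened check never has the plaintext to leak.
var_dump(weak_auth($cfg_weak, 'admin', 'changeme'));          // bool(true)
var_dump(weak_auth($cfg_weak, 'admin', 'wrong'));             // bool(false)
var_dump(hardened_auth($cfg_hardened, 'admin', 'changeme'));  // bool(true)
var_dump(hardened_auth($cfg_hardened, 'admin', 'wrong'));     // bool(false)
var_dump(hardened_auth($cfg_hardened, array('x'), 'changeme')); // bool(false)
```

    For a researcher handling a recovered kit, the weak half is the useful one: the credentials are right there in the configuration file, which is exactly why the admin panel is a soft target. The hardened half is included only to show how little effort it would take for a kit author to close that gap, which speaks to the point in the conclusions below about code quality.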

    Conclusions

    Despite being ugly and difficult to work on, the Eleonore exploit kit apparently gets the job done. I have read several posts detailing high infection rates, so poor backend code quality doesn’t seem to influence the success of the kit that much. This plays to our advantage as security researchers and reverse engineers, but personally it has me wondering when someone is going to step up and push out a quality kit. More attention to detail could yield higher infection rates, more persistent abilities to run campaigns and reuse of code throughout the underground. When attackers start going this route, I think we will truly have some problems, but until then we are lucky to deal with stuff like this.