While taking a break from malicious PDFs, I decided it would be a good idea to start breaking down some of these well-known exploit kits. I have seen a couple of good write-ups on how the kits are spreading and becoming successful, but not much on how they could aid us, the researchers. There were a few cases where researchers identified ways to “attack” the web interfaces of these exploit kits, but they didn’t seem to dive much further than pointing out the flaws. Over the past day or so I have been messing around with Eleonore and wanted to share my thoughts on it.
When you read through some of these hacker forums you tend to come across the authors of these kits. I still remember seeing the first version of SpyEye released and watching it slowly start competing with Zeus until it took over. I can’t say I was lucky enough to see that with some of these other kits, but a couple of quick searches can lead you to a decent source of information on when each one came to be. I chose Eleonore initially because the codebase was small, it was PHP, and it wasn’t encrypted.
I have a couple of different versions of Eleonore, but the integrity of each version is unclear. 1.2 appears to be the real thing, but finding 1.4 tends to get a little weird, as some have modded 1.3 and called it 1.4 while others have just slapped a 1.4 label on an older version. In any case, the code seems to stay relatively the same, with the addition of some new exploit methods. After extracting the 1.2 RAR archive I had, I was presented with a folder structure like this: