Anatomy of the Eleonore Exploit Kit

LIMASSOL, CYPRUS – When an unknown attacker compromised three domains belonging to the U.S. Bureau of Engraving and Printing last month, it became big news, mainly for the brazenness of the attack against a federal Web site. The bigger news, however, turned out to be that the attack involved the use of the Eleonore exploit kit, a sophisticated and well-developed toolkit for attackers.

In a talk at the Kaspersky Lab Security Analyst Summit here Thursday, Kurt Baumgartner, an independent security researcher, gave a detailed analysis of the Eleonore exploit pack, which he has been tracking for some time now. The kit hit the market just about a year ago and has been selling steadily ever since, for a price that has now reached about $2,000, he said.

The Eleonore kit has gone through several iterations since its debut in June 2009, beginning with a fairly basic version 1.0 that sold for around $560. The kit now includes exploits for some vulnerabilities on Windows 7, including at least one for 64-bit Windows 7, Baumgartner said. However, the Eleonore kit isn’t necessarily the most original attack toolkit on the Web right now.

“These are usually not zero-days. Usually the exploits are from milw0rm,” Baumgartner said. “You’re not getting a lot of creativity for your money.”

What you are getting, he said, is a ready-made attack tool that can be used to exploit a number of existing flaws. The Eleonore kit has an interesting business model that limits the ways in which customers can use the tool. The current version includes a URL-binding feature that ensures that each customer can only use the tool on one site. In order to use it on other URLs, customers have to pay $50 for each additional URL.

The creator of the Eleonore kit, who goes by the handle “exmanoize,” is likely selling one new copy of the kit each week, along with roughly 20 licenses for extra URLs. Baumgartner said that about 15 other sites serving exploits with the kit also come online each week, but those are using either older versions or stolen copies of the code.

Following the current trend in the security underground, Baumgartner said that the most prevalent exploits used by the Eleonore customers are Adobe PDF attacks, with Flash exploits following close behind.
