Revisiting the Eleonore Exploit Kit

begood · May 27, 2010

Not long after I launched this blog, I wrote about the damage wrought by the Eleonore Exploit Kit, an increasingly prevalent commercial hacking tool that makes it easy for criminals to booby-trap Web sites with malicious software. That post generated tremendous public interest because it offered a peek at the statistics page that normally only the criminals operating these kits get to see. I’m revisiting this topic again because I managed to have a look at another live Eleonore exploit pack panel, and the data seem to reinforce a previous observation: Today’s attackers care less about the browser you use and more about whether your third-party browser add-ons and plugins are out-of-date and exploitable.

Hacked and malicious sites retrofitted with kits like Eleonore have become more common of late: In a report issued this week, Web security firm Zscaler found that roughly 5 percent of the browser exploits they identified during the first quarter of this year were tied to hacked or malicious sites that criminals had outfitted with some version of Eleonore.

Like most exploit kits, Eleonore is designed to invisibly probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software. The hacker’s end of the kit is a Web-based interface that features detailed stats on the percentage of visitors to the booby-trapped site(s) that are successfully attacked, and which software vulnerabilities were most successful in leading to the installation of the hacker’s malware.

This particular Eleonore kit — which is currently stitched into several live adult Web sites — comes with at least a half-dozen browser exploits, including three that target Internet Explorer flaws, two that attack Java bugs, and one that targets a range of Adobe PDF Reader vulnerabilities. According to this kit’s stats page, the malicious adult sites manage to infect roughly every one in ten visitors.

As we can see from the landing page pictured above, Windows XP users represent by far the largest group of users hitting these poisoned porn sites.

Once again, Eleonore shows just how heavily Java flaws are now being used to infect computers (the above graphic shows the number of successful malware installations or “loads” per exploit). The last time I reviewed a working Eleonore admin panel, we saw that Java flaws were the second most reliable exploits. This time around, Java was the biggest source infections. In the Eleonore kit I wrote about earlier this year, some 34 percent of the systems that were successfully exploited were attacked via a Java flaw. In this installation, four out of every ten victims who were hacked were compromised because of they were running an outdated version of Java.

Nearly one-third of all successful attacks from this Eleonore kit leveraged flaws in older versions of Adobe’s PDF Reader. People often scoff when I recommend an alternative to Adobe for displaying PDFs, saying that criminals can just as easily target security vulnerabilities in those applications, which ship far fewer security updates than Adobe. That may be true, but I haven’t seen much evidence that hackers are going after flaws in non-Adobe PDF readers at any appreciable or comparable level. Incidentally, if you use the free PDF reader from Foxit, an Adobe alternative I’ve often recommended, you should know that Foxit recently shipped a new version — v. 3.31 — that includes security improvements.

I also found this time around similar percentages of exploit victims among those surfing with different versions of Internet Explorer. With this Eleonore kit, more than one-third of those who visited the exploit site with IE6 were loaded with malicious software. The Eleonore admin panel reported that more than 12 percent of IE7 users and 20 percent of IE8 surfers visited and subsequently were infected with malware. The prevalence of IE users among the victims may be due in part to the fact that half of the exploits used by this particular kit target IE security holes.

Annoyingly, this Eleonore admin page doesn’t resolve one of the open questions I heard most frequently after my last story on Eleonore: Where are all the Firefox victims? I still don’t have a decent answer to that puzzle, but I do have a couple of guesses. For one thing, unlike the last Eleonore kit I examined, this one does not include an exploit specifically for Firefox. It’s also possible that these kits are detecting Firefox visitors as users of some other browser (the report indicates, for example, that 15 percent of Google Chrome users browsing with version 4.1 were successfully attacked). Whatever the reason, it seems highly unlikely that all of the nearly 5,600 Firefox users who visited the exploit sites detailed here escaped unscathed.

Anyway, below are the stats, which start with those of Chrome and Firefox visitors: