Analysis of the Eleonore exploit pack shellcode
“Eleonore” is a malware package containing a collection of exploits that are planted in web pages; when a compromised page is viewed from a vulnerable system, the exploit payload runs. Eleonore is purchased by an attacker from an underground website. The attacker then gains access to Internet web servers and installs the exploit pack by modifying web pages that are then served to the public. The pack also contains functionality for tracking and managing compromised computers.
Image 1 – Remote attacker purchases the exploit pack, retrieves web pages from Internet servers and installs Eleonore
Eleonore is developed and released in versioned updates. This blog post focuses on the shellcode from one of those releases, version 1.2. At a high level, the Eleonore shellcode locates kernel32.dll in the exploited process's address space. It then uses a space-efficient hash lookup to find the absolute addresses of key kernel32 APIs:
Image 2 – FindFuncHash routine
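The hash lookup described above compares a 32-bit hash of each export name against constants embedded in the shellcode, which is why an analyst reading the disassembly sees hash values rather than API names. The following Python helper, added here and not part of the original post, recomputes such hashes over a list of kernel32 export names so that constants pulled from a disassembly can be mapped back to names. The ROR-N accumulation and the short export list are assumptions (the post does not reproduce FindFuncHash), so the rotation count is brute-forced rather than hard-coded.

```python
"""Analyst helper: map hashed API names found in shellcode back to export names.

The ROR-N accumulation below is an ASSUMED candidate routine, not Eleonore's
own FindFuncHash; find_rotation() tries every rotation count to see which one
reproduces the constants observed in a sample.
"""


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror_hash(name, rotation=13):
    """Accumulate the ASCII bytes of an export name with a right-rotate per byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, rotation) + byte) & 0xFFFFFFFF
    return h


# Constructed subset of kernel32 exports; in practice load the full export
# table (e.g. with pefile) from the DLL version the sample ran against.
KERNEL32_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "GetTempPathA", "CreateFileA",
    "WriteFile", "ReadFile", "CloseHandle", "WinExec", "ExitProcess",
]


def build_table(names, rotation=13):
    """Hash -> list of export names producing it (collisions kept, not hidden)."""
    table = {}
    for n in names:
        table.setdefault(ror_hash(n, rotation), []).append(n)
    return table


def resolve(hashes, names, rotation=13):
    """Map each hash constant to the export name(s) producing it ([] if none)."""
    table = build_table(names, rotation)
    return {h: table.get(h, []) for h in hashes}


def find_rotation(hashes, names):
    """Return every rotation count that explains ALL of the observed hashes."""
    return [r for r in range(1, 32)
            if all(resolve(hashes, names, r)[h] for h in hashes)]


if __name__ == "__main__":
    # Constructed "constants from a disassembly" (computed here with rotation 13).
    seen = [ror_hash("LoadLibraryA"), ror_hash("GetProcAddress"), ror_hash("WinExec")]
    for r in find_rotation(seen, KERNEL32_EXPORTS):
        for h, matches in resolve(seen, KERNEL32_EXPORTS, r).items():
            print(f"ror{r}: {h:#010x} -> {', '.join(matches)}")
```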
With access to these functions, the shellcode creates a file in the temporary files folder (%TEMP%) and calls URLDownloadToFile with a URL that is 0x67 bytes after the shellcode. The shellcode then executes that file.
The exact URL depends on bytes included in the exploit payload and is beyond the scope of this analysis. The shellcode then decrypts the bytes immediately following it to obtain a second URL and calls URLDownloadToFile again, retrieving a file from a URL of the following form:
<website domain with Eleonore installation>/path/getexe.php
This URL was obtained by examining the entire exploit payload from an Eleonore installation; that data is not included in this article. The “getexe.php” script generates a server-side response that returns a file named “load.exe”. The contents of this file are written to a secondary file, decrypted in memory, written back to the file and finally executed.
Image 3 – DecryptBytes routine
The shellcode ends here as “load.exe” begins to run, with the affected computer now compromised.
Eleonore v1.2 contained numerous exploits and attack code targeting several programs, including:
- DirectX 9, affecting certain versions of the Windows operating system
  - Vulnerability discussed in CVE-2008-0015 and fixed with Microsoft Security Bulletin MS09-032
  - Malware detected as Exploit:JS/CVE-2008-0015 and Exploit:HTML/CVE-2008-0015
- Microsoft Internet Explorer 7 memory corruption
  - Vulnerability discussed in CVE-2009-0075 and fixed with Microsoft Security Bulletin MS09-002
  - Malware detected as Exploit:JS/CVE-2009-0075
- Microsoft Internet Explorer ActiveX control “snpvw.Snapshot Viewer Control.1”
  - Vulnerability discussed in CVE-2008-2463 and fixed with Microsoft Security Bulletin MS08-041
  - Malware detected as Exploit:JS/Objsnapt.E, Exploit:JS/Objsnapt.F and Exploit:HTML/Snavic.gen!D
- Microsoft Internet Explorer 6 MDAC
  - Multiple vulnerabilities, discussed in CVE-2004-0549 and CVE-2006-0003, and fixed with Microsoft Security Bulletins MS04-025 and MS06-014
  - Malware detected as TrojanDownloader:VBS.Psyme.X, TrojanDownloader:JS/Adodb (and other names)
- Opera telnet 9.25
  - Vulnerability discussed in CVE-2004-0473 and fixed with an update of the Opera components
- Certain versions of Mozilla Firefox
  - Multiple vulnerabilities, discussed in CVE-2006-3677 and CVE-2009-2478, and fixed by updating to a version of Mozilla Firefox newer than 3.5.0
- Certain versions of Adobe Reader
  - Multiple vulnerabilities, discussed in CVE-2008-2992, and fixed by updating to the latest version of Adobe Reader
To protect against Eleonore and other threats, the MMPC recommends maintaining security updates across all products, not only those serviced by Microsoft Windows updates, and using security software with active scanning enabled.
— Nik Livic & Patrick Nolan, MMPC