Eleonore Exploits pack

[SysAdMini]

Recently I have found an article about Eleonore Exploits pack at Mipistus blog.

http://translate.google.com/translate?hl=es&sl=es&tl=en&u=http%3A%2F%2Fmipistus.blogspot.com%2F2009%2F08%2Feleonore-exploits-pack-nueva-crimeware.html

Today our members have submitted 2 active urls of Eleonore kits. So we have some examples for analysis.

Eleonore Exploits pack version 1.3B

Code: [Select]

eleonorepack2.cn/myexp/http://wepawet.cs.ucsb.edu/view.php?hash=efa4970c78fe314dea9506d9d0de5f6e&t=1253017276&type=js

Eleonore Exploits pack version 1.1

Code: [Select]

pupok789.co.cc/eleon/http://wepawet.cs.ucsb.edu/view.php?hash=48c4e49997b14c15f1dc479ae464e5f4&type=js

control panels can be found at <path>/stat.php

[h4h4h4h4]

Great, thanks for sharing.  I noticed a pattern in the download schema for the exploits/binaries.


eleonorepack2.cn/myexp/pdf.php?spl=pdf_ie2\
eleonorepack2.cn/myexp/index.php?spl=4\
eleonorepack2.cn/myexp/pdf.php?spl=pdf_ie2
eleonorepack2.cn/myexp/index.php?spl=2
eleonorepack2.cn/myexp/index.php?spl=3
eleonorepack2.cn/myexp/index.php?spl=4
eleonorepack2.cn/myexp/index.php?spl=5
eleonorepack2.cn/myexp/getexe.php?spl=IE_DownExec
eleonorepack2.cn/myexp/getexe.php?spl=DirectX_DS
eleonorepack2.cn/myexp/getexe.php?spl=MS09-002
eleonorepack2.cn/myexp/getexe.php?spl=Spreadsheet
pupok789.co.cc/eleon/getexe.php?spl=mdac

I made a quick and dirty snort sig if anyone wants to use it.  I will be testing it out for false-positives and let u guys know how it works out.  Feel free to add to it and modify it.

********

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Eleonore Exploit pack - Generic download"; flow:established,to_server;pcre:"/GET\s\/.*\.php\?spl\=.*/i"; classtype:trojan-activity; sid:9000095; rev:1; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3354.0;)

*******

[WIEx]

control panels can be found at <path>/stat.php

default access in control panel:
login - root
password - passkey

[SysAdMini]

Code: [Select]

smsphonesymb02.cn/index.php
smsphonesymb02.cn/stat.php
This host has an impressive history.
http://www.malwaredomainlist.com/mdl.php?inactive=on&sort=Date&search=91.213.126.90&colsearch=All&ascordesc=DESC&quantity=50&page=0

[Malware-Web-Threats]

Code: [Select]

privet3.cn/myexp/
privet3.cn/myexp/index.php
privet3.cn/myexp/1.jsc
privet3.cn/myexp/pdf.php
privet3.cn/myexp/getexe.php
privet3.cn/myexp/stat.php
privet3.cn/myexp2/
privet3.cn/myexp2/index.php
privet3.cn/myexp2/1.jsc
privet3.cn/myexp2/pdf.php
privet3.cn/myexp2/getexe.php
privet3.cn/myexp2/stat.php

http://wepawet.iseclab.org/view.php?hash=521ae56933bc96b17ab7582aa9e1e24f&t=1253787580&type=js
http://wepawet.iseclab.org/view.php?hash=a9ce1a6443cc7f3e75ae648aff48e79f&t=1253787365&type=js
http://anubis.iseclab.org/?action=result&task_id=1dac1851614241b54cdec4371bbc06551

http://www.virustotal.com/analisis/8a1218da6bdb03427a9bf48a8f8015b47e1ce0ea7564c3609453a0f712a68811-1253736289 - Trojan.Crypt.ZPACK (Tibs) - 14/41 (34.15%)

HTTP Conversations:   
 
From ANUBIS:1038 to 216.155.153.212:80 - [216.155.153.212] 
Request: GET /htqqahr.gif 
Response: 200 "OK" 

[Malware-Web-Threats]

Code: [Select]

tissot333.cn/eleonore/index.php
tissot333.cn/eleonore/pdf.php
tissot333.cn/eleonore/load.exe
http://wepawet.iseclab.org/view.php?type=js&hash=9428b2efccff2a021e76a9ec4571f044&t=1253842817
http://anubis.iseclab.org/?action=result&task_id=11f6eeab4ab6422041d7c71b4bf5e9b8b
http://www.virustotal.com/analisis/9377d57f29fb5a8091a5cc37049cf7dad38783b7dfe48c5a472afc1e056932af-1253804775 - 23/41 (56.10%)

HTTP Conversations:   
 
From ANUBIS:1039 to 91.212.220.203:80 - [tissot333.cn] 
Request: GET /333/robo.php?r=1 
Response: 302 "Found" 
Request: GET /333/tasks/AC 
Response: 200 "OK" 

[Malware-Web-Threats]

Code: [Select]

herosima1yet00g.cn/myexp/
herosima1yet00g.cn/myexp/pdf.php
herosima1yet00g.cn/myexp/dx_ds.gif
herosima1yet00g.cn/myexp/pdf.php
herosima1yet00g.cn/myexp/getexe.php
herosima1yet00g.cn/myexp/stat.php
herosima1yet00g.cn/myexp2/
herosima1yet00g.cn/myexp2/pdf.php
herosima1yet00g.cn/myexp2/dx_ds.gif
herosima1yet00g.cn/myexp2/pdf.php
herosima1yet00g.cn/myexp2/getexe.php
herosima1yet00g.cn/myexp2/stat.php
http://wepawet.iseclab.org/view.php?hash=317c742d2b25ed801f4fa9ff97194819&t=1253852597&type=js
http://www.virustotal.com/analisis/8a1218da6bdb03427a9bf48a8f8015b47e1ce0ea7564c3609453a0f712a68811-1253810081 - - Trojan.Crypt.ZPACK (Tibs) - 15/41 (36.59%)

http://anubis.iseclab.org/?action=result&task_id=1219bccb49d171864a1d0e9f4655f8000
http://www.threatexpert.com/report.aspx?md5=df2cf3c5209b76dce33596331a96026a

hxxp://216.155.153.212/htqqahr.gif
hxxp://174.139.241.2/htqqahr.gif
hxxp://209.31.180.144/htqqahr.gif
hxxp://98.126.32.194/htqqahr.gif

[Malware-Web-Threats]

Code: [Select]

stallvars-5.cn/stats-juan/
stallvars-5.cn/stats-juan/pdf.php
stallvars-5.cn/stats-juan/getexe.php
stallvars-5.cn/stats-juan/stat.php
stallvars-6.cn/stats-juan/
stallvars-6.cn/stats-juan/pdf.php
stallvars-6.cn/stats-juan/getexe.php
stallvars-6.cn/stats-juan/stat.php
http://wepawet.iseclab.org/view.php?hash=6e7cfb55197eac08b6c4fdf3852e0419&t=1255030850&type=js
http://wepawet.iseclab.org/view.php?hash=1f13ac69513048abaa1564fab5752e13&t=1255030862&type=js

Code: [Select]

sumyho.cn/counter/go.php?sid=1
sumyho.cn/inc/index.php
sumyho.cn/inc/pdf.php
sumyho.cn/inc/getexe.php
sumyho.cn/inc/stat.php
http://wepawet.iseclab.org/view.php?hash=506e399e8142d26ab9c1452f151c14a1&t=1253840333&type=js

[Malware-Web-Threats]

a few other

Code: [Select]

188.165.65.173/2/1.jsc
188.165.65.173/2/getexe.php
188.165.65.173/2/index.php
188.165.65.173/2/pdf.php?spl=pdf_ie2
188.165.65.173/2/stat.php
dazinfo.com/e/getexe.php
dazinfo.com/e/index.php
dazinfo.com/e/pdf.php?spl=pdf_ie2
dazinfo.com/e/stat.php
dom0cn.cn/arend_13/index.php?spl=2
dom0cn.cn/arend_13/load.php?spl=pdf_exp
dom0cn.cn/arend_13/pdf.php?spl=pdf_all
dom0cn.cn/arend_13/stat.php
dom0cn.cn/arend_13xm/index.php?spl=2
dom0cn.cn/arend_13xm/load.php?spl=pdf_exp
dom0cn.cn/arend_13xm/pdf.php?spl=pdf_all
dom0cn.cn/arend_13xm/stat.php
dom0cn.cn/arend_xx/index.php?spl=2
dom0cn.cn/arend_xx/load.php?spl=pdf_exp
dom0cn.cn/arend_xx/pdf.php?spl=pdf_all
dom0cn.cn/arend_xx/stat.php
dom1cn.cn/arend_13/index.php?spl=2
dom1cn.cn/arend_13/load.php?spl=pdf_exp
dom1cn.cn/arend_13/pdf.php?spl=pdf_all
dom1cn.cn/arend_13/stat.php
dom1cn.cn/arend_13xm/index.php?spl=2
dom1cn.cn/arend_13xm/load.php?spl=pdf_exp
dom1cn.cn/arend_13xm/pdf.php?spl=pdf_all
dom1cn.cn/arend_13xm/stat.php
dom1cn.cn/arend_xx/index.php?spl=2
dom1cn.cn/arend_xx/load.php?spl=pdf_exp
dom1cn.cn/arend_xx/pdf.php?spl=pdf_all
dom1cn.cn/arend_xx/stat.php
dom2cn.cn/arend_13/index.php?spl=2
dom2cn.cn/arend_13/load.php?spl=pdf_exp
dom2cn.cn/arend_13/pdf.php?spl=pdf_all
dom2cn.cn/arend_13/stat.php
dom2cn.cn/arend_13xm/index.php?spl=2
dom2cn.cn/arend_13xm/load.php?spl=pdf_exp
dom2cn.cn/arend_13xm/pdf.php?spl=pdf_all
dom2cn.cn/arend_13xm/stat.php
dom2cn.cn/arend_xx/index.php?spl=2
dom2cn.cn/arend_xx/load.php?spl=pdf_exp
dom2cn.cn/arend_xx/pdf.php?spl=pdf_all
dom2cn.cn/arend_xx/stat.php
domx2.cn/13b/index.php
domx2.cn/13b/load.php?spl=ActiveX_pack
domx2.cn/13b/pdf.php
domx2.cn/13b/stat.php
dox0.cn/arend_13/index.php?spl=2
dox0.cn/arend_13/load.php?spl=pdf_exp
dox0.cn/arend_13/pdf.php?spl=pdf_all
dox0.cn/arend_13/stat.php
dox0.cn/arend_13xm/index.php?spl=2
dox0.cn/arend_13xm/load.php?spl=pdf_exp
dox0.cn/arend_13xm/pdf.php?spl=pdf_all
dox0.cn/arend_13xm/stat.php
dox0.cn/arend_xx/index.php?spl=2
dox0.cn/arend_xx/load.php?spl=pdf_exp
dox0.cn/arend_xx/pdf.php?spl=pdf_all
dox0.cn/arend_xx/stat.php
dox1.cn/arend_13/index.php?spl=2
dox1.cn/arend_13/load.php?spl=pdf_exp
dox1.cn/arend_13/pdf.php?spl=pdf_all
dox1.cn/arend_13/stat.php
dox1.cn/arend_13xm/index.php?spl=2
dox1.cn/arend_13xm/load.php?spl=pdf_exp
dox1.cn/arend_13xm/pdf.php?spl=pdf_all
dox1.cn/arend_13xm/stat.php
dox1.cn/arend_xx/index.php?spl=2
dox1.cn/arend_xx/load.php?spl=pdf_exp
dox1.cn/arend_xx/pdf.php?spl=pdf_all
dox1.cn/arend_xx/stat.php
dox2.cn/arend_13/index.php?spl=2
dox2.cn/arend_13/load.php?spl=pdf_exp
dox2.cn/arend_13/pdf.php?spl=pdf_all
dox2.cn/arend_13/stat.php
dox2.cn/arend_13xm/index.php?spl=2
dox2.cn/arend_13xm/load.php?spl=pdf_exp
dox2.cn/arend_13xm/pdf.php?spl=pdf_all
dox2.cn/arend_13xm/stat.php
dox2.cn/arend_xx/index.php?spl=2
dox2.cn/arend_xx/load.php?spl=pdf_exp
dox2.cn/arend_xx/pdf.php?spl=pdf_all
dox2.cn/arend_xx/stat.php
dox3.cn/arend_13/index.php?spl=2
dox3.cn/arend_13/load.php?spl=pdf_exp
dox3.cn/arend_13/pdf.php?spl=pdf_all
dox3.cn/arend_13/stat.php
dox3.cn/arend_13xm/index.php?spl=2
dox3.cn/arend_13xm/load.php?spl=pdf_exp
dox3.cn/arend_13xm/pdf.php?spl=pdf_all
dox3.cn/arend_13xm/stat.php
dox3.cn/arend_xx/index.php?spl=2
dox3.cn/arend_xx/load.php?spl=pdf_exp
dox3.cn/arend_xx/pdf.php?spl=pdf_all
dox3.cn/arend_xx/stat.php
haphoptool.ru/master/getexe.php
haphoptool.ru/master/index.php
haphoptool.ru/master/pdf.php
haphoptool.ru/master/stat.php
mioanalitic.in/getexe.php
mioanalitic.in/index.php
mioanalitic.in/load.php
mioanalitic.in/pdf.php?spl=pdf_ie2
mioanalitic.in/stat.php
mioanalitic.in/x.j
virtualeanalitic.in/getexe.php
virtualeanalitic.in/index.php
virtualeanalitic.in/load.php
virtualeanalitic.in/pdf.php?spl=pdf_ie2
virtualeanalitic.in/stat.php
virtualeanalitic.in/x.j
vredrikupop.com/getexe.php
vredrikupop.com/index.php
vredrikupop.com/load.php
vredrikupop.com/pdf.php?spl=pdf_ie2
vredrikupop.com/stat.php
vredrikupop.com/x.j