A very nice paper about eleonore exploit pack by Evilcry
/*##############################################*/
Hi,
Today we will see how the Eleonore Exploit Pack works, directly from an infected website.
Essentially, Eleonore Exploit Pack is a collection of exploits and data statistics collectors. This is the ‘marketing’ presentation of the exploit pack:
*---------------------------------------------------------------*
Hello! I present new actual russian exploits pack "Eleonore Exp v1.2"
Exploits on pack:
> MDAC
> MS009-02
> Telnet - Opera
> Font tags - FireFox
> PDF collab.getIcon
> PDF Util.Printf
> PDF collab.collectEmailInfo
> DirectX DirectShow
> Spreadsheet
installs on traffic:
> on usa: 5-15%
> on mix: 10-25%
* Piercing indicates approximate, may vary and depends directly on the type and quality of traffic.
Price:
> Eleonore Exp Pack 1.2 = 700$
> Cleans cryptor on AV = 50$
> Rebuild on another domain = 50$
* PACK is binding on domain.
> Eleonore Exp Pack 1.2 with not binding domain (free on domain) = 1500$
*---------------------------------------------------------------*
Here you can read a discussion in which the author of this pack himself takes part.
Eleonore Exploit Pack exists in the following versions:
1. Eleonore Exp v1.1
2. Eleonore Exp v1.2
3. Eleonore Exp v1.3B
The last version (1.3B) introduces new exploits, connectivity improvements and optimizations in the intelligence process that collects statistics about the zombies (country, browser, OS, etc.).
By looking at the URLs we can immediately extract a list of the most interesting links:
1. http://*****.cn/sv/x.x
2. http://*****.cn/sv/Client2.jar
3. http://*****.cn/sv/pdf.php
4. http://*****.cn/sv/?spl=2&br=MSIE&vers=7.0
5. http://*****.cn/sv/load.php?spl=ActiveX_pack
6. http://*****.cn/sv/stat.php
As you can see, everything is contained in the /sv/ directory. Now let’s check, for example, the load.php link:
when this link is accessed, an executable called load.exe is downloaded, with
MD5: 50AC484D4775B783D70D87A21BBFAA36
Submitted to the various online AV scanners it comes back free from detections. We have 4 sections:
Name   VirtAddr  VirtSize  RawSize  Entropy  MD5
.text  0x1000    0x48B0    0x4A00   7.39     5135f06000479a5b2e378caa2c4fd8a9
.rdata 0x6000    0x26D     0x400    3.07     8492531c69aab5794ba61207842ba4d6
.data  0x7000    0x2AA7    0x2C00   6.71     092b8e63ebe1ac83d571aba964e041d1
.rsrc  0xA000    0x46C     0x600    4.07     aceb78467d14ed7c7023da0ff5fc59ef
and this is the Import Table list
kernel32.dll: SetFilePointer, HeapUnlock, VerifyVersionInfoA, GetLongPathNameA, _lclose, GetEnvironmentStringsW, HeapDestroy, GetLocaleInfoW, HeapAlloc, GetFileType, HeapCreate, WaitForSingleObjectEx, lstrcmpiA, SetCalendarInfoA, HeapFree, lstrcatW, ExitProcess, SetLastError, VirtualProtect, GetFullPathNameA, SetUnhandledExceptionFilter, lstrcpyW, GlobalFindAtomA
The application has 3 hidden (packing) layers.
This is a quick list of operations performed by load.exe
First Thread
71a370df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
71a37cc4 RegOpenKeyExA (Protocol_Catalog9)
71a3737e RegOpenKeyExA (0000000B)
71a3724d RegOpenKeyExA (Catalog_Entries)
Second Thread
401129 CreateFileA(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp)
401561 LoadLibraryA(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp)=602c0000
Creates 2A.tmp
602c4955 LoadLibraryA(kernel32.dll)=7c800000
602c4cbb LoadLibraryA(ntdll.dll)=7c910000
602c4d13 LoadLibraryA(ws2_32.dll)=71a30000
602c4e52 LoadLibraryA(advapi32.dll)=77f40000
76d2563d GetVersionExA()
76d258ef CreateFileA(\\.\Ip)
Accesses the IP device
76d25bc2 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage)
76d25bdc RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\)
76d25bf3 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces)
76d25c0d RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters)
Opens the most important registry entries related to networking
602c4f3a LoadLibraryA(iphlpapi.dll)=76d20000
5b19ef89 GetCurrentProcessId()=2436
5b18b1ba IsDebuggerPresent()
746b26aa GetVersionExA()
746b30a7 RegOpenKeyExA (HKLM\SOFTWARE\M*cro$oft\CTF\Compatibility\load.exe)
746b30a7 RegOpenKeyExA (HKLM\SOFTWARE\M*cro$oft\CTF\SystemShared\)
Checks for the presence of a debugger and registers itself in the Compatibility and SystemShared entries
746b245b CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
Creates a list of mutexes, presumably linked to the keyboard (keystroke logger)
746b30a7 RegOpenKeyExA (HKCU\Keyboard Layout\Toggle)
746b260a RegOpenKeyExA (HKLM\SOFTWARE\M*cro$oft\CTF\)
Will act as a keylogger
775220b0 LoadLibraryA(CLBCATQ.DLL)=76f90000
775228a1 LoadLibraryA(CLBCATQ.DLL)=76f90000
CLBCATQ.DLL is a COM services DLL
602c214f CreateProcessA((null),svchost.exe,0,(null))
7c81628b WaitForSingleObject(6d8,64)
77b14cd7 LoadLibraryA(VERSION.dll)=77bd0000
7c818e2c LoadLibraryA(advapi32.dll)=77f40000
10001e25 LoadLibraryA(psapi.dll)=76bb0000
10001e66 GetCurrentProcessId()=2436
76bb183b ReadProcessMemory(h=6e0)
76bb185a ReadProcessMemory(h=6e0)
76bb1878 ReadProcessMemory(h=6e0)
76bb17bb ReadProcessMemory(h=6e0)
WriteProcessMemory=1 BufLen=23 BytesWritten:23
This means that load.exe is going to infect svchost.exe, surely to establish a channel
with malicious sites.
602c15c7 Copy(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp->C:\WINDOWS\system32\helh.oso)
7c82fa88 WriteFile(h=700)
The content of 2A.tmp is copied into \WINDOWS\system32\helh.oso
602c298f RegOpenKeyExA (HKCR\idid)
602c2d4d RegCreateKeyExA (HKCR\idid,(null))
602c2d92 RegSetValueExA (url0)
602c2c3b RegOpenKeyExA (HKCR\idid)
76d22bd0 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D1D028D3-3E11-436A-8FD8-8A4993A911A5})
602c267d gethostbyname(602c8760)
The infection of svchost.exe is done and the application attempts to reach some URLs, which can be
revealed with a network sniff:
* papaanarhia.cn
* papaanarhia.cn.localdomain
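The trace above is exactly the kind of evidence a sandbox or an analyst script should triage automatically. The following Python is an added example of mine, not Evilcry's code and not part of the original write-up: it parses lines in the same "address API(args)" shape and flags the behaviours called out above (anti-debugging check, memory written into a process the sample just spawned, a file dropped into system32 under a non-standard extension, a custom key created under HKCR, and a hostname lookup). The sample trace is constructed to mirror the log above, and the rules are my own assumptions about what is worth alerting on.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample trace in the same "address API(args)" shape as the one in
# the write-up; it is not a real capture of the analysed sample.
SAMPLE_TRACE = """\
5b18b1ba IsDebuggerPresent()
602c214f CreateProcessA((null),svchost.exe,0,(null))
7c81628b WaitForSingleObject(6d8,64)
76bb183b ReadProcessMemory(h=6e0)
WriteProcessMemory=1 BufLen=23 BytesWritten:23
602c15c7 Copy(C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\2A.tmp->C:\\WINDOWS\\system32\\helh.oso)
602c2d4d RegCreateKeyExA (HKCR\\idid,(null))
602c2d92 RegSetValueExA (url0)
602c267d gethostbyname(602c8760)
"""

# Optional hex return address, then the API name, then whatever follows.
LINE_RE = re.compile(r"^(?:[0-9a-f]{6,8}\s+)?([A-Za-z_]\w*)\s*(.*)$")

# Extensions one expects for a freshly dropped file under system32 (assumption).
NORMAL_SYSTEM32_EXT = {".dll", ".exe", ".sys", ".ocx", ".cpl"}


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one trace line into (api_name, argument_text), or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    api, rest = m.group(1), m.group(2).strip()
    # Strip one pair of surrounding parentheses when present.
    if rest.startswith("(") and rest.endswith(")"):
        rest = rest[1:-1]
    return api, rest


def triage(trace: str) -> List[Tuple[str, str]]:
    """Return (finding, raw_line) pairs for the behaviours the write-up describes."""
    findings = []
    spawned = []  # argument text of every CreateProcess* seen so far
    for raw in trace.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        api, args = parsed
        if api == "IsDebuggerPresent":
            findings.append(("anti-debugging check", raw))
        elif api.startswith("CreateProcess"):
            spawned.append(args)
        elif api == "WriteProcessMemory" and spawned:
            # Writing into a process we just spawned is the classic injection pattern.
            findings.append((f"memory written into spawned process: {spawned[-1]}", raw))
        elif api == "Copy" and "->" in args:
            dst = args.split("->", 1)[1].lower()
            if "\\system32\\" in dst:
                leaf = dst.split("\\")[-1]
                ext = leaf[leaf.rfind("."):] if "." in leaf else ""
                if ext not in NORMAL_SYSTEM32_EXT:
                    findings.append((f"file dropped into system32 with unusual extension {ext!r}", raw))
        elif api in ("RegCreateKeyExA", "RegCreateKeyExW") and args.upper().startswith("HKCR\\"):
            findings.append(("custom key created under HKCR (config storage)", raw))
        elif api == "gethostbyname":
            findings.append(("hostname resolution after injection (possible C2 lookup)", raw))
    return findings


if __name__ == "__main__":
    for finding, line in triage(SAMPLE_TRACE):
        print(f"[!] {finding}\n    {line}")
```

The ReadProcessMemory and WaitForSingleObject lines are deliberately ignored: on their own they are normal, and it is the sequence (spawn, then write into the child) that carries the signal.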
Now let’s reverse helh.oso.
Disassembling it reveals a DLL with the following entries:
* DllMain
* DllEntryPoint
* DllEntryPoint
* dxdll
* vtfeb
* ruagpi
* vlecvja
Interesting strings:
libgcj_s.dll
Jv_RegisterClasses
‘GET /%s HTTP/1.1’
‘User-Agent: Opera\9.63’,
‘Host: %s’,0Dh,0Ah
Backdoor.Win32.Bredavi.aig
So load.exe acts as a malicious backdoor trojan that runs in the background and allows remote access to the compromised system. It is interesting to note that the domain used is the same as that of
* Backdoor.Win32.Bredavi.aig
* Trojan.Win32.Sasfis.qri
helh.oso downloads and/or requests other files from the Internet, from the following URLs:
* http://bookheads.cn/dib-file.exe
* anonym.to - free dereferer service
* anonym.to - free dereferer service
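The request strings above give a cheap network detection: a real Opera 9.63 identifies itself as "Opera/9.63 ..." with a slash and platform details, while helh.oso sends the bare token "Opera\9.63" with a backslash, followed only by a Host header. The Python below is an added example of mine (not from the write-up or the malware) that parses raw HTTP requests and scores them on those two indicators; the sample requests are constructed, with the beacon one following the string format quoted above, and the hostnames are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample requests (not real captures). The second one follows the
# format given by helh.oso's strings: "GET /%s HTTP/1.1", a User-Agent of
# "Opera\9.63" (backslash where a real browser sends "/") and a Host header.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n"
    "User-Agent: Opera/9.63 (Windows NT 5.1; U; en)\r\nAccept: */*\r\n\r\n",
    "GET /dib-file.exe HTTP/1.1\r\nUser-Agent: Opera\\9.63\r\nHost: c2.invalid\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

# A genuine product token is name/version; a backslash never appears there.
BACKSLASH_UA = re.compile(r"^[A-Za-z]+\\[0-9.]+$")


def parse_headers(request: str) -> Dict[str, str]:
    """Return {lower-cased header name: value} for one raw HTTP request."""
    head = request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def beacon_indicators(request: str) -> List[str]:
    """List the reasons a request resembles the helh.oso beacon, strongest first."""
    reasons = []
    headers = parse_headers(request)
    ua = headers.get("user-agent", "")
    if BACKSLASH_UA.match(ua):
        reasons.append("user-agent uses backslash instead of slash")
    if set(headers) == {"host", "user-agent"}:
        reasons.append("only Host and User-Agent headers present")
    return reasons


def is_beacon(request: str) -> bool:
    """Alert only on the strong indicator; the minimal header set alone is too noisy."""
    return "user-agent uses backslash instead of slash" in beacon_indicators(request)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split("\r\n", 1)[0], "->", beacon_indicators(req) or "clean")
```

The minimal header set is kept as a weak indicator only: plenty of legitimate tools send just Host and User-Agent, so it should raise the score but never alert on its own.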
Now let’s check /sv/x.x:
// Concatenates the fragments into "Lomka.replace(/KOHb55544 3233/g,kolma)" and eval()s it,
// i.e. every occurrence of the junk token "KOHb55544 3233" in the payload is replaced with kolma.
function fokusp(Lomka, kolma) {
  return eval('Lom'+'ka.rep'+'lace('+'/KOHb55544 3233/g'+',kolma)');
}
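The eval() here only hides a single String.replace() call, so this layer can be peeled off without running any JavaScript. The Python below is an added example of mine, not code from the page or from the exploit pack: it joins the quoted fragments, checks that they spell subject.replace(/pattern/flags, replacement), and applies that replace to the payload found at a call site. The helper is the one quoted above; the call site and its payload are constructed, and the pattern is used as a Python regex (fine for a literal token like this one).

```python
import re
from typing import Dict

# Constructed sample: the fokusp() helper exactly as quoted in the write-up,
# plus a made-up call site whose payload has the junk token sprinkled through it.
SAMPLE_X_X = r"""
function fokusp(Lomka,kolma) { return eval('Lom'+'ka.rep'+'lace('+'/KOHb55544 3233/g'+',kolma)'); }
eval(fokusp('docKOHb55544 3233ument.wrKOHb55544 3233ite("layer two")', ''));
"""

# function NAME(SUBJECT, REPL) { return eval(<concatenation>); }
HELPER_RE = re.compile(
    r"function\s+(\w+)\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*\{\s*return\s+eval\((.*?)\)\s*;\s*\}",
    re.S,
)
LITERAL_RE = re.compile(r"'([^']*)'")
# What the joined fragments must spell: <subject>.replace(/<pattern>/<flags>,<replacement>)
REPLACE_RE = re.compile(r"^(\w+)\.replace\(/(.*)/([a-z]*),\s*(\w+)\)$", re.S)


def recover_helper(src: str) -> Dict[str, str]:
    """Statically rebuild what the eval() inside the helper actually runs."""
    m = HELPER_RE.search(src)
    if not m:
        raise ValueError("no eval-wrapping helper found")
    name, p_subject, p_repl, concat_expr = m.groups()
    # Joining the quoted fragments is all the '+' chain does; no eval needed.
    evaluated = "".join(LITERAL_RE.findall(concat_expr))
    r = REPLACE_RE.match(evaluated)
    if not r or r.group(1) != p_subject or r.group(4) != p_repl:
        raise ValueError(f"unexpected eval body: {evaluated!r}")
    return {"name": name, "pattern": r.group(2), "flags": r.group(3)}


def decode_layer(src: str) -> str:
    """Find the helper's call site and apply the recovered replace() to its payload."""
    info = recover_helper(src)
    call = re.search(re.escape(info["name"]) + r"\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", src)
    if not call:
        raise ValueError("helper is never called with literal arguments")
    payload, replacement = call.groups()
    count = 0 if "g" in info["flags"] else 1      # JS replaces only the first match without /g
    re_flags = re.I if "i" in info["flags"] else 0
    return re.sub(info["pattern"], replacement, payload, count=count, flags=re_flags)


if __name__ == "__main__":
    print(recover_helper(SAMPLE_X_X))
    print(decode_layer(SAMPLE_X_X))
```

The checks that the rebuilt expression names the helper's own parameters are what make this safe to run blind: if a future variant evals something other than a replace(), the script refuses rather than guessing.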
/sv/stat.php
is the login page where the user is asked to enter a username and password
/sv/pdf.php
downloads GDGCavPJwlrd.pdf, a malicious PDF
Regards,
Evilcry