MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

6.10.10

Eleonore Exploit Pack. New version

Without functional alternatives to renew in the package, a new version of crimeware Eleonore Exploit Pack. This is the version 1.4.4mod.


Acces panel of Eleonore Exploit Pack 1.4.4mod

While this version of crimeware is positioned as part of a set of alternatives whose number is constantly increasing due to the large range that currently exists in the area of crime, isn't very viable option for criminals. And indeed, this particular version, parearía not have more important features that are not in previous versions.

Advertising package in underground forum

As shown in the image, incorporating a total of 16 exploits that have a high percentage of successful exploitation globally. However, although this particular version is no cause for alarm or research for security professionals, criminal activities generated by Eleonore Exploits Pack manifest daily, being the most used version 1.3.

Related information
State of the art in Eleonore Exploit Pack II
State of the art in Eleonore Exploit Pack
Eleonore Exploits Pack. New Crimeware In-the-Wild
Nueva versión de Eleonore Exploits Pack In-the-Wild
Black Hole Exploits Kit. Another crimeware in addition to criminal supply
Prices of Russian crimeware. Part 2

Ver más

1.10.10

Phoenix Exploit’s Kit v2.3 Inside

PEK (Phoenix Exploit's Kit) has become one of the most used by those who flood the Internet every day with different types of malicious code. Currently, a large amount of malware is distributed through this crimeware, which is also widely used for collecting information relevant to a botmaster.

Earlier we mentioned how it looks inside version 2.1 and at the same time we said that from the standpoint of design, different versions of PEK are practically very similar, with the typical dark background, the phoenix in the lower right corner and facing your authentication system trivial at first glance, but nevertheless performs a check under the SHA1 algorithm.

This time, it's version 2.3 of PEK, the final and stable so far (there is a preliminary version 2.4 known as the 2.3r). However, despite no visible differences appear, this version also upgrade a number of "details" in your code, incorporates a number of exploits which currently represent the highest success rate.

Simple statistics
Displays information about the general data tones to the recorded information with PEK.

Advanced statistics
Displays detailed information about operating systems and browsers violated.

Countries statistics
Shows statistics of the countries where the zombies.

Referer data
List the websites of direct reference.

The list shows the version used for this article is very long, but is complete on the following link: PEK v2.3 Referers List.

Upload module
Updates the malware that spreads.

Exploits that incorporates the default for this version are:
Their "sale" began in early July 2010 at a cost of $ 2200. An interesting detail is what the sentence is shown with the logo: "CONCORDIA, INTEGRITAS, INDUSTRIA…" three Latin words which are closely related to a famous German family. His translation is harmony, integrity and diligence.

Regarding the spread executable binary, in this case, it's a variant of the trojan generated with the private constructor SpyEye:
In the White paper called Phoenix Exploit's Kit In the mythology of a criminal enterprise can obtain more information on the different versions of this crimeware.

Related information

Phoenix Exploit’s Kit v2.1 Inside
State of the art in Phoenix Exploit's Kit [White paper]

Campaign infection through Phoenix Exploit's Pack
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Phoenix Exploit’s Kit. Otra alternativa para el control de botnets


Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

Ver más