Eleonore exploit kit targets browser vulnerabilities and plug-in holes that have been patched by vendors.
A standard but widely used exploit kit known as “Eleonore” attempts to exploit dozens of commonly known vulnerabilities, preying on users who fail to install the latest patches and who likely don’t have the most up-to-date antivirus software.
Former Washington Post security blogger Brian Krebs took a dive into the browser exploit kit last week to reveal the holes being targeted by the kit. In addition to Adobe Reader holes, the kit targets Internet Explorer vulnerabilities and a Java bug, Krebs said.
While the numbers are just a snapshot, those provided by the kit seem to show a high success rate against Google Chrome users. Of 211 users of Google Chrome 3.0 visiting the malicious site hosting the exploit kit, 27 or 12.8% were successfully infected by the kit. The kit targets a number of known vulnerabilities in earlier versions of Firefox, though its success rate is fairly low.
Not surprisingly, the kit was most successful against Internet Explorer users. Of over 3,500 users of IE 6, 30% or more than 1,050 were successfully targeted. Even users of IE 8, Microsoft’s latest browser, fell victim. Of more than 6,800 IE 8 users visiting the malicious site, 11.6% or about 800 were successfully victimized.
Just from observing some of these stats, it’s clear that some of the most successful exploits target vulnerabilities that were patched quite some time ago.
As Brian explains, these kits are not new, yet they have proliferated in recent years as black hat hackers have improved their automation features and made them a fairly cheap investment for anyone wanting to get into the cybercriminal business.
While Krebs found Eleonore proliferating on porn websites, users who are disciplined enough to browse only to trusted websites are still not immune to this kind of toolkit-driven attack. All it takes is a simple website vulnerability and successful code injection to create an attack webpage that scans visitors’ systems for holes to exploit.
Kris Lamb of IBM’s ISS X-Force security research team told me last summer that researchers had been tracking an increasing number of trusted websites hosting malicious webpages. In the X-Force 2009 mid-year report, Lamb said a site hosting the toolkit can deliver all the exploits at once to a victim or select specific exploits based on a person’s referring URL, browser cookies or geographic location. Many other security vendors, including Symantec, McAfee and Sophos, have released reports showing a similar rise in malicious webpages targeting application layer holes.