New Trojan Ice IX Written Over Zeus’ Ruins
In May 2011 the RSA Research Lab blogged about the leak of the Zeus Trojan’s source code. Once this much-coveted source code was leaked, one prediction security researchers were confident of was that the exposed code would attract independent code writers who would explore it and write their own offspring versions of the old Zeus as they saw fit.
That day was not long in coming: a new commercial Trojan, initially introduced to cybercriminals in the Russian-speaking underground, was briefly presented in late April 2011 (v1.0.0). The coder who wrote the new Trojan and named it “Ice IX” openly declared that he developed it from the Zeus v2 source code, supposedly ‘perfecting’ whatever functions he believed were flawed, needed revamping or could make his buyers’ lives easier.
The new Trojan possesses improved Zeus capabilities as well as several additional features that did not exist in the original Zeus. Apparently, the feature considered most valuable by Ice IX’s coder is a defense mechanism designed to evade Tracker sites [1], which he implemented in version 1.0.5 of the Trojan.
As Ice IX’s coder repeatedly stressed, his buyers will finally be able to sidestep what has apparently become quite a hurdle for cybercriminals: the Zeus and SpyEye trackers. The two main tracker sites are operated by a Swiss-based organization that monitors malicious C&C servers and reports them to web users, service providers and law enforcement agencies (ISPs, CERTs and police cyber units).
Ice IX’s coder claims that the evasion mechanism will further allow cybercriminals to host their malware on standard hosting servers (with legitimate service providers), as opposed to having to use cybercrime-themed bulletproof servers. This change is intended to save Ice IX operators the considerable hosting expenses they would otherwise pay for bulletproof infrastructure.
Extracts from the original text posted by Ice IX’s coder in a Russian forum were translated by RSA:
Ice 9 is a new private Form Grabber-bot based on Zeus, but a serious rival to it. Built on a modified Zeus core, the core was re-worked and improved. The bypassing of firewalls and other proactive defenses was perfected. Moreover, the injection mechanism has been improved, allowing much more stability for the injections. The main purpose of this Trojan was to counteract trackers, raising the conversion rate [2] and the bots’ TTL, as compared to its predecessor. These features were successfully implemented as we constantly work to further improve the code.
Main Functions
Advantages
Licensing and Prices for Version 1.0.5
Trojan with hardcoded C&C server: $600. You get the Bot + the Builder that generates the configuration file.
Open Trojan with unlimited Builder license: $1,800
Note that, resembling SpyEye’s humble beginnings, Ice IX is also offered at a lower price than a complete Zeus kit or a SpyEye kit (the latter still selling for roughly $4,000 USD today). According to earlier posts about Ice IX, an open license to the first version (v1.0.0) sold for $1,500. The more recent version (v1.0.5) now goes for $1,800, and buyers can opt for a basic package for $600.
Ice IX’s Control Panel
Although Ice IX was written with Zeus code to help it along, its administration panel still has a long way to go in terms of GUI look and feel. Images of the basic-looking panel are shown in Figure 1 and Figure 2. The minimalistic look of the panel is not suggestive of its functionality: when it comes to controlling the botnet, it is as capable as the Zeus control panel.
More to Come
In a spec sheet for Ice IX posted on the pages of an English-speaking forum, the Trojan’s coder gave potential buyers a glimpse of what he plans to include in the coming upgrade, once again resembling SpyEye’s early days:
- HTML/JavaScript injections that will work in the Firefox browser
- A function that will block the SpyEye Trojan on Ice IX-infected PCs (which sounds like the “Kill Zeus” feature added to SpyEye when it was being developed).
- Much like Zeus – Ice IX will also encrypt the bot’s communication with the C&C server, only this time using a different encryption algorithm.
Cybercrime Vendor Review
As with almost every underground forum, some vendors are considered “Verified”; the verified status is given to those who ‘deliver’ on their offerings. Often a vendor’s offer gets ‘verified’ when another high-ranking member (or the forum’s administrator) evaluates the service and is persuaded of its validity and quality. Other fraudsters are naturally more inclined to do business with and buy from Verified vendors.
After the posting of the new commercial Trojan, another vendor selling HTML injections gave his stamp of approval to the Ice IX Trojan. The injection vendor had apparently kept his expert opinion focused on Ice IX’s injection mechanism and posted his observations:
- JavaScript files are easily injected, and you can’t say that about Zeus
- CSS files are successfully injected – it appears that Ice IX supports the use of Cascading Style Sheets in the process of integrating injected content into the original website’s look and feel. This improvement steps up the appearance of injected content and web page replicas.
- The order of data_before, data_after, data_inject blocks plays no role. The Trojan understands them in any block order. When referring to “data_before”/“data_after” blocks, the fraudster is speaking of the delimiters that must be specified for a web injection. For example:
- data_before: the page content the Trojan looks for ahead of the injection point; when a login form requires a username, a password and a secret question, the data_before block covers all three fields
- data_inject: the additional data that the fraudster would like to inject into the page
- data_after: the lower limit of the data the Trojan looks for
In the Zeus Trojan’s injection mechanism, these three blocks had to come in a specific order. With Ice IX, the order no longer matters; the Trojan “understands” what it has to locate and inject. This means the new injections are more fault-tolerant than they were in Zeus.
Other changes to the code also aim at ease of use, making Ice IX more “tolerant” in a sense: wildcards in URL names do not slow page loading, and case-sensitive search terms can be included in the data fields the Trojan searches for.
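For an analyst reviewing a captured configuration, the practical question raised by the paragraphs above is which URL patterns the webinjects target and whether each injection entry is complete. The following parser is an added example written for this page; it is not RSA’s code nor anything taken from Ice IX or Zeus. It assumes the publicly documented Zeus-style webinjects.txt syntax (a set_url line followed by data_before / data_inject / data_after blocks, each closed by data_end, with G and P request-type flags), accepts the three blocks in any order as the page says Ice IX does, and expands the `*` wildcard in URL masks so a defender can check which of their own URLs a captured entry would match. The sample configuration is constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the Zeus/Ice IX webinjects.txt style (not a real captured config).
# The blocks of the second entry are deliberately out of order.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*
data_end
data_inject
<input type="text" name="extra_field">
data_end
data_after
</form>
data_end

set_url https://*.example.net/account/* G
data_inject
<div id="notice"></div>
data_end
data_after
</body>
data_end
data_before
<form id="acct"*
data_end
"""

BLOCK_NAMES = ("data_before", "data_inject", "data_after")


@dataclass
class WebInject:
    url_pattern: str          # URL mask from the set_url line, '*' is a wildcard
    flags: str                # request-type flags (G = GET, P = POST) as given
    blocks: dict = field(default_factory=dict)

    def is_complete(self):
        """True when all three data blocks are present, whatever their order."""
        return all(name in self.blocks for name in BLOCK_NAMES)


def parse_webinjects(text):
    """Parse a webinjects.txt-style config into WebInject entries.

    Blocks may appear in any order; duplicates and unterminated blocks raise.
    """
    entries, current, block_name, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if block_name is not None:            # inside a data_* block
            if line.strip() == "data_end":
                current.blocks[block_name] = "\n".join(buf)
                block_name, buf = None, []
            else:
                buf.append(line)
            continue
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("set_url"):
            parts = stripped.split()
            if len(parts) < 2:
                raise ValueError(f"malformed set_url line: {stripped!r}")
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            entries.append(current)
        elif stripped in BLOCK_NAMES:
            if current is None:
                raise ValueError(f"{stripped} appears before any set_url")
            if stripped in current.blocks:
                raise ValueError(f"duplicate {stripped} for {current.url_pattern}")
            block_name = stripped
        else:
            raise ValueError(f"unexpected line outside a block: {stripped!r}")
    if block_name is not None:
        raise ValueError(f"unterminated {block_name} block")
    return entries


def pattern_to_regex(pattern):
    """Turn a '*'-wildcard URL mask into an anchored regex; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matching_entries(entries, url):
    """Entries whose URL mask would match the given URL (exposure check for defenders)."""
    return [e for e in entries if pattern_to_regex(e.url_pattern).match(url)]


if __name__ == "__main__":
    for entry in parse_webinjects(SAMPLE_CONFIG):
        status = "complete" if entry.is_complete() else "INCOMPLETE"
        print(f"{entry.url_pattern} [{entry.flags}] {status}: {sorted(entry.blocks)}")
```

Running the module prints one line per set_url entry with its flags, completeness and which blocks were found; `matching_entries` lets a team feed in its own login and account URLs to see whether a captured config would have targeted them.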
No comments or reviews of any other aspect of the Trojan were provided. RSA is following Ice IX and will report with further information about this newcomer as it becomes available.
Figure 1: ICE 9 Trojan’s Administration Panel
Figure 2: ICE 9 Trojan’s Database Bot-Search Options
[1] By “Trackers” the coder refers to Zeus tracker and SpyEye tracker – Swiss-based anti-malware organizations.
[2] “Bot conversion rate” is calculated by looking at the number of bots infected versus the number of bots to have subsequently communicated with the C&C server.
Novice here compared to you guys. I am wondering if I have been hacked; a few times it seems like it.
Is there a scan I can run to check for the Ice IX Trojan? Thanks so very much.