This morning I read an interesting article on Securelist regarding a new Trojan called Ice IX that seems to be based on the leaked ZeuS source code.
I’ve googled a little bit and found a post on a well known underground forum where a user with the nickname nvidiag is selling Ice IX (UPDATE Aug 27, 2011: After my blog post the topic on opensc.ws has obviously been deleted):
The core was redesigned and enhanced. It was enhanced bypassing the proactive protection and firewall using driver mode, injects are working more stable on IE and Firefox based browsers.
The main goals were adding protection from detection by trackers, getting higher response, more stealthiness, and longer vitality. The goals were successfully reached.
The features advertised by nvidiag seems to be the same as in ZeuS. But there seems to be one new feature:
The config file now id getting not directly but throw the proxy.php file where you should enter the same key using for crypt data exchange between bot and control panel. If the request for config is created not by bot with the same key the 404 error will be returned. So no way to download and analyze the configuration file.
This is a major advantage if you are creating a big botnets, because the main problem of original Zeus – it is trackers.
So, according to this forum post Ice IX has a function to protect ZeuS Tracker & Co from being able to download the config file. For example, instead of HTTP GET Ice IX will only serve a config file when the clients sends a HTTP POST request
Does this new anti ZeuS Tracker feature makes it impossible to track Ice IX? Well, let’s try this:
–2011-08-25 XX:XX:XX– http://chilloutcaffee.net/photos/zb1/cc/ccc.php
Resolving chilloutcaffee.net… 22.214.171.124
Connecting to chilloutcaffee.net|126.96.36.199|:80… connected.
HTTP request sent, awaiting response…
HTTP/1.1 200 OK
Date: Thu, 25 Aug 2011 XX:XX:XX GMT
Length: 41370 (40K) [text/plain]
Saving to: `ccc.php’
100%[==============>] 41,370 7.80K/s in 5.2s
2011-08-25 XX:XX:XX (7.80 KB/s) – `ccc.php’ saved [41370/41370]
Let’s try to decrypt it…
url_loader (binary download)
entry “AdvancedConfigs” (backup config files)
é voilà – Ice IX config file successfully downloaded and decrypted. You just need to do some wget Kung Fu and you need to have the binary to extract the RC4 key in order to decrypt the Ice IX config file and to construct the correct hash value in the URL used to query the configuration file.
Below is a list of Ice IX botnet controllers I’ve seen so far:
Is Ice IX a new threat? Not really. It has the same functionality as ZeuS, but it tries to evade ZeuS Tracker & Co (but royally fails). I will continue to monitor the situation.
*** Further reading ***