
Ice IX – Or Just ZeuS?

This morning I read an interesting article on Securelist regarding a new Trojan called Ice IX that seems to be based on the leaked ZeuS source code.

I googled a little and found a post on a well-known underground forum where a user with the nickname nvidiag is selling Ice IX (UPDATE Aug 27, 2011: after my blog post, the topic on opensc.ws has obviously been deleted):

Ice IX is a new bot form-grabber similar to Zeus, but a big rival to it. It is based on modified Zeus 2 core.
The core was redesigned and enhanced. It was enhanced bypassing the proactive protection and firewall using driver mode, injects are working more stable on IE and Firefox based browsers.
The main goals were adding protection from detection by trackers, getting higher response, more stealthiness, and longer vitality. The goals were successfully reached.

The features advertised by nvidiag seem to be the same as in ZeuS. But there seems to be one new feature:

Protection from Trackers.
The config file is now getting not directly but through the proxy.php file where you should enter the same key used for crypt data exchange between bot and control panel. If the request for config is created not by bot with the same key the 404 error will be returned. So no way to download and analyze the configuration file.
This is a major advantage if you are creating big botnets, because the main problem of original Zeus – it is trackers.

So, according to this forum post, Ice IX has a function that is meant to prevent ZeuS Tracker & Co from downloading the config file. For example, instead of answering a plain HTTP GET, Ice IX will only serve the config file when the client sends an HTTP POST request carrying the expected parameters.

Does this new anti-ZeuS-Tracker feature make it impossible to track Ice IX? Well, let’s try this:

$ wget -S --post-data="id=REDACTED&hash=REDACTED" "chilloutcaffee.net/photos/zb1/cc/ccc.php"
--2011-08-25 XX:XX:XX-- http://chilloutcaffee.net/photos/zb1/cc/ccc.php
Resolving chilloutcaffee.net... 123.30.129.251
Connecting to chilloutcaffee.net|123.30.129.251|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Thu, 25 Aug 2011 XX:XX:XX GMT
Server: Apache/2
[...]
Length: 41370 (40K) [text/plain]
Saving to: `ccc.php'

100%[==============>] 41,370 7.80K/s in 5.2s

2011-08-25 XX:XX:XX (7.80 KB/s) - `ccc.php' saved [41370/41370]

Uh?

$ file ccc.php
ccc.php: data

Looks good…

$ md5sum ccc.php
f673999a9de960d5ae0d9d72beaf0433 ccc.php

Let’s try to decrypt it…

Version: 1.0.5.0
url_loader (binary download)
http://chilloutcaffee.net/photos/zb1/cc/bot.exe
url_server (dropzone)
http://chilloutcaffee.net/photos/zb1/gate.php
entry “AdvancedConfigs” (backup config files)
http://chilloutcaffee2.net/photos/zb1/cc/ccc.php

url_wfrules
Nhttp://*odnoklassniki.ru/*
Nhttp://vkontakte.ru/*
S*/login.osmp.ru/*
S*/atl.osmp.ru/*
[...]

Et voilà: the Ice IX config file was successfully downloaded and decrypted. It just takes some wget kung fu, plus a copy of the bot binary: the binary is needed to extract the RC4 key that decrypts the config file and to construct the correct hash value for the URL used to query the configuration file.
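To make the decryption step concrete, here is an added example that is not code from this post, from abuse.ch, or from the ZeuS/Ice IX authors. It assumes a single RC4 layer under a key recovered from the bot binary and a line-oriented plaintext laid out like the decrypted output above (section header lines such as url_loader, followed by their entries); the key, the URLs and the encrypted blob are all constructed inline for the example. The real ZeuS 2 config format carries additional layers that this illustration does not model. The useful part for an analyst is the sanity check at the end: a wrong key yields no recognisable section headers, so the parser refuses the result instead of returning garbage.

```python
"""RC4 decryption and parsing of a ZeuS-style config blob (illustrative).

Added example: NOT the real ZeuS/Ice IX config format, which has more
layers than a single RC4 pass. Key, URLs and blob below are constructed.
"""

SECTION_KEYS = ("url_loader", "url_server", "entry", "url_wfrules")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. The cipher is symmetric, so this both encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed with the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> dict:
    """Parse a line-oriented config into {"version": str, "sections": {name: [lines]}}.

    A line whose first word is one of SECTION_KEYS opens a section; the text
    up to the first " (" is used as the section name, so
    'url_loader (binary download)' becomes 'url_loader'. Every following
    non-header line belongs to the current section.
    """
    config = {"version": None, "sections": {}}
    current = None
    for raw in plaintext.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Version:"):
            config["version"] = line.split(":", 1)[1].strip()
            continue
        if line.split(None, 1)[0] in SECTION_KEYS:
            current = line.split(" (", 1)[0]
            config["sections"].setdefault(current, [])
            continue
        if current is not None:
            config["sections"][current].append(line)
    return config


def decrypt_config(blob: bytes, key: bytes) -> dict:
    """Decrypt with the recovered RC4 key and reject output that does not
    look like a config: with a wrong key there are no section headers."""
    config = parse_config(rc4(key, blob))
    if config["version"] is None or not config["sections"]:
        raise ValueError("no config structure found: wrong RC4 key or format")
    return config


# Constructed sample: a plausible plaintext encrypted under a made-up key.
SAMPLE_KEY = b"constructed-rc4-key-not-real"
SAMPLE_PLAINTEXT = b"""Version: 1.0.5.0
url_loader (binary download)
http://example.invalid/cc/bot.exe
url_server (dropzone)
http://example.invalid/gate.php
entry "AdvancedConfigs" (backup config files)
http://backup.example.invalid/cc/ccc.php

url_wfrules
Nhttp://*social.example/*
S*/login.bank.example/*
"""
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)  # what a tracker would download

if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_BLOB, SAMPLE_KEY)
    print("version:", cfg["version"])
    for name, entries in cfg["sections"].items():
        print(name)
        for entry in entries:
            print("   ", entry)
```

Running the script prints the recovered version, the loader and dropzone URLs and the webfilter rules; calling `decrypt_config(SAMPLE_BLOB, b"wrong")` raises `ValueError`, which is the behaviour you want when an extracted key turns out to belong to a different build of the bot.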

Below is a list of Ice IX botnet controllers I’ve seen so far:

http://frcfir.com/cfg/logo.php
http://ziigmmn.com/logo.php

Is Ice IX a new threat? Not really. It has the same functionality as ZeuS, but it tries to evade ZeuS Tracker & Co (but royally fails). I will continue to monitor the situation.
