ICE IX, new banking trojan, built on Zeus v2 code, evades trackers.

Discussion in 'malware problems & news' started by Baserk, Aug 29, 2011.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    ICE IX, new banking trojan, built on Zeus v2 code, tries to evade trackers.

    From Internetsecuritydb.com, an interesting article on a new banking trojan, built on Zeus v2 code but enhanced to the degree that it can't be tracked like current Zeus and SpyEye versions (example link) and therefore doesn't require expensive bulletproof hosting (e.g. hosting providers that simply don't give a damn when told they're hosting malware C&C servers).
    It's apparently, due to serious Zeus code debugging, also less prone to JavaScript injection errors and CSS errors; when victims are doing online banking on an infected computer, there is less chance that either the banking webpage 'looks off' or the injected JavaScript doesn't work as it should (from the trojan/attacker pov oc).
    The article writer also lists a 12-point list of possible origins of the trojan naming convention.

    "...A new trojan was briefly presented to cybercriminals in the Russian-speaking underground in late April 2011 (as v1.0.0). The developer who wrote the new trojan, and named it "Ice IX", openly declared that he developed his new trojan based on the ZeuS v2 source code, and in doing so allegedly perfecting flaws and bugs he believed needed fixing to improve the product's value to its cybercriminal customers.
    ...
    Extracts from the original text posted by Ice IX's developer in a Russian forum, translated to English:
    'Ice 9 is a new private Form Grabber-bot based on ZeuS, but a serious rival to it. Built on a modified ZeuS core, the core was re-worked and improved. The bypassing of firewalls and other proactive defenses was perfected. Moreover, the injection mechanism has been improved, allowing much more stability for the injections. The main purpose of this trojan was to counteract trackers, raising the conversion rate and the bots' TTL (time to live), as compared to its predecessor. These features were successfully implemented as we constantly work to further improve the code.'
    ...
    1 - Ice 9 is a fictional computer virus from the film "The Recruit" (2003). The malware, named Ice-9 in tribute to Kurt Vonnegut's ice-nine (see item no. 8 below), would erase hard drives and travel through power sources which are not protected; possibly erasing data from every computer on Earth.
    8 - Ice-nine is a fictional material conceived by writer Kurt Vonnegut in his 1963 novel "Cat's Cradle". It is different from, and does not have the same properties as, the real-world ice polymorph Ice IX; existing, for example, as a stable solid at room temperature and regular atmospheric pressure..."

    My bet is, the coder actually read the book. ;)

    -edit; And an article on which the above linked page seems to be based, with some trojan screenshots: RSA blog link
     
    Last edited: Aug 30, 2011
  2. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Re: ICE IX, new banking trojan, built on Zeus v2 code, tries to evade trackers.

    The Swiss Zeus & SpyEye trackers ain't that impressed, as I've just read:

    "So, according to this forum post Ice IX has a function to protect ZeuS Tracker & Co from being able to download the config file. For example, instead of HTTP GET, Ice IX will only serve a config file when the client sends a HTTP POST request.
    Does this new anti ZeuS Tracker feature make it impossible to track Ice IX?
    ...
    Is Ice IX a new threat? Not really. It has the same functionality as ZeuS, but it tries to evade ZeuS Tracker & Co (but royally fails). I will continue to monitor the situation."
    Abuse.ch blog link

    So, contrary to my first post, it really isn't 'below radar'.
    I'll change the thread title accordingly.
     
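The abuse.ch post quoted above describes the evasion as nothing more than gating the config download on the HTTP method (POST accepted, GET refused). The following is an added, constructed in-process model of that behaviour and of the tracker-side fallback that defeats it; it is not Ice IX, ZeuS or abuse.ch code, does no networking, and the path `/cfg.bin`, the placeholder config bytes and the function names are all assumptions made for the illustration.

```python
# Constructed demonstration of HTTP-method gating of a config download and why a
# tracker that simply retries with POST is not stopped by it. Added example; not
# code from the thread, from Ice IX/ZeuS, or from ZeuS Tracker.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Placeholder bytes standing in for an encrypted config file (constructed).
CONFIG_BLOB = b"PLACEHOLDER-CONFIG-BYTES"
CONFIG_PATH = "/cfg.bin"  # assumed path; the thread names no real URL

@dataclass
class Response:
    status: int
    body: bytes

Gate = Callable[[str, str], Response]

def get_gate(method: str, path: str) -> Response:
    """Model of the older behaviour: the config is served on a plain GET."""
    if path == CONFIG_PATH and method == "GET":
        return Response(200, CONFIG_BLOB)
    return Response(404, b"")

def post_only_gate(method: str, path: str) -> Response:
    """Model of the 'anti-tracker' behaviour quoted from abuse.ch:
    the config is served only when the request method is POST."""
    if path == CONFIG_PATH and method == "POST":
        return Response(200, CONFIG_BLOB)
    return Response(404, b"")

def tracker_fetch(gate: Gate, path: str = CONFIG_PATH) -> Tuple[Optional[str], bytes]:
    """Tracker side: try GET first, then fall back to POST when GET is refused.
    Returns (method_that_worked, body); (None, b'') when neither method works."""
    for method in ("GET", "POST"):
        resp = gate(method, path)
        if resp.status == 200 and resp.body:
            return method, resp.body
    return None, b""

if __name__ == "__main__":
    # Both servers hand over the config to a tracker that knows to retry with POST.
    print("legacy server:", tracker_fetch(get_gate))
    print("POST-only server:", tracker_fetch(post_only_gate))
```

The point the model makes is the one abuse.ch makes in prose: the request method is attacker-chosen metadata, not a secret, so a tracker that issues one extra request recovers the same file, which is why the change shifts nothing for detection and tracking.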
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978