Zeus v2 (Ice-IX) tested

Discussion in 'malware problems & news' started by CloneRanger, Aug 30, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    This is an updated/improved version of Zeus, with "supposed" firewall bypassing code in it.

    So I wanted to see how this nasty circumvented my Firewall, or tried to, amongst other things. I found a suitable infected www & DL'd it to my desktop, after disabling my AV & setting ProcessGuard to allow New/Changed Apps etc, & enabling ShadowDefender.

    I allowed All the following

    [attached screenshots: 1.gif, 3.gif, 4.gif, 5.gif]

    It tried to modify All these !

    [attached screenshot: bl.gif]

    More ....
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I noticed that info.exe had Completely disappeared from my desktop & was nowhere to be found ! I "presume" it had just morphed into zeocifi.exe & then Banjo Sting ?

    A bit later I went back to the same www & this time I found the file had been renamed.

    [attached screenshot: cont.gif]

    Once again it tried to modify All these !

    [attached screenshot: mod.gif]

    Later on today with a "bit" more time, I redid the tests with both nasties, but this time changed the Modify FF settings in PG to Allow. This time I saw constant FF CPU @ around 33% & 1 x svchost entry @ around 30%. After about 5 mins everything got really sluggish, with CPU hitting 100% & then it instantly rebooted to the BIOS PW prompt. Not having time to continue there & then I switched off until much later on today.

    I noticed NO outbound firewall activity, or dodgy ins/outs via WireShark either, on ANY test? Due to my using ShadowDefender I was unable to verify if Anything might have been different after a "normal" reboot!

    To me, a True FW Bypass would look something like this

    [attached screenshot: bp.gif]

    From the above & what I saw, it "seems" as if this Bypass is NOT a True one, but just uses other Apps to inject code into & piggyback out. This technique as such isn't new, even if the code in (Ice-IX) "might" be more accomplished than before. In my tests, it "appears" not to be All that!

    Be nice if others could see how it fares on theirs ;)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thanks for the info.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Hungry Man

    Pleasure :thumb:
     
    Last edited by a moderator: Aug 31, 2011
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, seems straightforward to me. It will modify legit processes in memory and then will get outbound access through them.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    As I guessed, got many prompts of memory modification but I could not trace any outbound at all. Does it ever connect out? I doubt it. o_O

    [attached screenshots: 1.png, 2.png, 3.png, 4.png, 5.png]
     
  7. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    My understanding of Zeus was that it injected into existing processes to connect out and 'bypass' firewalls. I don't think they need to develop any new bypass technique when the existing ones work so well :)

    The alerts are interesting here. Could somebody test it with Spyshelter and Online Armor to see what their alerts look like?
     
  8. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Some more info:

     
  9. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Where did you get this quote? It is a translation from Ice IX's coder
     
  10. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
  11. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yeah, how strange? Not much use then :D So much for ALL the hoo ha about its "supposed" new tricks :p Unless we missed something/s?

    Thanks for testing :thumb:

    @ Scoobs72

    Thanks for the info :)
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Only thing that I noticed: it also injects code into the browser if it was already running, so that's an easy way for outbound access. However it did not launch the browser itself.
     
  14. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    It probably won't do anything until you launch an https session, at which point it goes into 'grabbing' mode. The outbound communication to the C&C server is RC4-encrypted HTTP POSTs, which probably happens via the browser, hence 'bypassing' the firewall.
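    Added example (not from this thread or from any of the posters): a defender-side heuristic for the behaviour aigle and Scoobs72 describe, flagging plain-HTTP POSTs that leave a browser process with a ciphertext-like body, since a per-process outbound firewall rule sees only the trusted browser. The log records, the RC4 key, the field names and the entropy threshold are all constructed assumptions.

```python
import math
from typing import Dict, List

BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe"}

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Used here only to build a ciphertext-like sample body."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: form data or text sits around 4-5.5, RC4 output approaches 8 for long bodies."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspicious_post(rec: Dict, threshold: float = 7.0) -> bool:
    """A plain-http POST leaving a browser process whose body looks like ciphertext."""
    return (rec["method"] == "POST" and rec["scheme"] == "http"
            and rec["process"].lower() in BROWSERS
            and shannon_entropy(rec["body"]) >= threshold)

# Constructed sample records (hypothetical fields; not captured traffic).
GRABBED = b"login=alice;pass=hunter2;balance=1234.56;url=http://bank.example/\n" * 10
SAMPLE: List[Dict] = [
    {"process": "firefox.exe", "method": "POST", "scheme": "http",
     "host": "forum.example", "body": b"title=Zeus+v2+tested&body=no+outbound+seen"},
    {"process": "firefox.exe", "method": "GET", "scheme": "http",
     "host": "news.example", "body": b""},
    {"process": "firefox.exe", "method": "POST", "scheme": "http",
     "host": "gate.example", "body": rc4(b"constructed-sample-key", GRABBED)},
]

def flag_hosts(records: List[Dict]) -> List[str]:
    """Hosts that received browser POSTs tripping the heuristic."""
    return [r["host"] for r in records if is_suspicious_post(r)]
```

    A legitimate browser upload of compressed or already-encrypted content over plain HTTP trips the same heuristic, so treat a hit as a lead to correlate with the memory-modification prompts the posters saw, not as a verdict on its own.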
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Same here, but I still didn't see ANY dodgy outbound IPs?

    Agreed ;)

    Aha, maybe that's why ?

    Virustotal Result from round about the time I tested it = 19/44 (43.2%)
     