Zeus v2 (Ice-IX) tested

This is an updated/improved version of Zeus, with "supposed" firewall bypassing code in it.

So i wanted to see how this nasty circumvented my Firewall, or tried to, amongst other things. I found a suitable infected www & DL'd it to my desktop, after disabling my AV & setting ProcessGuard to allow New/Changed Apps etc, & enabling ShadowDefender.

I allowed All the following









It tried to modify All these !



More ....

 

I noticed that info.exe had Completely disappeared from my desktop & was nowhere to be found ! I "presume" it had just morphed into zeocifi.exe & then Banjo Sting ?

A bit later i went back to the same www & this time i found the file had been renamed.



Once again it tried to modify All these !



Later on today with a "bit" more time, i redid the tests with both nasties, but this time changed the Modify FF settings in PG to Allow. This time i saw constant FF CPU @ around 33% & 1 x svchost entry @ around 30%. After about 5 mins everything got really sluggish, with CPU hitting 100% & then it instantly rebooted to the BIOS PW prompt. Not having time to continue there & then i switched off until much later on today.

I noticed NO outbound firewall activity, or dodgy ins/outs via WireShark either, on ANY test ? Due to my using ShadowDefender i was unable to verify if Anything might have been different after a "normal" reboot !

To me, a True FW Bypass would look something like this



From the above & what i saw, it "seems" as if this Bypass is NOT a True one, but just uses other Apps to inject code into & piggy back out. This technique as such isn't new, even if the code in (Ice-IX) "might" be more accomplished than before. In my tests, it "appears" not to be All that !

Be nice if others could see how it fares on theirs

 

Thanks for the info.

 

@ Hungry Man

Pleasure

 

Hi, seems straightforward to me. It will modify legit processes in memory and then will get outbound access through them.

 

As I guessed, got many prompts of memory modification but I could not trace any outbound at all. Does it ever connect out. I doubt.

 

My understanding of Zeus was that it injected into existing processes to connect out and 'bypass' firewalls. I don't think they need to develop any new bypass technique when the existing ones work so well

The alerts are interesting here. Could somebody test it with Spyshelter and Online Armor to see what their alerts look like?

 

Some more info:

 

Where did you get this quote? It is a translation from an Ice IX’s coder

 

I did a bit of googling and if I recall correctly it came from an RSA blog.

Edit: yes, here it is:
http://blogs.rsa.com/rsafarl/new-trojan-ice-ix-written-over-zeus-ruins/

It is indeed from the coder

 

Thanks for quick reply Scoobs72

Gerard

 

Yeah, how strange ? Not much use then So much for ALL the hoo ha about it's "supposed" new tricks Unless we missed something/s ?

Thanks for testing

@ Scoobs72

Thanks for the info

 

Only thing that I noticed it also injects code into the browser if it was already running, so that,s easy way for outbound access. However it did not launch the browser itself.

 

It probably won't do anything until you launch a https session, at which point it goes into 'grabbing' mode. The outbound communication to the c&c server is RC4 encrypted http posts, which probably happens via the browser, hence 'bypassing' the firewall.

 

Same here, but i still didn't see ANY dodgy outbound IP's ?

Agreed

Aha, maybe that's why ?

Virustotal Result from round about the time i tested it = 19/44 (43.2%)