Ice – IX, the Zeus banking trojan succesor ?

As expected, the leaked Zeus banking trojan source pushed its development further. For who does not know a banking trojan is a piece of malware specialized in stealing the online banking credentials, sniffing the traffic, hooking the main Windows dll functions imported by the browsers as wininet.dll or injecting fake forms in legit web pages.

Ice IX is a banking trojan derived from Zeus with a major improvement added : the config file is now retrieved from the server via proxy.php file using the encryption key as a request parameter. The same encryption key is used to encrypt the data transferred between bot and Command and control server. Not using the encryption key above mentioned lead to a 404 error and configuration file can not be accessed and analyzed, this way the trackers — a major problem of Zeus, are avoided. As advertised on one of the forums, the main features are:

Main functionality:

* Key logging (with ability to get screenshots of mouse pointer zone)
* Grabbing of http and https forms and injects (standartd format of injects for Zeus) in Explorer and Mozilla Firefox (also all wininet.dll and nspr4.dll based browsers: AOL, Maxton…)
* Grabbing cookies, .sol files, saved form data
* Grabbing FTP clients: FlashFXP, Total Commander, WsFTP 12, FileZilla 3, FAR Manager 1,2, WinSCP 4.2, FTP Commander, CoreFTP, SmartFTP
* Grabbing Windows Mail, Live Mail, Outlook
* Socks 5 with back connect
* Screenshots in real-time, you can say what URL to be screened
* Getting certificates from “My� store and clearing it. After clearing new imported certificate will be saved to server
* Searching files on logical disks by mask or loading an exact file
* TCP traffic sniffer
* Wide range of command to control an infected PC (download and execute arbitrary file, setting home page, enable/disable injects, kamikaze etc…like in Zeus

Main advantages:

* Protection from Trackers.
The config file now id getting not directly but throw the proxy.php file where you should enter the same key using for crypt data exchange between bot and control panel. If the request for config is created not by bot with the same key the 404 error will be returned. So no way to download and analyze the configuration file.
This is a major advantage if you are creating a big botnets, because the main problem of original Zeus – it is trackers.
* Higher response and longer vitality. It is cheaper to create the botnet.
* Updates and support. All updated for 1.x.x version are free for customers
* A possibility to develop custom solutions.

The selling price is around $1600.

At time of writing this, a sample of Ice IX banking trojan can be found at:

This sample creates 2 folders with random names in %current user%\Application Data folder, containing trojan files also with random names like:

Kehiisy containing vuziaqu.exe, the main trojan body, MD 5: C4EB3205BE23CEDEF75DA91590886C69

Utzie containing a file, miqicei.ced but as I said the name of the file or the extension are different from install to install perhaps trying to avoid antivirus detection based on file signature.

Also this sample of Ice banking trojan injects code in legitimate cmd.exe process and create a registry value each time with a different name and different data:

“Yxyxhi=A4E5E5B506FFBB311770628C3E00EDFBC53CE37572E46D1A57946767B66B249E6423AD6216031F2D3194019BD8FA016BC8CC0054EB9CC34929C3032F8554FE7B2EBBDF62CF9392C4BBEAA62680A1405BFF190FFEE06714E2F7A909F7C1E5BF100F6A5FBEE61949CD6C27EA23171A3009E933CBF0” in key HKEY_CURRENT_USER\software\Microsoft\Vyimfo 

or another:

“Uxybu=1BD2662DAABB42138C40ED2E1650C16AEF9DF97B830A6AC76BF751DF39D449E00F78240661D50EDC8B4038A457313E0D9AC2EC58524B1D35E97EB7563431DFA302ABD51D1CA414B9F403A151BFB05B2FD3FFE23C68E9715D0DC9A2736AC05F953A10DCABB7A264647B59AEE2D25419589EF43EA0” in key HKEY_CURRENT_USER\software\Microsoft\Boty 

To avoid computer infections with this banking trojans is recommended to always update: your antivirus software, your browser, browser plugins and your operating system.

Keep safe !

Posted in Thoughts.

Leave a Reply

Your email address will not be published. Required fields are marked *