Sunday, August 28, 2011

Meet Ice IX, Son Of ZeuS

Earlier this year the online banking malware ZeuS trojan's source code was leaked. One of the predictions made by security researchers at the time was that the leaked code would be used by independent malware developers, who would explore it and develop their own hybridized versions of ZeuS, adding custom features and advancements to it.

A new trojan was briefly presented to cybercriminals in the Russian-speaking underground in late April 2011 (as v1.0.0). The developer who wrote the new trojan, and named it "Ice IX", openly declared that he developed his new trojan based on the ZeuS v2 source code, and in doing so allegedly perfecting flaws and bugs he believed needed fixing to improve the product's value to its cybercriminal customers.

What's in a name: the meaning of "Ice IX"
The naming of Ice IX is quite interesting; there are a number of sources from which the developer could have been inspired to name the new trojan Ice IX. I've listed these in order from "most likely" to "least likely" to have been the inspiration.

  1. Ice 9 is a fictional computer virus from the film "The Recruit" (2003). The malware, named Ice-9 in tribute to Kurt Vonnegut's ice-nine (see item no. 8 below), would erase hard drives and travel through unprotected power sources, possibly erasing data from every computer on Earth.
  2. Ice 9 is an album by the Russian rock band Smyslovye Gallyutsinatsii, two songs from which won the band the Russian Golden Gramophone award twice. The band is also known under the much shorter name "Glyuki", a slang term which means basically the same as the long name: glitches in your brain.
  3. ICE is a well known cyberpunk reference to "Intrusion Countermeasures Electronics", software which works to prevent intruders/hackers/cyberpunks from getting access to sensitive data. It is "visible" in cyberspace as actual walls of ice, stone, or metal. Black ICE refers to ICE that is capable of killing the intruder if deemed necessary or appropriate; some forms of black ICE may be artificially intelligent.
  4. In cryptography, ICE (Information Concealment Engine) is a block cipher published by Kwan in 1997. The ICE algorithm is not subject to patents, and the source code is in the public domain.
  5. The term ICE, referencing the cyberpunk usage, has been adopted by some real-world security software manufacturers: BlackICE, security software made by IBM Internet Security Systems; Black Ice Defender, security software made by Network ICE; and Network ICE itself, a security software company.
  6. On April 28, 2009, the Information and Communications Enhancement Act, or ICE Act for short, was introduced to the United States Senate by Senator Tom Carper to make changes to the handling of information security by the federal government, including the establishment of the National Office for Cyberspace.
  7. Ice IX is a form of solid water stable at temperatures below 140 K and pressures between 200 and 400 MPa. It has a tetragonal crystal lattice and a density of 1.16 g/cm³, 26% higher than ordinary ice. It is formed by cooling ice III from 208 K to 165 K (rapidly, to avoid forming ice II). Its structure is identical to ice III other than being proton-ordered.
  8. Ice-nine is a fictional material conceived by writer Kurt Vonnegut in his 1963 novel "Cat's Cradle". It is different from, and does not have the same properties as, the real-world ice polymorph Ice IX; it exists, for example, as a stable solid at room temperature and regular atmospheric pressure.
  9. Ice 9 is a song by Joe Satriani from his album Surfing with the Alien.
  10. Ice Nine is a first-person shooter game for the Game Boy Advance console.
  11. A substance called Ice 9 is referred to in the Nintendo DS game "999: Nine Hours, Nine Persons, Nine Doors". It seems to be a reference to Vonnegut's ice-nine substance, and not to the real thing.
  12. Ice Nine is the name of a new screenplay currently in development by the New York production company Whiskey Outpost.
Wow, bet you never knew there were so many references to ICE and Ice 9 in the world, right?! So... back to the malware form of Ice IX...

Tracker Evasion
The new feature considered most valuable by Ice IX's developer is a defense mechanism designed to evade tracker sites, which he managed to implement in version 1.0.5 of the Ice IX trojan. As the developer repeatedly stressed, his buyers will finally be able to sidestep what has apparently become quite the hurdle for cybercriminals: the ZeuS and SpyEye trackers. The two main tracker sites, "ZeuS tracker" and "SpyEye tracker", are operated by a Swiss-based organization which monitors and reports malicious C&C (Command and Control) servers to web users, service providers, CERTs and law enforcement agencies. Ice IX's developer claims that the evasion mechanism means the malware can be hosted on standard (legitimate) hosting servers, as opposed to having to use so-called "bulletproof" servers, which are expensive and typically operate specifically to service cybercrime-based customers.

A Better Injection Mechanism
The injection mechanism refers to how the malware is able to "inject" code and data into the webpage of an online banking site while the user is actually using the site, in order to alter the function of the page. Typically ZeuS has had problems when injecting into JavaScript and also had difficulty maintaining the original look and feel of a page when CSS was used. Ice IX seems to have overcome some of these issues, giving the malware a much better success rate.

Marketing the Malware
Extracts from the original text posted by Ice IX's developer in a Russian forum, translated to English:

Ice 9 is a new private Form Grabber-bot based on ZeuS, but a serious rival to it. Built on a modified ZeuS core, the core was re-worked and improved. The bypassing of firewalls and other proactive defenses was perfected. Moreover, the injection mechanism has been improved, allowing much more stability for the injections. The main purpose of this trojan was to counteract trackers, raising the conversion rate and the bots' TTL (time to live), as compared to its predecessor. These features were successfully implemented as we constantly work to further improve the code.

Main Functions

  • Keylogging
  • HTTP and HTTPS Form Grabbing, injecting its own code into IE and into IE-based browsers (Maxthon, AOL, etc.), as well as Mozilla Firefox.
  • .sol Cookie Grabbing and scraping info from saved forms
  • FTP client credentials grabbing: FlashFXP, Total Commander, WsFTP 12, FileZilla 3, FAR Manager 1, 2, WinSCP 4.2, FTP Commander, CoreFTP, SmartFTP
  • Windows Mail, Live Mail, Outlook grabbing
  • Socks with backconnect possibility
  • Real-Time screenshots, plus the option to automate taking screenshots while the bot browses to preset URLs
  • Grabs certificates from MY storage space and clears storage (certificates marked as “Non-Exportable” cannot be exported correctly). Once cleared, all new certificates will be sent to the bot master's C&C server.
  • Upload specific files from the infected machine or perform searches on local disks enabling wildcards.
  • TCP protocol traffic sniffer
  • Elaborate set of commands to control the infected PCs 
  • Protected from trackers¹
  • Host your botnet with conventional hosting, not needing bulletproof servers, which will save you loads of money.
  • Better bot conversion rate², frequent version upgrades and tech support.
  • Developing more modules and features may be negotiated per the client’s request.
¹ By trackers, the developer means the ZeuS tracker and SpyEye tracker: Swiss-based anti-malware organizations.
² Bot conversion rate is the number of bots which actually communicate with the C&C server divided by the total number of bots infected.

Licensing and Prices for Version 1.0.5

  • BASIC LICENSE: Trojan with hardcoded C&C server: $600. You get the Bot + the Builder that generates the configuration file.
  • COMPLETE LICENSE: Open Trojan with unlimited Builder license: $1,800 

Ice IX is offered at a lower price than what one would have paid for a comparable ZeuS kit or SpyEye kit (SpyEye is still being sold for approximately $4,000 USD today). According to earlier posts about Ice IX, an open license to the first version (v1.0.0) was sold for $1,500.

Upcoming Enhancements
In an English-speaking online forum, the trojan's developer gives potential buyers a glimpse into what will be included in the next upgrade:

  • HTML & JavaScript injections that will work on the Firefox browser.
  • A function that will block the SpyEye trojan on Ice IX-infected PCs (this sounds exactly like the 'Kill ZeuS' feature of SpyEye).
  • As with ZeuS, Ice IX will encrypt communication with the C&C server, using a different encryption algorithm to ZeuS.

Review of Ice IX by another Cybercrime Vendor
After the posting of Ice IX, another vendor, one who sells HTML injections, gave the Ice IX trojan his stamp of approval. This vendor, as a new Ice IX buyer, had some opinions on its injection mechanism:
  • JavaScript files are easily injected, and you can’t say that about ZeuS 
  • CSS files are successfully injected; it appears that Ice IX supports the use of Cascading Style Sheets in the process of integrating injected content into the original website's look and feel. This improvement steps up the appearance of injected content and web page replicas.
  • The order of the data_before, data_after and data_inject blocks plays no role; the trojan understands them in any order. When referring to data_before / data_after blocks, the fraudster is speaking of the delimiters that must be specified for a web injection. For example:
    • Data_before: When a login set requires username, password and secret question, the data_before is all three sets
    • Data_inject: The additional data that the fraudster would like to inject into the page
    • Data_after: The marker that bounds the end of the data the trojan looks for
In the ZeuS trojan's injection mechanism, these three blocks had to come in a specific order. Using Ice IX, the order no longer matters; the trojan understands what it has to locate and inject. This means the new injections are more fault-tolerant than they were in ZeuS. Other code changes also aim at ease of use, making Ice IX more forgiving in a sense: the use of wildcards in URL names does not slow page loading, and case-sensitive search terms can be used in the data fields the trojan searches.
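To make the data_before / data_inject / data_after mechanism concrete, here is an added Python example (not code from this post, nor from the Ice IX or ZeuS kits) in the style of an analyst's config reader: it parses the publicly documented ZeuS 2 webinject syntax (set_url, the three data blocks, data_end), accepts the blocks in any order as the vendor describes for Ice IX, matches a URL against a wildcard mask, and shows where in a captured page the injected content would land. It assumes that '*' is the only wildcard, that the page text between the data_before and data_after matches is replaced by data_inject, and that an empty data_after means plain insertion; the config and HTML are constructed samples, and the G/P flag letters are taken from the public ZeuS documentation. An incident responder can use a reader like this to turn a config recovered from an infected host into the "expected" modified page and diff it against what the bank actually serves.

```python
"""Reader for ZeuS-style webinject configuration (added example, not Ice IX code).

Assumptions: the public ZeuS 2 syntax set_url / data_before / data_inject /
data_after / data_end; '*' is the only wildcard in URL masks and data blocks;
the text between the data_before and data_after matches is replaced by
data_inject, and an empty data_after means plain insertion.
SAMPLE_CONFIG and SAMPLE_PAGE are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: blocks deliberately given out of order, which Ice IX
# accepts (ZeuS required before / inject / after).
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_inject
<!-- INJECTED MARKER -->
data_end
data_after
data_end
data_before
<input type="password"*>
data_end
"""

# Constructed sample of a clean page as served by the site.
SAMPLE_PAGE = """\
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass">
</form>
"""

BLOCK_NAMES = ("data_before", "data_inject", "data_after")


@dataclass
class WebInject:
    url_mask: str
    flags: str = ""          # e.g. G = GET, P = POST (ZeuS flag letters)
    data_before: str = ""
    data_inject: str = ""
    data_after: str = ""


def parse_webinjects(text):
    """Parse a config into WebInject entries; data blocks may come in any order."""
    injects, current, block, buf = [], None, None, []
    for line in text.splitlines():
        word = line.strip()
        if block is not None:                  # inside a data_* ... data_end block
            if word == "data_end":
                setattr(current, block, "\n".join(buf))
                block, buf = None, []
            else:
                buf.append(line)               # keep block content verbatim
        elif word.startswith("set_url"):
            parts = word.split()
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif word in BLOCK_NAMES:
            if current is None:
                raise ValueError("%s before any set_url" % word)
            block = word
    if block is not None:
        raise ValueError("unterminated %s block" % block)
    return injects


def _mask_to_regex(mask, flags=0):
    """Turn a mask where '*' matches anything (lazily) into a compiled regex."""
    return re.compile(".*?".join(re.escape(part) for part in mask.split("*")), flags | re.S)


def url_matches(inject, url):
    """URL masks are matched case-insensitively over the whole URL."""
    return _mask_to_regex(inject.url_mask, re.I).fullmatch(url) is not None


def locate_injection(page, inject, case_sensitive=False):
    """Return (start, end) of the page span data_inject would replace, or None.

    With an empty data_after the span is empty, i.e. a pure insertion right
    after the data_before match. case_sensitive mirrors the search option
    the post mentions for Ice IX.
    """
    flags = 0 if case_sensitive else re.I
    before = _mask_to_regex(inject.data_before, flags).search(page)
    if before is None:
        return None
    start = before.end()
    if not inject.data_after:
        return (start, start)
    after = _mask_to_regex(inject.data_after, flags).search(page, start)
    if after is None:
        return None
    return (start, after.start())


def render_expected(page, inject, case_sensitive=False):
    """Produce the page an infected browser would render; unchanged if no match."""
    span = locate_injection(page, inject, case_sensitive)
    if span is None:
        return page
    start, end = span
    return page[:start] + inject.data_inject + page[end:]


def injects_for_url(injects, url):
    """All entries whose URL mask covers the given URL."""
    return [inj for inj in injects if url_matches(inj, url)]


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    for rule in injects_for_url(rules, "https://bank.example/login?lang=en"):
        print("rule for", rule.url_mask, "flags", rule.flags)
        print(render_expected(SAMPLE_PAGE, rule))
```

Running the module prints the constructed login form with the marker inserted directly after the password field, which is the insertion point the data_before block selects; a rule whose data_before does not occur in the page leaves it untouched, and switching on case_sensitive makes an upper-cased copy of the same page fall through, illustrating why the case-sensitivity option matters for matching.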

So we can expect that from now on, more new banking malware will be based on ZeuS (and SpyEye) code. New malware developers, hoping to profit from cybercrime, will attempt to create their own new alternatives based on this source with the addition of incremental improvements over the older versions.

Follow @dodgy_coder
