In May 2011 the RSA Research Lab blogged about the leak of the Zeus Trojan’s source code. Once such coveted source code was public, security researchers were convinced that it would attract independent coders who would study it and write their own derivative versions of the old Zeus as they saw fit.
That day was not long in coming: a new commercial Trojan, initially introduced to cybercriminals in the Russian-speaking underground, was briefly presented in late April 2011 (v1.0.0). Its coder, who named the new Trojan “Ice IX”, openly declared that he had developed it from the Zeus v2 source code, supposedly ‘perfecting’ whatever flawed functions he believed needed revamping or could make his buyers’ lives easier.
The new Trojan possesses improved Zeus capabilities as well as several additional features that did not exist in the original Zeus. Apparently, the feature Ice IX’s coder considers most valuable is a defense mechanism designed to evade tracker sites, which he managed to implement in version 1.0.5 of the Trojan.
As Ice IX’s coder repeatedly stressed, his buyers would finally be able to sidestep what has apparently become quite a hurdle for cybercriminals: the Zeus and SpyEye trackers. The two main tracker sites are operated by a Swiss-based organization that monitors malicious C&C servers and reports them to web users, service providers and law enforcement agencies (ISPs, CERTs and police cyber units).
Ice IX’s coder claims that the evasion mechanism will also allow cybercriminals to host their malware on standard hosting servers (with legitimate service providers) rather than on cybercrime-themed bulletproof servers. This change is intended to save Ice IX operators the considerable hosting expenses they would otherwise pay for bulletproof infrastructure.
Ice IX, The First Crimeware Based on the Leaked ZeuS Sources
FAIL: Ice IX Boasts of Eluding Tracker Services
Is Ice IX a new threat? Not really. It has the same functionality as ZeuS, but it tries to evade ZeuS Tracker & Co (but royally fails).