Ice IX Description
Ice IX is a bot developed from the leaked source code of ZeuS 220.127.116.11. The supposed author of the threat didn't hold back when advertising the malware on underground hacker forums. The threat is described as vastly superior to ZeuS thanks to having significant enhancements and modifications written to the code. Three main areas of improvement have been mentioned specifically. Apparently, Ice IX is far better at bypassing firewalls, avoiding being caught by proactive protection solutions while also remaining undetected by trackers. The last point most likely refers to the ZeuS tracker that hampered cybercriminals at the time. Two versions of Ice IX were offered for sale - a $600 one that had a hardwired Command-and-Control (C2, C&C) URL built into it and a $1800 version without the hardcoded URL.
When infosec researchers took a closer look at Ice IX's code, however, they discovered that the so-called enhancements were minor modifications that changed the structure or behavior of the threat barely, when compared to the original code of ZeuS 18.104.22.168. First, the author of Ice IX simply brought back a section of code that was commented out in the leaked ZeuS code. This code was responsible for finding and processing email credentials. Another difference was that a single launch argument - '-i' was no longer supported due to the creator of Ice IX removing the section of the code responsible for processing this key. In the original ZeuS, this argument displayed a window with information about the threat. Another 'major' enhancement is the substitution of the special characters used to define the behavior of ZeuS when the targeted user visits certain websites. In Ice IX the original characters '!', '@', '-', and '^' are simply replaced with the letters 'N', 'S', 'C' and 'B.'
Arguably, the biggest change was observed in the way data from the Registry was being read due to the API function RegOpenKeyEx being removed from the function responsible for this process. At the time, some anti-malware solutions may have been fooled by the changes resulting in decreased detection of the threat. As for avoiding detection from trackers, the researchers couldn't find conclusive evidence that it exists in the first place. At most, they surmised that the creator of Ice IX may have been referring to the new method of downloading the configuration file of the threat. While ZeuS used a hardcoded URL, Ice IX employed a specific POST that must include the parameters id=&hash=. As a whole, the process was made to include several additional steps, but, by leaving the same encryption algorithm that was observed in ZeuS (the RC4 algorithm), it fails to produce any meaningful results.