{
	"id": "dfa85db3-fa85-4f60-bb66-8c2920eebf0a",
	"created_at": "2026-04-06T00:10:56.916213Z",
	"updated_at": "2026-04-10T03:31:18.95399Z",
	"deleted_at": null,
	"sha1_hash": "21c777928cdaea9a22bfbd5dedbe41d303640fe1",
	"title": "Ice IX: not cool at all",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 425079,
	"plain_text": "Ice IX: not cool at all\r\nBy Dmitry Tarakanov\r\nPublished: 2011-09-14 · Archived: 2026-04-05 17:47:21 UTC\r\nMy colleague Jorge Mieres recently found a C\u0026C server of a botnet based on a malicious program called Ice IX.\r\nAs announced on several user forums, Ice IX is a bot created using the source code of ZeuS 2.0.8.9, which became\r\npublicly available in May. The author of the new bot says the program includes substantial enhancements, which\r\nshould be interesting to those cybercriminals who steal money from users with the help of banking Trojans.\r\nFigure 1. Description of the bot\r\nAs you can see in the screenshot, the description of the new program focuses on the enhancements allegedly\r\nintroduced into the ZeuS original code. These included bypassing firewalls, bypassing proactive protection\r\nprovided by security products, and protection from detection by trackers. The latter obviously refers to the ZeuS\r\nTracker https://zeustracker.abuse.ch, which has been making cybercriminals’ life difficult. The program’s author\r\ncharged $600 for a version of the bot with a hardwired URL that the bot must connect to after infection (i.e., the\r\nC\u0026C address), and $1800 for a version without a hard-coded C\u0026C address.\r\nUnfortunately, we were unable to obtain a sample of the enhanced Ice IX version – possibly, because nobody had\r\npurchased it. Most likely, this version included a mechanism that was similar to that implemented in ZeuS\r\nbeginning with version 2.1. Here is how it worked in ZeuS: the bot included a key that was used in combination\r\nwith the current date to generate 1020 domain names each day. The bot searched through this entire list, trying to\r\nfind its C\u0026C server.\r\nAt the same time, someone has apparently tested the base version of the bot kit. These samples were analyzed for\r\ndifferences from the original ZeuS samples used as the basis for the Ice IX bot.\r\nI must confess, I had expected more. 
The author advertised the programs as something special, and in addition,\r\nthere was a comment in the thread that the author deserved credit for bypassing proactive detection, since it was\r\nan important improvement, concluding that this was no doubt a completely new bot, much better than ZeuS… In\r\nfact, however, it was all a bunch of lies. There were no major improvements compared to ZeuS 2.0.8.9 – the\r\nversion which became publicly available.\r\nHere are the differences I was able to identify:\r\n1) ZeuS can find the user’s email credentials saved on the infected system. The bot sends any data found to the\r\nbotnet operator, giving the cybercriminal access to the victim’s mailboxes. However, the code section responsible\r\nfor finding and processing email credentials was commented out in the original ZeuS source code. The author of\r\nIce IX simply removed the comment marks from this code, so the modules that were not included in ZeuS 2.0.8.9\r\nsamples were present in his bot.\r\nhttps://securelist.com/ice-ix-not-cool-at-all/29111/\r\nPage 1 of 5\n\n2) The ZeuS 2.0.8.9 bot can be launched with the following arguments: -f, -n, -v, -i. I won’t go into the discussion\r\nof what each of them means. Let me just mention the key -i: if a ZeuS 2.0.8.9 sample is launched with this key, a\r\nwindow with some information about the bot will be displayed:\r\nFigure 2. ZeuS 2.0.8.9 information window\r\nThe author of Ice IX simply removed the fragment processing this key from the code. Consequently, the Ice IX\r\nsample does not support this argument.\r\n3) A modified function associated with reading data from the registry has been identified. There is a small\r\nchance that this could be the “enhancement” introduced in order to bypass proactive protection provided by\r\nsecurity products. 
However, it could also be merely the consequence of compiler optimization – the result of\r\ncompiling the bot’s code might have been slightly different from that for the original ZeuS code due to the\r\nchanges, albeit small, introduced into Ice IX. In the ZeuS 2.0.8.9 code, the function that reads data from the\r\nregistry includes all the API functions required for this task, i.e., RegOpenKeyEx, RegQueryValueEx and\r\nRegCloseKey:\r\nFigure 3. The function in ZeuS which reads data from the registry\r\nWhen a value needed to be read from the registry, it was done as follows:\r\nFigure 3a. Calling the function which reads from the registry in ZeuS\r\nIn the Ice IX sample, there are some changes in the places where the function is called. The API function\r\nRegOpenKeyEx was removed from the function that reads registry data:\r\nFigure 4. The function in Ice IX that reads data from the registry\r\nAs a result, whenever a value needs to be read from the registry, the caller first invokes the API function\r\nRegOpenKeyEx to open the registry key (e.g., under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE) and only\r\nthen calls the actual registry read function:\r\nFigure 4a. Calling the function to read from the registry in Ice IX\r\nI admit that some antivirus products may possibly detect ZeuS based on the presence of the above registry read\r\nfunction. It is quite probable that this essential function is present in all ZeuS samples regardless of version; it is\r\nalso possible that its code uniquely identifies this entire malware family. Why not, after all? In this case,\r\nmodifying this function (e.g., removing RegOpenKeyEx) would help to prevent any detection which depends on it.\r\nI didn’t test all antivirus products on Ice IX samples, so I cannot say whether any product would fail to detect\r\nthem because of this change. 
I only scanned the sample with KIS 2012 using old antivirus databases dating back\r\nto June, when nothing was known as yet about Ice IX. As the bot was running, KIS 2012 detected dangerous\r\nactivity and blocked the program’s execution. No wonder: given the long history and extensive functionality of\r\nZeuS, there are quite a few criteria based on which KIS/KAV can detect this malware family’s malicious code.\r\nNow, let’s move on to the significant changes that distinguish Ice IX from ZeuS 2.0.8.9 at least to some extent.\r\n4) In the ZeuS configuration file, there is a section called “Web Filters” in which the botnet operator defines how\r\nthe bot should respond when the user visits certain websites. This is done using the special characters “!”, “@”, “-”\r\nand “^”.\r\nLet’s look at the way in which the “@” character is used. It is placed before the URL (e.g., @*/login.osmp.ru/*) to\r\ntell the bot to make screenshots when the user visits any addresses matching the mask specified every time that the\r\nuser left-clicks the mouse, and then to send the screenshots to the cybercriminal. This is a mechanism that allows\r\nthe cybercriminal to reconstruct the data entered by the user on the website using the virtual keyboard. Other\r\nsymbols also define specific actions to be performed by the bot. All that the author of Ice IX did was to assign\r\ndifferent characters to the same functions: the letters “N”, “S”, “C” and “B” have replaced “!”, “@”, “-” and “^”,\r\nrespectively.\r\n5) The last distinguishing feature is a slightly modified method used by the bot to download the configuration file.\r\nIn its code, ZeuS includes a hard-coded URL of a configuration file that anyone can download, e.g.,\r\nhttp://www.example.com/files/config.bin. The author of Ice IX makes the point that it is this availability of\r\nconfiguration files that is at the root of all problems with trackers. 
So how does he address this issue? Here is his\r\nsolution. You can no longer simply download the configuration file from a URL. Instead, you must send a\r\nspecially formed POST request to a certain address (which is actually a URL hardcoded into the bot in the same\r\nlocation as in ZeuS 2.0.8.9). The request must include a pair of parameters, “id=\u0026hash=”, for example:\r\nid=TEST_WIN_XP_B5DF77116522DF69\u0026hash=DC0D2CAB39D49FC3D5E467501A2682C5\r\nid is the bot’s identifier, calculated using the same algorithm as in ZeuS 2.0.8.9. It is used for the bot’s direct\r\ncommunication with the C\u0026C.\r\nThe identifier is the computer’s name with a unique 16-digit hexadecimal number appended to it. From the C\u0026C\r\nviewpoint, both the computer name and the 16-digit number can be arbitrary. This identifier is encrypted using the\r\nRC4 algorithm (which ZeuS uses all the time to encrypt data) in combination with an S-box that is also hardcoded\r\ninto the bot. The MD5 checksum is calculated for the encrypted data and sent as the hash parameter. Since the bot\r\nidentifier can be arbitrary (at most it needs to meet the COMPUTERNAME_16CHARSHEXNUMBER\r\nformat), the only data needed to obtain the configuration file is the S-box – it is needed to encrypt the bot\r\nidentifier. But wait a minute. The configuration file is also encrypted using the same RC4 algorithm with the same\r\nS-box. Without the S-box, the configuration file is useless, a meaningless sequence of bytes. The really valuable\r\nstuff is inside the file.\r\nSo in the end it all comes down to this:\r\nBot | What is needed to obtain useful data from the configuration file\r\nIce IX | S-box\r\nZeuS | S-box\r\nThe question is: what is it that is supposed to make trackers’ life more difficult? And the obvious answer is\r\n“virtually nothing”. It might perhaps take an extra half hour to run a sample, make a dump, and identify the\r\nchanges made to known code. 
And that is only if one is going to do the analysis and mass-download different bots’\r\nconfiguration files. However, there is an easier way: getting the parameters of the POST request from an infected\r\ncomputer’s traffic, which is a matter of a few minutes. With all the hype, you wouldn’t believe it!\r\nThere is a saying about sports that can be applied to this situation: it takes one athlete with a 9-meter jump to win\r\nthe Olympics, not 9 athletes with 1-meter jumps. Same here: it doesn’t matter how many times or how many\r\nvalues are encrypted using the same algorithm and the same key – with the same source data, more iterations of\r\nencryption will not result in a significantly stronger encryption algorithm. But apparently, this is not what the\r\ncybercriminal was after, and this entire business is fraud, plain and simple. Somebody decided to make some easy\r\nmoney by selling supposedly enhanced malware with functionality that is already publicly available.\r\nSource: https://securelist.com/ice-ix-not-cool-at-all/29111/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/ice-ix-not-cool-at-all/29111/"
	],
	"report_names": [
		"29111"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775791878,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21c777928cdaea9a22bfbd5dedbe41d303640fe1.pdf",
		"text": "https://archive.orkl.eu/21c777928cdaea9a22bfbd5dedbe41d303640fe1.txt",
		"img": "https://archive.orkl.eu/21c777928cdaea9a22bfbd5dedbe41d303640fe1.jpg"
	}
}