
Ice IX

Posted: October 9, 2020

The Ice IX is a Trojan botnet and a minor update of the Keylogger Zeus. Besides changing and removing features and functions for obfuscation, the Ice IX exhibits the same dangers to users as its predecessor Trojan, such as recording keystrokes and collecting passwords. Windows users with active and up-to-date security solutions should detect and remove the Ice IX automatically, after which they should change any leaked passwords.

When a Botnet Upgrade is Just Another Scheme

It shouldn't shock readers to learn that criminals specializing in hawking Black Hat software aren't always upfront, even with their fellow lawbreakers. An 'update' to the Keylogger Zeus, one of the more well-known Trojan botnets, amusingly turns out to be little more than a con game played on the criminals buying it to hijack bank accounts. While the Ice IX isn't a one-to-one clone of that old Trojan, all of its supposedly-massive updates are trivial tweaks to freeware.

The Ice IX's basis is the 2.0.8.9 version of Keylogger Zeus – that is, the build whose code is available for free on the dark Web. Both Trojans use 'botnets,' or networks composed of infected systems, and leverage financially-motivated attacks of various kinds. Features that malware experts recommend watching for during infections include keylogging (recording keyboard typing), exfiltration of logins and security-question answers, and downloading additional threats, such as file-locker Trojans.

The Ice IX's advertisements market it as an update that solves many of the old Keylogger Zeus's problems, such as bot trackers. In reality, malware experts narrow down the Ice IX's updates to a very few, almost insignificant changes:

  • Altering configuration file availability to require pseudo-customized POST requests
  • Re-enabling a previously-disabled e-mail account credentials-collecting feature
  • Modifying the structure of a Registry-reading function
  • Removing a startup debug option
  • Changing some command characters in the configuration file
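The first change above, gating the configuration download behind POST requests rather than the plain fetch of the original build, is the kind of tweak that alters a bot's traffic shape without changing its behaviour: the bot still has to pull its configuration from the same server at regular intervals. The script below is an added example, not code from the original page or from any vendor, and it does not describe the Ice IX's real traffic (which the page does not detail). It runs a generic beaconing heuristic over constructed proxy log lines with hypothetical hosts and paths: a client that repeatedly POSTs to one URL, receives a sizeable response each time, and does so at near-constant intervals is reported as a suspected periodic pull.

```python
"""Beaconing heuristic over proxy logs (added example; log format, hosts and
paths are constructed for illustration, not observed Ice IX indicators)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client IP, method, URL, status, response bytes.
# 10.0.0.7 pulls a 16 KB blob via POST every five minutes; the others are ordinary traffic.
SAMPLE_LOG = """\
2020-10-09T08:00:01Z 10.0.0.5 GET http://intranet.example/index.html 200 5120
2020-10-09T08:00:03Z 10.0.0.7 POST http://203.0.113.10/gate/cfg.php 200 16384
2020-10-09T08:05:03Z 10.0.0.7 POST http://203.0.113.10/gate/cfg.php 200 16384
2020-10-09T08:10:04Z 10.0.0.7 POST http://203.0.113.10/gate/cfg.php 200 16384
2020-10-09T08:15:03Z 10.0.0.7 POST http://203.0.113.10/gate/cfg.php 200 16384
2020-10-09T08:02:10Z 10.0.0.5 POST http://intranet.example/login 302 0
2020-10-09T08:30:10Z 10.0.0.5 POST http://intranet.example/login 302 0
2020-10-09T08:01:00Z 10.0.0.9 POST http://mail.example/api 200 900
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, size = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "url": url,
            "status": int(status),
            "size": int(size),
        })
    return records


def find_post_beacons(records, min_hits=3, min_bytes=1024, max_jitter=0.2):
    """Return (client, url) groups that look like periodic POST-based pulls.

    A group qualifies when the client POSTed to the URL at least min_hits times,
    each successful response carried at least min_bytes, and the spread of the
    inter-request gaps (pstdev / mean) is at most max_jitter.
    """
    groups = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["status"] == 200 and r["size"] >= min_bytes:
            groups[(r["client"], r["url"])].append(r["ts"])

    hits = []
    for (client, url), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({
                "client": client,
                "url": url,
                "count": len(stamps),
                "interval_s": round(avg),
            })
    return hits


if __name__ == "__main__":
    for hit in find_post_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The thresholds are deliberately loose starting points; in a real deployment the same grouping would be run over a much longer window and combined with destination reputation, since legitimate software also polls on a schedule. The point is that swapping GET for POST, as the list item describes, does nothing to hide the periodic pull itself.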

Ultimately, very little about the Ice IX significantly challenges the cyber-security industry's tracking efforts or its heuristics for identifying the bots. Contrasted with its advertising, it becomes apparent that the Ice IX is a con, tricking other criminals into paying for an 'upgrade' to Trojan freeware whose changes offer nothing worth paying for.

The Proper Thawing of Robber Trojans

While the Ice IX is a con for those who take the dark Web's marketing at face value, it's not a neutered or harmless version of Keylogger Zeus. Like other spin-offs, such as the Gameover Zeus and the Silent Night, it's a capable collector of information and may help attackers breach bank accounts, among other possibilities. As malware experts find with many botnets, the use of a rental system also heightens the potential for unpredictable distribution methods for the Trojan bots.

Users can monitor account histories, especially for their banks, for any suspicious activity that might lead back to a banking Trojan or spyware infection. Besides collecting credentials related to logins and account security, the Ice IX also may drop other threats with various symptoms and attacks. The presence of file-locking Trojans that can encrypt and block files like documents is a previously-known possibility in some versions of Keylogger Zeus. Secure backups are, as always, integral for guaranteeing that any data is recoverable.

Since this threat's obfuscation is exceptionally minor, Windows users can protect themselves with most security solutions that already deal with Keylogger Zeus. Having anti-malware services active at the time of an attack should block the installation exploit and remove the Ice IX.

The Ice IX is a data collector, just like its predecessor, but one whose victims also include its so-called partners and affiliates. There's danger in trafficking in threatening software, not only for the intended victims but for everyone involving themselves in such a business transaction.
