New IceIX (ZeuS variant) changes its encryption method (again)

From Botnets.fr

Botnet: IceIX, ZeuS
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2011 / 20 October 2011
Editor/Conference: TrustDefender Labs
Link: http://www.tidos-group.com/blog/?p=447 (archive copy available)
Author: Andreas Baumhof
Type:

Abstract

In our last in-depth report we looked at enhancements of the notorious ZeuS trojan that focus solely on making life harder for automated detection tools and tracking software. We looked at three variants that are based on the leaked source code. The fear is that a proliferation of too many different variants will make the various trojans harder to detect and track.

One of the variants is called IceIX, and on October 13 we noticed the presence of a new in-the-wild IceIX ZeuS variant. We therefore decided to take a brief look. The sample had a size of 169,984 bytes and an MD5 of ed34b46a4524c7d05e45200eaf09f765. It contained exactly the same number of routines as the previous variant, 634. There were minor changes to around 20 of the routines; the rest were unchanged.

As you’ll see below, the changes are minimal, but the result is that all automatic decryption routines will fail!

Well, it seems that the bad guys continue to “tweak” the encryption algorithm and the arms race continues up until we finally implement some proactive solutions rather than reactive countermeasures.

Bibtex

 @misc{2011BFR869,
   editor = {TrustDefender Labs},
   author = {Andreas Baumhof},
   title = {New IceIX (ZeuS variant) changes its encryption method (again)},
   date = {2011-10-20},
   month = oct,
   year = {2011},
   howpublished = {\url{http://www.tidos-group.com/blog/?p=447}},
 }