At the beginning of the year we observed shift of malware chosen by criminals. Old Citadel starts losing market pushed out by new versions of KINS. The threat was important enough to be added to ZeusTracker. After this the game changed, new encryption schema came to play, confusing researches.

Following this, some AV companies rediscover other, rather stealth branches of KINS and start giving them fancy names confusing us even more. But who can blame them when there are so many mutations floating around?

We’ll demonstrate methods how to distinguish variants of ZeuS-like malware, how to determine their version and show some other juicy stuff that they have in common that we can take advantage of. We start this journey with digging into ZeuS internals showing how important parts evolved and that there are things that survive all mutations. Along the way we show how to deal with most recent mutations to extract configurations details. At the end we show that we don’t really need to know what mutation/version we are dealing with to get most the important pieces.

The talk will be accompanied with release of tools to parse and print BinStruct, yara signatures to distinguish mutations that we use, tricks that make analysis faster and last but not least service that can crack most zeus-like malware (zdump).