ZeuS Meets VM – Story so Far

At the beginning of the year we observed a shift in the malware chosen by criminals. The old Citadel started losing market share, pushed out
by new versions of KINS. The threat was important enough to be added to ZeusTracker. After this the game changed: a new encryption scheme
came into play, confusing researchers.

Following this, some AV companies rediscovered other, rather stealthy branches of KINS and started giving them fancy names, confusing us even
more. But who can blame them when there are so many mutations floating around?

We’ll demonstrate methods for distinguishing variants of ZeuS-like malware and determining their version, and show some other juicy things
they have in common that analysts can take advantage of. We start this journey by digging into ZeuS internals, showing how important parts
evolved and that there are things that survive all mutations. Along the way we show how to deal with the most recent mutations to extract
configuration details. At the end we show that we don’t really need to know which mutation/version we are dealing with to get the most
important pieces.

The talk will be accompanied by the release of tools to parse and print BinStruct, the YARA signatures we use to distinguish mutations, tricks
that make analysis faster and, last but not least, a service that can crack most ZeuS-like malware (zdump).
