Friday, June 3, 2011

A Little Bit About Crypters

What are Crypters?
The term "crypter" is derived from the term "encryption". The purpose of a crypter is to crypt (or encrypt) data, generally speaking, computer programs. The basic goal of a crypter (or any form of encryption) is to take some form of data and encrypt it so that to the normal eye it is incomprehensible and nonsensical, and then give it the ability to be decrypted, and put back into comprehensible and sensible terms.

We do this through a cipher. A cipher is a common term when it comes to code/encryption. We use the cipher to encrypt and decrypt various messages, for example, the cipher might be to shift every letter down one (for example: a would become b, b to c, c to d, and so on).
Nowadays, we do this all the time on computers. It's important that what we put on computers is secure (I don't want my credit card number to be read by everyone each time I enter it on Amazon).

However, nowadays we use somewhat more complex ciphers than just shifting each letter down one. We now call our ciphers algorithms. Algorithms are sort of like mathematical formulas that can be applied to data to encrypt and decrypt it. For example, the algorithm of the shifting cipher I showed you would simply be to add 1 to each character's position in the alphabet. Of course, in algorithms we mostly deal with numbers, as there are infinitely many numbers but only 26 letters in the standard alphabet.

Now crypters go beyond just encrypting random data, we use them to actually encrypt programs - concealing the identity of the program. We do this mostly to pass off viruses as clean/goodware. By encrypting the program, we can avoid detection by the user, and by the antivirus software the user may have in place. Of course, there are other types of crypters, and even other uses of program/application crypters - however that's their most common use.

If you've been on HackForums.net any time, you'll certainly have realized that crypters are a major part of black-hat (malicious) hacking.

How do they work?
Crypters work by crypting (encrypting) the data (bits) of a program. A crypter applies an encryption algorithm (basically a cipher of sorts) to the actual code of the program, then reassembles the program into a working form. There are generally two parts to a crypter. There's the GUI we interact with, often called the Client. The other part is the stub; this is the part that actually takes the file we put into the GUI and encrypts it, then decrypts it when it comes time to run.

What's the difference between a crypter, a packer, and a binder?
A crypter encrypts your files, while a packer packs your files with the intention of making them smaller in size and sometimes avoiding scantime detection (you'll learn that later). A binder binds two files together, making something like a picture actually turn out to be the virus.

Learning the Lingo
Scantime - A ScanTime crypter encrypts the file so antiviruses won't be able to analyze the file before execution (when the file is first scanned by the antivirus), but it offers no protection once the file is executed.
Runtime - A RunTime crypter encrypts the file so that when it is executed (run by the user), it is decrypted in memory. This way antiviruses can't analyze the file either before or after it is executed. A RunTime is typically more secure than a ScanTime; generally, good crypters are both ScanTime and RunTime.
EOF - EOF stands for End of File. Some malicious files (such as Bifrost, Medusa, or Cybergate) require the end of file data in order to run without being corrupted. If crypters don't preserve this end of file data, the crypted file would become corrupt.
USG - A USG is part of a special type of crypter. It generates a unique version of the stub (hence the name Unique Stub Generator) each time it is used. The purpose of this is to help keep crypters FUD.
Stub - The stub is part of the crypter used to encrypt and decrypt the specified encrypted file.
Client - The client is the GUI of the crypter; it's what users interact with and upload their file to.
Antis - Antis (anti's) are extra features found on some crypters. They are dedicated to bypassing/preventing a specific thing. For example, an anti-debugger might prevent it from being debugged, and an anti-avira would specifically protect against being detected by the antivirus called "Avira".
File pumper - A file pumper "pumps" your file, meaning it adds more bytes to a file to make it appear larger. The benefit of this is not usually great, however it can be useful, and you might even lose a detection.
FUD - FUD stands for Fully Undetectable. A FUD crypter is completely undetected by all antiviruses. UD stands for Undetected, meaning the crypter is mostly undetectable on most antiviruses. Nobody uses the term D (they just say "detected" or "no longer working") however in theory that would stand for a completely detectable crypter on virtually all antivirus systems.

How do I test if my crypter is undetectable?
The easiest way is to virus scan it on multi-antivirus scanners. This will allow you to scan it with multiple antiviruses, to check whether it's truly FUD or just undetected on your own antivirus. This also prevents the risk of data being sent from the antivirus on your computer to the antivirus company (this would immediately un-FUD your crypter). Simply go to http://scanner.novirusthanks.org or http://virustotal.org.
Those are free, online multi-antivirus scanners. Be sure to check the "Do Not Distribute" (or similar) option. This will prevent the website from distributing the results of the scan to the antivirus companies, keeping your crypter FUD.
However, realize that all crypters eventually become detected.

How do antiviruses detect my crypter? How does my crypter prevent this?
An antivirus works by scanning files. An executable file (EXE) is simply made up of lines of instructions, each line called an "offset":
[Image: view of Hex Workshop, demonstrating the offsets]

From there, the antivirus (which has massive databases of these lines that are known to be associated with malicious files) scans through the file submitted to it and checks for matches. Obviously, if there is a match, then the program is flagged as having a virus.
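To make the signature matching described above concrete, here is an added example (not code from the original post) of a minimal byte-signature scanner. The signatures are constructed, made-up hex patterns written in the ClamAV style, where `??` stands for any single byte, and the sample "file" is constructed bytes as well; the scanner reports the offset at which each signature matches, which is exactly the per-offset view the Hex Workshop screenshot illustrates.

```python
import re

# Constructed sample signatures (made up for illustration, not real
# antivirus signatures). "??" matches any single byte, as in ClamAV hex
# signatures; a wildcard lets one signature cover several variants.
SIGNATURES = {
    "Test.Exact": "4d5a90000300",
    "Test.Wildcard": "68??????00e8????????83c4",
}


def compile_signature(hex_sig):
    """Turn a hex signature with ?? wildcards into a compiled bytes regex."""
    if len(hex_sig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    pattern = b""
    for i in range(0, len(hex_sig), 2):
        chunk = hex_sig[i:i + 2]
        if chunk == "??":
            pattern += b"."  # any single byte (DOTALL below covers newlines)
        else:
            pattern += re.escape(bytes([int(chunk, 16)]))
    return re.compile(pattern, re.DOTALL)


def scan(data, signatures=SIGNATURES):
    """Return (name, offset) for every signature occurrence found in data."""
    hits = []
    for name, hex_sig in signatures.items():
        for m in compile_signature(hex_sig).finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample "file": a DOS-header-like prefix, padding, then a
# push/call/add-esp byte sequence that the wildcard signature describes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 8
    + b"\x68\x10\x20\x40\x00\xe8\x01\x02\x03\x04\x83\xc4\x04"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{name} matched at offset 0x{off:04x}")
```

Changing the bytes that sit under a `??` wildcard (for example the push operand) still triggers the wildcard signature, which is why real signature databases rely on wildcards rather than only exact byte runs.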

Therefore, our crypter will have to do the following:

Simply put, a crypter needs to take in an infected file, encrypt it, and place it at the bottom of what appears to be a virus-free file called your stub; the stub file then extracts the encrypted data from itself, decrypts it, and runs it. Now, if your stub becomes detected, all files encrypted into this stub will become detected and flagged.


How do I make my crypter FUD?
There are many popular techniques to FUDing a crypter. Of course, your first step is to either acquire a crypter, or develop your own (which is outside the scope of this tutorial).

Our first option will be changing assembly information. To do this, we'd need to change the compilation settings for the EXE. We could change the file version, description, and more. We should also change things like variable names and method names; those are all things that can be detected by an antivirus. We can also switch around the order the methods are in. Another option we can take is to find a way to accomplish the same task in a different way. For example, in real life, we could walk three feet, but it would really throw someone off if we instead jumped three feet everywhere we went. We can do the same to antiviruses by accomplishing the same task in a different manner.

Also, don't forget the simple stuff. Adding junk code to modify the flow can confuse an antivirus, as can changing the order of code sections, manipulating strings, renaming the file, and adding or changing the icon.

Basically, just change things up.

The other thing you have to understand is the signatures of antiviruses. These are what they check for in a program: specific telltale signatures left behind by malicious programs. There are specific signatures and broad signatures. The key to each is discovery.

With specific signatures, we simply section off parts of the code. Cut the code in half, scan both halves, see which half the detection is coming from, then split that in half, and so on. Eventually you'll come down to the section being detected (or even just the line being detected) and you can rework it.

If you have a broad detection, it means you have a common flaw. I'd suggest you use the "change it up" method I suggested earlier. Generally, it's still something specific setting off this broad detection, and you can narrow it down as mentioned before.


12 comments:

  2. This topic is new as well as interesting to study. At first I wasn't able to understand what all is happening, but after reading it multiple times I understood the meaning of crypters. Thanks.
  6. I've used AVG protection for many years now, and I'd recommend this product to you all.