What are Crypters?
The term "crypter" is derived from the term "encryption". The purpose of a crypter is to crypt (encrypt) data, generally speaking computer programs. The basic goal of a crypter (or of any form of encryption) is to take some data and encrypt it so that to the normal eye it is incomprehensible and nonsensical, while keeping the ability to decrypt it and put it back into comprehensible and sensible terms.
We do this through a cipher. "Cipher" is a common term when it comes to codes and encryption. We use the cipher to encrypt and decrypt messages; for example, the cipher might be to shift every letter down one (a would become b, b to c, c to d, and so on).
Nowadays we do this all the time on computers. It's important that what we put on computers is secure (I don't want my credit card number to be read by everyone each time I enter it on Amazon).
However, nowadays we use rather more complex ciphers than just shifting each letter down one. We now call our ciphers algorithms. Algorithms are something like mathematical formulas that can be applied to data to encrypt and decrypt it. For example, the algorithm of the shifting cipher I showed you would simply be to add 1 to each character's position in the alphabet. Of course, in algorithms we mostly deal with numbers, as there are infinitely many numbers but only 26 letters in the standard alphabet.
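Here is the shift cipher from the paragraphs above written out as a small program. This is an added example, not code from the original post: it generalises the "add 1" shift to any shift n, wraps around at the end of the 26-letter alphabet, and includes a brute_force helper (my own addition) that lists all 26 possible decryptions to show why the small key space of this cipher gives no real secrecy. The sample message is constructed for the example.

```python
# Added example (not from the original post): the shift cipher described above,
# generalised from a shift of 1 to any shift n, with wrap-around at the end of
# the alphabet and decryption as the inverse shift.
import string

ALPHABET = string.ascii_lowercase  # the 26-letter alphabet the post refers to


def shift_char(ch: str, n: int) -> str:
    """Shift one character n places through the alphabet, wrapping z -> a.

    Upper/lower case is preserved; anything that is not a letter (digits,
    spaces, punctuation) is passed through unchanged.
    """
    if ch.islower():
        return ALPHABET[(ALPHABET.index(ch) + n) % 26]
    if ch.isupper():
        return ALPHABET[(ALPHABET.index(ch.lower()) + n) % 26].upper()
    return ch


def encrypt(plaintext: str, n: int = 1) -> str:
    """Apply the cipher: add n to each letter's position (the post's 'add 1')."""
    return "".join(shift_char(c, n) for c in plaintext)


def decrypt(ciphertext: str, n: int = 1) -> str:
    """Undo the cipher: subtract n from each letter's position."""
    return encrypt(ciphertext, -n)


def brute_force(ciphertext: str) -> list:
    """List all 26 possible decryptions (shift 0 through 25).

    This is why a shift cipher offers no real secrecy: the key space is so
    small that every candidate can be tried by hand and the readable one
    picked out.
    """
    return [decrypt(ciphertext, n) for n in range(26)]


if __name__ == "__main__":
    msg = "Hello, World"          # constructed sample input
    enc = encrypt(msg, 1)
    print(enc)                    # Ifmmp, Xpsme
    print(decrypt(enc, 1))        # Hello, World
    print(encrypt("xyz", 3))      # abc  (wrap-around at the end of the alphabet)
    for candidate in brute_force(enc):
        print(candidate)
```

The "key" here is just the shift n, and the whole point of the post's remark about 26 letters versus infinitely many numbers is visible in brute_force: a modern algorithm is built so that the equivalent list of candidates is far too large to try.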
Crypters go beyond just encrypting random data: we use them to actually encrypt programs, concealing the identity of the program. We do this mostly to pass off viruses as clean/goodware. By encrypting the program, we can avoid detection by the user and by the antivirus software the user may have in place. Of course, there are other types of crypters, and other uses of program/application crypters; however, that's their most common use.
If you've been on HackForums.net any time, you'll certainly have realized that crypters are a major part of black-hat (malicious) hacking.
How do they work?
Crypters work by crypting (encrypting) the data (bits) of a program. An encryption algorithm (basically a cipher of sorts) is applied to the actual code of the program, and the program is then reassembled into a working form. There are generally two parts to a crypter. There's the GUI we interact with, often called the Client. The other part is the stub; this is the part that actually takes the file we put into the GUI and encrypts it, then decrypts it when the time comes.
What's the difference between a crypter, a packer, and a binder?
A crypter encrypts your files, while a packer packs your files with the intention of making them smaller in size and sometimes avoiding scantime detection (you'll learn about that later). A binder binds two files together, so that something that looks like a picture actually turns out to be the virus.
Learning the Lingo....
Scantime - A ScanTime crypter encrypts the file so antiviruses won't be able to analyze it before execution (when the file is first scanned by the antivirus), but not when it is executed.
Runtime - A RunTime crypter encrypts the file so that when it is executed (run by the user), it is decrypted in memory. This way antiviruses can't analyze the file either before or after it is executed. A RunTime is typically more secure than a ScanTime; generally, good crypters are both ScanTime and RunTime.
EOF - EOF stands for End of File. Some malicious files (such as Bifrost, Medusa, or Cybergate) require the end-of-file data in order to run without being corrupted. If a crypter doesn't preserve this end-of-file data, the crypted file becomes corrupt.
USG - A USG is part of a special type of crypter. It generates a unique version of the stub (hence the name, Unique Stub Generator) each time it is used. The purpose of this is to help keep crypters FUD.
Stub - The stub is part of the crypter used to encrypt and decrypt the specified encrypted file.
Client - The client is the GUI of the crypter; it's what users interact with and upload their file to.
Antis - Antis (anti's) are extra features found on some crypters. Each is dedicated to bypassing/preventing a specific thing. For example, an anti-debugger might prevent the file from being debugged, and an anti-avira would specifically protect against being detected by the antivirus called "Avira".
File pumper - A file pumper "pumps" your file, meaning it adds more bytes to the file to make it appear larger. The benefit of this is usually not great, but it can be useful, and you might even lose a detection.
FUD - FUD stands for Fully Undetectable. A FUD crypter is completely undetected by all antiviruses. UD stands for Undetected, meaning the crypter is undetected on most antiviruses. Nobody uses the term D (they just say "detected" or "no longer working"); in theory, though, that would stand for a crypter detected on virtually all antivirus systems.
How do I test if my crypter is undetectable?
The easiest way is to scan it with a multi-antivirus scanner. This lets you scan the file against many antiviruses at once, to check whether it's truly FUD or just undetected by your own antivirus. It also avoids the risk of your own antivirus sending data to the antivirus company (which would immediately un-FUD your crypter). Simply go to http://scanner.novirusthanks.org or http://virustotal.org.
Those are free online multi-antivirus scanners. Be sure to check the "Do Not Distribute" (or similar) option. This prevents the website from distributing the results of the scan to the antivirus companies, keeping your crypter FUD.
However, realize that all crypters eventually become detected.
How do antiviruses detect my crypter? How does my crypter prevent this?
An antivirus works by scanning files. An executable file (EXE) is simply made up of lines of instructions, each line being called an "offset":
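To make the scanning side concrete, here is a toy version of a signature-based file scan. This is an added example, not code from the original post and not any real antivirus engine: a signature is a fixed sequence of bytes (with "??" wildcard positions, a convention many engines use), and the scanner walks the file's bytes and reports the offset where each signature is found. The signature names, patterns and the sample "file" are all constructed for the example; the only real value is the "MZ" (4D 5A) magic that begins a Windows executable's DOS header.

```python
# Added example (not from the original post): a toy signature scanner that
# searches a file's bytes for known patterns and reports the offset of each
# hit, the way the post describes antiviruses scanning a file's offsets.
# Signature names and byte patterns are constructed for this example.
from typing import Dict, List, Optional, Sequence, Tuple

# A parsed signature is a list of byte values; None marks a wildcard byte
# ("??" in the text form) that may hold any value at that position.
Signature = Sequence[Optional[int]]

# Constructed signature database: name -> hex bytes, "??" = wildcard.
SIGNATURES: Dict[str, str] = {
    "Example.MZ.Header": "4D 5A",             # "MZ": start of a Windows EXE
    "Example.Marker.A": "DE AD ?? BE EF",     # constructed marker with a wildcard
    "Example.Marker.B": "CA FE BA BE 00 00",  # constructed marker, not in the sample
}

# Constructed sample "file": an MZ magic, some padding, then a marker
# whose wildcard byte happens to be 0x42.
SAMPLE_FILE = b"MZ" + b"\x00" * 16 + b"\xde\xad\x42\xbe\xef" + b"trailing data"


def parse_signature(text: str) -> List[Optional[int]]:
    """Turn "4D 5A ?? 00" into [0x4D, 0x5A, None, 0x00]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data: bytes, offset: int, sig: Signature) -> bool:
    """True if every non-wildcard byte of sig matches data starting at offset."""
    if offset + len(sig) > len(data):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(sig))


def scan(data: bytes, signatures: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for each signature present in data.

    Only the first occurrence of each signature is reported: one hit is
    enough to flag the file, and it tells the analyst where to look.
    """
    hits: List[Tuple[str, int]] = []
    for name, text in signatures.items():
        sig = parse_signature(text)
        for off in range(len(data) - len(sig) + 1):
            if matches_at(data, off, sig):
                hits.append((name, off))
                break
    return hits


if __name__ == "__main__":
    for name, off in scan(SAMPLE_FILE, SIGNATURES):
        print(f"{name} found at offset 0x{off:04x}")
    # Example.MZ.Header found at offset 0x0000
    # Example.Marker.A found at offset 0x0012
```

Note that this scan only ever sees the bytes as they sit on disk, which is exactly the gap the post's ScanTime/RunTime distinction is about; an engine that wants to see a file's real contents also has to look at it once it has been decrypted in memory, or run it in an emulator first.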