What is Crypter?
Crypter is software used to hide our viruses, keyloggers or tools from antiviruses so that they are not detected. Thus, a crypter is a program that allows users to crypt the code of their program. Generally, antivirus software works by splitting the code of an application and searching for certain strings within it. If the antivirus detects any known malicious strings, it either stops the scan or deletes the file from the system as a virus.
Crypting is not only used for malware or viruses. It can also be used to protect software from reverse engineering, piracy or theft, and can resolve antivirus conflicts.
WHAT DOES A CRYPTER DO?
A Crypter simply assigns hidden values to each individual piece of code within the program. Thus, the code becomes hidden. Hence, our sent crypted Trojan or virus bypasses antivirus detection and our purpose of hacking them is fulfilled without any AV (Anti Virus) hindrance. Not only does the crypter hide the code, it also unpacks the encryption once the program is executed.
What does UD and FUD mean?
UD means undetected, so only a few antivirus programs detect it. FUD means fully undetected, so no antivirus detects it.
FUD is an acronym for Fully UnDetectable.
With the increased use of Crypters to bypass antiviruses, AV (Anti Virus) software became more advanced and started including crypter definitions to detect crypter strings within code. So, using a crypter to hide the Ardamax keylogger and RATs became more complicated, as nowadays no publicly available crypter is FUD.
So, if you crypt RATs with publicly available crypters, they are bound to be detected by antiviruses. This is because most FUD crypters remain "FUD" for a maximum of one or two days after their public release. To obtain FUD crypters, you have to either search for one in hacking forums or make one (which is somewhat tedious. I am working on this).
Where can I test whether my Crypter is FUD or not?
To test your crypter, encrypt any virus with it and test it on https://www.virustotal.com/, making sure you check the box "Do not distribute the sample".
How Does FUD Crypter Work?
The basic working of a FUD Crypter is explained below.
The Crypter takes the original binary file of your exe, applies several layers of encryption to it, and stores the result at the end of the file (EOF). So a new crypted executable file is created.
      Original Exe                            Crypted Exe
    001------------010                      101------------110
    100|Original File|000  -> Cryptor ->  010|Original File|110
    010------------111                      110------------010
The new exe is not detected by antiviruses because its code is scrambled by the crypter. When executed, the new .exe file decrypts the binary file a few small pieces of data at a time and injects them into another already existing process or a new empty one; OR it drops the code in multiple chunks into alternate data streams (not scanned by most A/V) and then executes it as a .txt or .mp3 file.
HOW CAN I MANUALLY DISTINGUISH BETWEEN THE ORIGINAL AND ENCRYPTED FILE?
An important point to note is that although a Crypter hides the code of a file, it cannot hide the size of the file. Thus, if the size of the file we want to crypt is 10 KB and the size of the file with which we crypt it is 100 KB, then the total size of the crypted file would be 100 KB + 10 KB, i.e. 110 KB.
But this difference is helpful only when you know the size of the original file.
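The size check above needs the original file's size, but the post's own description of the stub (encrypted original stored at the end of the file) gives a check that needs no prior knowledge: a well-formed PE ends where its last section's raw data ends, so anything after that is an appended overlay. The following is an added analyst-side example, not code from the original post; the function names and the minimal PE built inline for the demonstration are my own constructions.

```python
import struct

def pe_overlay_size(data: bytes) -> int:
    """Return the number of bytes after the last PE section (the overlay).

    A crypter stub that appends the encrypted original at EOF leaves an
    overlay roughly the size of that original; a clean build usually has 0.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header start
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size               # first section header
    end = 0
    for i in range(num_sections):
        off = sect + i * 40                   # section headers are 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)

def build_minimal_pe(section_bytes: bytes, overlay: bytes = b"") -> bytes:
    """Construct a tiny PE layout (headers + one section) for testing only;
    it is not executable. `overlay` is appended after the section data,
    the way the post describes the crypted original being stored at EOF."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 224                         # PE32 optional header placeholder
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    hdr_len = e_lfanew + 4 + 20 + len(opt) + 40
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF      # align raw data to 0x200
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(section_bytes), 0x1000,
                             len(section_bytes), raw_ptr)
               + b"\0" * 16)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (raw_ptr - len(headers))
    return headers + section_bytes + overlay

if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 300)                    # constructed
    crypted = build_minimal_pe(b"\x90" * 300, b"\xAA" * 4096)  # constructed
    print("clean overlay:", pe_overlay_size(clean))
    print("crypted overlay:", pe_overlay_size(crypted))
```

A large overlay is not proof by itself (installers and signed binaries carry legitimate overlays), but it is the cheapest triage signal for the EOF-storing design the post describes.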
By S0ft Hcks!
#MR:47{XYBER SHEIKH}