Tuesday, October 25, 2011

What is a crypter? What is a FUD Crypter?

WHAT IS A CRYPTER?

A crypter is software used to hide viruses, keyloggers or RAT tools from antivirus programs so that they are not detected and deleted. Thus, a crypter is a program that allows users to crypt the source code of their program. Generally, antivirus programs work by splitting the source code of an application and then searching for certain strings within it. If the antivirus detects any malicious strings, it either stops the scan or deletes the file from the system as a virus.

WHAT DOES A CRYPTER DO?

A crypter simply assigns hidden values to each individual code within the source code. Thus, the source code becomes hidden. Hence, the crypted trojan or virus that is sent bypasses antivirus detection, and our purpose of hacking them is fulfilled without any AV (antivirus) hindrance. Not only does the crypter hide the source code, it also unpacks the encryption once the program is executed.


What is FUD?

FUD is an acronym for Fully UnDetectable. With the increased use of crypters to bypass antiviruses, AV (antivirus) products became more advanced and started including crypter definitions to detect even crypter strings within code. So, using a crypter to hide the Ardamax keylogger and RATs became more complicated, as nowadays no publicly available crypter is FUD.
So, if you crypt RATs with publicly available crypters, they are bound to be detected by antiviruses. This is because most FUD crypters remain "FUD" for a maximum of one or two days after their public release. To obtain FUD crypters, you have to either search for one in hacking forums or make one.

How Does FUD Crypter Work?

The crypter takes the original binary file of your exe, applies multiple encryptions to it and stores the result at the end of the file (EOF). So a new crypted executable file is created.

Original Exe            Crypted Exe
(ORIGINAL)001  ---->   (CRYPTED)010

The new exe is not detected by antiviruses because its code is scrambled by the crypter. When executed, the new .exe file decrypts the binary file into small pieces of data at a time and injects them into another already existing process or a new empty one, or it drops the code in multiple chunks into alternate data streams (not scanned by most A/V) and then executes it as a .txt or .mp3 file.

CAN WE MANUALLY DISTINGUISH BETWEEN THE ORIGINAL AND ENCRYPTED FILE?

An important point to note is that although a crypter hides the code of a file, it cannot hide the size of the file. Thus, if the size of the file we want to crypt is 10kb and the size of the file with which we want to crypt our file is 100kb, then the total size of the crypted file would be 100kb + 10kb, i.e. 110kb.
But this difference is helpful only when you know the size of the original file.

Where can I test Whether my Crypter is FUD or not?

To test your crypter, encrypt any virus with it and test it on http://scanner.novirusthanks.org, and make sure you check the box "Do not distribute the sample".

Note: Do not test your crypter on http://virustotal.com, as it distributes the samples and your crypter will not remain FUD if you scan with VirusTotal.




Note: For educational purposes only.
Source: LearnHacking
