Tuesday 18 June 2013

FAQ FUD Crypter


What is FUD Crypter and how to use it to Bypass antivirus detection for RATs and viruses?


I have already written about Keyloggers in my previous articles, like Azure AIO Keylogger, Star Tools, Ref Stealer and many other keyloggers previously to hack e-mail account passwords. I have mentioned about antiviruses detecting keyloggers as hacking softwares (viruses) and hence, hacker has to use Crypters to avoid antivirus detection for keyloggers. Here i'll tell you something more about Crypters - hacking software for bypassing antivirus detections.


What is Crypter?


As said above, Crypter is free software used to hide our viruses, keyloggers or any RAT tool from antiviruses so that they are not detected and deleted by antiviruses. Thus, a crypter is a program that allow users to crypt the source code of their program. Generally, antivirus work by splitting source code of application and then search for certain string within source code. If antivirus detects any certain malicious strings, it either stops scan or deletes the file as virus from system.

What does Crypter do?


Crypter simply assigns hidden values to each individual code within source code. Thus, the source code becomes hidden. Hence, our sent crypted trojan and virus bypass antivirus detection and our purpose of hacking them is fulfilled without any AV hindrance. Not only does this crypter hide source code, it will unpack the encryption once the program is executed.

What is FUD?


FUD is acronym for Fully UnDetectable. With increased use of Crypters to bypass antiviruses, AV became more advanced and started including crypter definitions to even detect crypter strings within code. So, use of crypter to hide Ardamax keylogger and RATs became more complicated as nowadays, no publicly available crypter is FUD.

So, if you crypt RATs with publicly available crypters, they are bound to be detected by antiviruses. This is because most FUD crypters remain "FUD" for maximum of one or two days after their public release. To obtain FUD crypters, you have to either search for it in hacking forums or make one (which is somewhat tedius.. I am working on this).


How Does FUD Crypter Work?

The Basic Working Of FUD Crypter is explained below
The Crypter takes the original binary file of you exe and applies many encryption on it and stores on the end of file(EOF).So a new crypted executable file is created.
Original Exe Crypted Exe

001————- 010                            101————-110
100|Original File|000->  Cryptor  ->  010|Original File|110
010————- 111                            110————-010

The new exe is not detected by antiviruses because its code is scrambled by the crypter.When executed the new .exe file decrypts the binary file into small the data small pieces at a time and injects them into another already existing process or a new empty one, OR it drops the code into multiple chunks in alternative data streams(not scanned by most a/v) then executes it as a .txt or .mp3 file.


Why Most FUD Crypters Donot Work?

As a FUD crypter becomes popular it also get the eyes of antivirus companies.The antivirus companies update their software and employ detection mechanism that detect the encryption’s by the crypter.So, most of the popular FUD crypter are easily detected by antiviruses.


Common terms related to crypters:

For understanding and designing crypters, hackers must be aware of certain terms, most of you already know these terms, but as i am writing this tutorial starting from novice level and take it to elite level at the end. So if you know these terms just read them one more time, as that might help you to clear some of your doubts.

1. FUD or UD : 

Fully undetectable(FUD) means that your virus is not detected by any of the existing antiviruses while undetectable(UD) means detectable by few antiviruses. FUD is our only goal and elite hackers always rely on that. 

Note: Crypter will remain FUD until you have openly shared on internet. Public crypters remains FUD up to maximum 2 to 3 days then they become UD. So if you want to use crypter for long time so never publish and share that on internet. Use it anonymously.

2. STUB : 

A stub is a small piece of code which contains certain basic functionality which is used again and again. It is similar to package in Java or simply like header files in C ( which already has certain standard functions defined in it). A stub basically simulates the functionality of existing codes similarly like procedures on remote machines or simply PC's. In crypters, client side server is validated using stubs, so never delete stub file from your crypter. Stubs adds portability to crypter code, so that it can be used on any machine without requiring much procedures and resources on other machines.

Example:

Suppose you are writing a code that converts bytes to bits, so we know formula or method for converting bytes to bits will remain same and it will be independent of machine. So our stub (or method stub or procedure) will contain something like this:

BEGIN 
totalBits = calculateBits(inputBytes)
Compute totalBits = inputBytes * 8END

Now what we will pass is only number of bytes to this stub. And it will return the resulting bits. Similarly, we include some common machine independent checks and functions in our stub, and in main code we only passes linkage and inputs to these stubs, which in return provides suitable results.

Note: Most of times it happens, suppose you downloaded some keylogger and you complain to provider its not working, only reason for that is stub. Also always kept in your mind, if you are downloading any keylogger or crypter  always check stub is present in it. If not, don't download it, its just a piece of waste and for sure hacker is spreading his virus using that. I recommend that never download any hacking tool on your real machine, always use virtual machine or sandbox to test hack tools.

3. USV: 

Unique stub version or simply USV is a part of crypter that generates a unique version of stub which differentiates it from its previous stub, thus makes it more undetectable against antiviruses. For detecting this antivirus companies has to reverse engineer your crypter stub, that is not that easy to do, so it will remain undetectable for long time. This consist of one most important component USG ( unique stub generation) which is the actual part of crypter that encrypts and decrypts the original file means its the heart of your algorithm and i will recommend never write this part in stub, rather include this part in main code. Why i am saying this, stub is part of code which is shared with victim, so it will become public and hence your Crypter will not remain FUD for much long time.



Different types of crypters:

1. External Stub based crypters : 

This category consists of public crypters (those you have downloaded till date :P (noobish one's) and you complains to provider that its detectable by antiviruses. That really foolish complaint, if crypter is public then it can never remain FUD. So don't ever complain to me also after my next article for such noobish things. Ahahah.. i got deviated for real thing.

External Stub based crypters are those crypters in which most of the functionality of the crypter depends of external stub, if your delete that stub file, your crypter is useless. :P Most antivirus only do that. These type of crypters contains two files one is client.exe and other is stub.exe . Stub contains the main procedures and client contains the global functions that call those procedures.

2. Internal or Inbuilt stub based crypters:

 The crypters that contains only one exe file (i.e client) fall under this category. This client file has inbuilt stub in it. You can separate stub and client part here too using RCE (reverse code engineering) but it is not recommended.

Note: External or Internal stub doesn't make much difference as antivirus detects files on the basis of strings related to offsets. Whenever you reverse engineer any application or program, the program execution flow will gonna remain the same but offsets may change. USV will come into picture at this point. If you include your encryption algorithm separately then it will be more harder for antivirus to detect your crypter.

3. Run time crypters:

 Run time crypters are those crypters which remain undetected in memory during their execution. We are looking for these type of crypters only. :P These can any of the two above.

4. Scan time crypters: 

Those crypters which will remain undetected while encrypting the files but will become detectable when resultant file is generated. :P Fking one's that wastes all effort we have put. This really annoys everything is working fine and at last you get your file being detected by noob antiviruses.

Happy Information..!!!
Share this post
  • Share to Facebook
  • Share to Twitter
  • Share to Google+
  • Share to Stumble Upon
  • Share to Evernote
  • Share to Blogger
  • Share to Email
  • Share to Yahoo Messenger
  • More...

2 comments

  1. Really good article and reading this solved my many doudts. Thank you so much

    ReplyDelete
  2. Thank you for this topic, gave me a wider understanding of the concepts of crypters. Have you checked out Soft Crypter yet? http://www.softcrypter.com - FUD results lasts above 2 weeks! +

    ReplyDelete

:) :-) :)) =)) :( :-( :(( :d :-d @-) :p :o :>) (o) [-( :-? (p) :-s (m) 8-) :-t :-b b-( :-# =p~ :-$ (b) (f) x-) (k) (h) (c) cheer

 
© HaCkErZ-PoSiTiVe
Designed by VINOD
Back to top
© HaCkErZ-PoSiTiVe - About | Privacy | Contact | Sitemap