Recently, I’ve taken an interest in writing my own crypter… It’s been very hard due to the lack of “good tutorials.” I would ask you to post sources of materials or courses for us to study.
What I notice is that the crypters only work for some time… So my question is, why?
If the contents are encrypted, how are antivirus products able to catch them?
My guess is some sort of sandboxing analysis or heuristics that catch them… but since the code is run in memory, can we really evade AVs?
Thanks for any answers. I'm kinda new to malware programming…
Why are antiviruses able to catch them? Well, it's simple: the sample gets scanned by various AV companies, and that makes the crypter UD. Many crypter authors will provide frequent updates to the crypter software, in the form of stub files. These contain the latest methods or algorithms used to augment the malware passed through to it, in an attempt to stay ahead of anti-virus companies detecting their methods. For example, virustotal.com will send every file you scan to AV companies, so if you want to stay FUD for a long time, you will need an AV scanner that does not distribute the samples.
It’s going to take some knowledge of programming. If you want to PM me what you’ve been trying along with the source code of what you’re trying to crypt, I can try to assist. Essentially you just need to not make it so obvious for AVs. This includes not using known libraries that might be flagged (go look at what the library is calling and use that instead), encoding the original source code several times along with some sort of way to unpack it (maybe even making the unpacking part a separate stage altogether so the packed version and unpacking rules don’t get put in the same file), changing variable names around to something that looks like it’s doing something else, etc. I wouldn’t say that I’m extremely experienced in this, but I have been able to take a few well-known viruses and make them FUD just by playing around with the original source code a bit.
Actually there is a part that is not encrypted, otherwise the program cannot run. This is usually named the stub, and AV can either just add a signature that matches that stub, or analyse the use of certain system calls that are required in order to be able to decrypt and run the .text segment. Furthermore, some techniques to run the decrypted code (to give control back to the original program) are commonly used by viruses and are therefore well-known to AV software.
You can take a look at:
To check the basics: What is that stub about? or what syscalls are required and why? These posts are GNU/Linux oriented but the concepts are the same for all OSes… You just have to use different syscalls and deal with different file formats.
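A toy model of what the last two replies describe: the payload is encrypted, but the stub that decrypts it has to stay in plaintext, so a signature on the stub (or a heuristic on the memory-mapping / page-protection calls any stub must make) catches every payload it wraps, and re-keying the payload changes the file hash without changing the stub. This is an added example, not code from any poster in the thread; the stub bytes, API names, signature patterns and payload string are all constructed for the illustration and stand in for machine code, imports and a real sample.

```python
"""
Toy crypter + toy scanner. Everything here is constructed for illustration:
STUB_V1/STUB_V2 stand in for the plaintext loader code of a crypted binary,
the SIGNATURES and SUSPICIOUS_APIS tables stand in for an AV database, and the
payload is a harmless string. Nothing is a real sample or real malware.
"""
import hashlib
import os

# The stub must be plaintext so it can run before the payload is decrypted.
# A real stub is machine code; here byte strings stand in for it. The API
# names mimic what would be visible in the import table of a real stub.
STUB_V1 = (
    b"STUB:v1;"
    b"api:mmap,mprotect,memcpy;"      # constructed: APIs used to stage code
    b"loop:xor-decrypt-then-jump;"
)
STUB_V2 = (
    b"STUB:v2;"
    b"api:VirtualAlloc,VirtualProtect;"
    b"loop:rc4-decrypt-then-jump;"
)

MAGIC = b"CRYPT1"
KEY_LEN = 16


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a stand-in for whatever cipher the crypter uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_crypted(stub: bytes, payload: bytes, key=None) -> bytes:
    """'Crypt' a payload: output = magic | plaintext stub | key | encrypted payload."""
    key = key or os.urandom(KEY_LEN)
    assert len(key) == KEY_LEN
    return MAGIC + stub + key + xor_bytes(payload, key)


def stub_run(blob: bytes, stub: bytes) -> bytes:
    """What the stub does at run time: read its key, decrypt the payload in
    memory and hand control to it. Here 'run' just returns the plaintext."""
    assert blob.startswith(MAGIC + stub), "blob was not built with this stub"
    body = blob[len(MAGIC) + len(stub):]
    key, ciphertext = body[:KEY_LEN], body[KEY_LEN:]
    return xor_bytes(ciphertext, key)


# Signature database: name -> byte pattern. 'payload' targets the original
# malware body; 'stub_v1' is what a vendor adds once a v1-crypted file is
# sampled (e.g. after it was uploaded to a multi-scanner).
SIGNATURES = {
    "payload": b"EVIL_BEACON",
    "stub_v1": b"loop:xor-decrypt-then-jump",
}

# Heuristic: visible references to APIs that allocate executable memory or
# change page protections, which any stub needs in order to run decrypted code.
SUSPICIOUS_APIS = (b"mprotect", b"VirtualProtect", b"VirtualAlloc", b"mmap")


def scan(blob: bytes, signatures=SIGNATURES) -> dict:
    """Static scan: substring signatures plus an API-name heuristic."""
    hits = [name for name, pat in signatures.items() if pat in blob]
    apis = [a.decode() for a in SUSPICIOUS_APIS if a in blob]
    return {"signature_hits": hits, "suspicious_apis": apis,
            "sha256": hashlib.sha256(blob).hexdigest()}


def demo() -> dict:
    payload = b"EVIL_BEACON: connect back and run commands"   # constructed
    crypted_a = build_crypted(STUB_V1, payload, key=b"A" * KEY_LEN)
    crypted_b = build_crypted(STUB_V1, payload, key=b"B" * KEY_LEN)  # re-keyed
    crypted_v2 = build_crypted(STUB_V2, payload, key=b"C" * KEY_LEN)  # new stub
    return {
        "plain": scan(payload),           # payload signature fires
        "crypted_a": scan(crypted_a),     # payload hidden, stub signature fires
        "crypted_b": scan(crypted_b),     # new hash, same stub, still caught
        "crypted_v2": scan(crypted_v2),   # no signature yet; heuristic still sees APIs
        "runs_a": stub_run(crypted_a, STUB_V1) == payload,
        "runs_v2": stub_run(crypted_v2, STUB_V2) == payload,
        "ciphertext_differs": crypted_a != crypted_b,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Re-keying (crypted_a versus crypted_b) produces a different hash and ciphertext but leaves the stub bytes untouched, so the stub signature keeps firing; swapping in a new stub (crypted_v2) evades the signature until that stub is sampled too, while the API-name heuristic still flags it because the loader cannot avoid the calls it needs to map and execute the decrypted code.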