1. Introduction
One of the few solid theoretical results in the study of computer viruses is Frederick B. Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses [1]. The proof relies on the infect and spread abilities of computer viruses. However, the infect and spread abilities of a piece of code, which together make up its ability to replicate, are not necessarily present in malware. "Computer virus", in its recent meaning, and "malware" are overlapping terms, but not synonyms: the difference is between code with the ability to infect and spread and code with a malicious purpose. The task of today's security software is to protect computers against malware and hacker attacks. This kind of application is generally very complex because it tries to protect its users against threats of many kinds [20]. Security software uses signatures and heuristics to detect known viruses, rootkits and Trojan horses. Malware writers are skilled enough to write malicious software that bypasses these detection techniques. Most security software vendors have implemented their kernel hooks very poorly, and their applications create another hole in the operating system instead of protecting it.
International Journal of Computational Intelligence and Information Security, May 2012 Vol. 3, No. 5 ISSN: 1837-7823
dictionary [22]. Signatures are obtained by human experts using reverse engineering. An example of software used in reverse engineering is the Interactive Disassembler. Such software does not implement antivirus protection itself, but facilitates human analysis. Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of it by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a disguise, so that they no longer match the virus signatures in the dictionary.
3. Crypters
Early in the study of cryptography, one comes across a very basic and easily decoded method of encryption: ASCII shifts, or substitution. Substitution takes a block of characters and replaces each character with another. For example, if each letter of (I LOVE YOU) is shifted one step forward in the alphabet, the message becomes (J MPWF ZPV). This is the basic idea behind crypting, or cryptography. A hacker will use a crypter, which adds junk code to the server file (the RAT or keylogger executable); there are many crypting methods for this purpose [24]. A crypter is a program that makes other programs UnDetectable (UD) or Fully UnDetectable (FUD): a UD file is detected by only a few antiviruses, and a FUD file is not detected by any antivirus. It is used to hide viruses, RATs (Remote Administration Tools) or keyloggers from antiviruses, so that they are not detected and deleted. Thus a crypter is a program that allows users to encrypt the code of their program. Generally, an antivirus works by splitting the code of an application and searching for certain strings within it [25].
If the antivirus detects any of these malicious strings, it either stops the scan or deletes the file from the system as a virus. The aims of a crypter are to protect the executable and to make it difficult to analyze or reverse engineer. Malware is basically distributed as executables; public malware is generally detected by antiviruses, so crypters are used to make it Fully Undetectable (FUD).
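As an added example (not from the paper), here is how a dictionary scanner of the kind described above behaves against the letter-shift substitution shown earlier, written in Python: a naive scanner matches signature strings verbatim and so misses the shifted text, while a scanner that undoes every possible alphabetic shift before matching (the simplest form of the normalisation a real engine performs on encoded data) recovers the match and reports the shift that was used. The signature list and the messages are constructed for the demonstration.

```python
from __future__ import annotations

# Signature dictionary and messages are constructed for this example.
SIGNATURES = ["LOVE", "KEYLOG"]


def shift_text(text: str, k: int) -> str:
    """Shift each letter k steps forward in the alphabet (the paper's
    substitution example); non-letters pass through unchanged.
    A negative k undoes a forward shift."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + k) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + k) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def naive_scan(text: str, signatures: list[str]) -> list[str]:
    """Dictionary scan as described in the paper: report every signature
    string that occurs verbatim in the scanned text."""
    return [sig for sig in signatures if sig in text]


def shift_aware_scan(text: str, signatures: list[str]) -> list[tuple[str, int]]:
    """Try all 26 alphabetic shifts, undo each one, and scan the result.
    Returns (signature, shift) pairs so the analyst also learns how the text
    was encoded. Normalising the data before matching is what lets a scanner
    see through a fixed substitution."""
    hits = []
    for k in range(26):
        candidate = shift_text(text, -k)   # undo a forward shift of k
        for sig in signatures:
            if sig in candidate:
                hits.append((sig, k))
    return hits


def demo() -> dict:
    plain = "I LOVE YOU"
    encoded = shift_text(plain, 1)          # "J MPWF ZPV", as in the paper
    return {
        "encoded": encoded,
        "naive_on_plain": naive_scan(plain, SIGNATURES),
        "naive_on_encoded": naive_scan(encoded, SIGNATURES),
        "shift_aware_on_encoded": shift_aware_scan(encoded, SIGNATURES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a defender is that a fixed substitution only defeats the verbatim match; the cost of trying all keys of a small keyspace is negligible, which is why scanners normalise (or emulate the decryption of) encoded data before comparing it with the dictionary.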
[Figure: layout of the crypted output file, consisting of a Stub followed by the Encrypted File]
The stub is the core of the program. It is the stub's mission to carry out decryption of the file in memory and its execution, or any other custom options the programmer has given the crypter. Programmers reduce the size of the stub in order to reduce the size of the output file (stub + encrypted file). This helps the stub go unnoticed, since there are only a few bytes of difference between the original input file and the output file (output file - input file = stub size). A stub should be judged on its functionality as well as its stability and security [10].
When the crypter is scan time, the crypted file drops the original virus out: it writes the decrypted bytes to a file. This is called dropping. The dropped file (in this case the original virus) is then executed using the ShellExecute command or similar. These kinds of crypters are GOOD, because when the file is dropped, the antivirus catches it. With a run time crypter, the decrypted bytes are executed in memory, which means it uses a RunPE (Run Portable Executable) technique: it injects the bytes into an active process, so the antivirus does not get the chance to catch them. These kinds of crypters are BAD. When a crypter is run time, it is automatically scan time too; if the crypter is scan time, then it is ONLY scan time.
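As an added example, not from the paper, the two behaviours described above map onto host telemetry differently: a scan time crypter writes a decrypted executable to disk and launches it (a file create followed by a process create from that path, with the writer as parent), while a run time crypter shows no new file but a thread created in another process. The Python below runs two such rules over constructed, simplified event lines; the event names are borrowed from Sysmon's FileCreate, ProcessCreate and CreateRemoteThread events, but the one-line key=value format is an assumption made for this example.

```python
from __future__ import annotations

# Constructed, simplified host events (not real Sysmon output). The "target"
# field carries the created path, "parent:<pid>" or the image a thread was
# created in, depending on the event type.
LOG = r"""
10:00:01 FileCreate pid=1200 image=C:\Users\u\invoice.exe target=C:\Users\u\AppData\Local\Temp\payload.exe
10:00:02 ProcessCreate pid=1300 image=C:\Users\u\AppData\Local\Temp\payload.exe target=parent:1200
10:01:10 ProcessCreate pid=1400 image=C:\Users\u\report.exe target=parent:800
10:01:11 CreateRemoteThread pid=1400 image=C:\Users\u\report.exe target=C:\Windows\System32\svchost.exe
10:02:00 FileCreate pid=900 image=C:\Windows\explorer.exe target=C:\Users\u\notes.txt
10:02:05 ProcessCreate pid=1500 image=C:\Windows\System32\notepad.exe target=parent:900
"""


def parse_events(log: str) -> list[dict]:
    """Turn each non-empty line into a dict of its fields."""
    events = []
    for line in log.strip().splitlines():
        ts, name, *fields = line.split()
        ev = {"ts": ts, "event": name}
        for tok in fields:
            key, value = tok.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (pattern, pid, detail) findings.

    dropper  : an executable written to disk, then started with the writer
               as its parent. This is the scan time behaviour, where the
               on-disk file is exposed to the on-access scanner.
    injection: a thread created in another process. This is the run time
               (RunPE-style) behaviour, where the decrypted code never
               touches disk and only memory or behaviour telemetry sees it."""
    findings = []
    dropped: dict[str, str] = {}   # lower-cased path -> pid that wrote it
    for ev in events:
        if ev["event"] == "FileCreate" and ev["target"].lower().endswith(".exe"):
            dropped[ev["target"].lower()] = ev["pid"]
        elif ev["event"] == "ProcessCreate":
            parent = ev["target"].split(":", 1)[1]
            image = ev["image"].lower()
            if dropped.get(image) == parent:
                findings.append(("dropper", ev["pid"], ev["image"]))
        elif ev["event"] == "CreateRemoteThread":
            findings.append(("injection", ev["pid"], ev["target"]))
    return findings


if __name__ == "__main__":
    for pattern, pid, detail in detect(parse_events(LOG)):
        print(f"{pattern:9} pid={pid} {detail}")
```

The benign explorer/notepad pair at the end of the log is there to show that the dropper rule keys on an executable being written and then started by its writer, not on process creation alone.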
The crypter takes the original binary of your .exe, applies several layers of encryption to it and stores the result at the end of the file (EOF), so that a new crypted executable file is created.
[Figure: original exe versus crypted exe, shown as byte patterns (ORIGINAL) 001 and (CRYPTED) 010]
The new exe is not detected by antiviruses because its code is scrambled by the crypter. When executed, the new .exe file decrypts the binary in small pieces at a time and injects them into another already running process or into a new empty one, or it drops the code in multiple chunks into alternate data streams (not scanned by antivirus) and then executes it as a .txt or .mp3 file.
1. Download a free FUD crypter (e.g. abc; the crypter name is obfuscated).
2. Open the FUD crypter, select your keylogger or RAT file as the server file, then go to the Appearance tab, check "custom icon" and select your icon (an icon pack is also included).
3. Finally click "Crypt"; you will now get a crypted file which is totally undetectable by antiviruses.
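Because the crypted file stores the encrypted original after the end of the real executable, a defender's check is to compute where the last PE section ends and measure what follows it (the overlay). The Python below, an added example that is not the paper's code, parses only the PE header fields needed for that, reports the overlay size and Shannon entropy, and builds a constructed toy PE to demonstrate; the 1024-byte and 7.0-bit thresholds in flag_suspicious_overlay are assumptions for illustration. Signed executables legitimately carry an Authenticode certificate table in the overlay, so size together with entropy, not presence alone, is the useful signal.

```python
from __future__ import annotations

import math
import struct
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, typical of encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def overlay_info(data: bytes) -> tuple[int, int, float]:
    """Return (end_of_last_section, overlay_size, overlay_entropy).

    Reads e_lfanew, NumberOfSections, SizeOfOptionalHeader and each section's
    SizeOfRawData / PointerToRawData; everything past the furthest section
    end is overlay, which is where an EOF-appended payload lives."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional
    end = 0
    for i in range(num_sections):
        hdr = section_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    overlay = data[end:]
    return end, len(overlay), shannon_entropy(overlay)


def flag_suspicious_overlay(data: bytes, min_size: int = 1024,
                            min_entropy: float = 7.0) -> bool:
    """Assumed thresholds for illustration: a large, near-random overlay is
    the shape a crypter's appended payload takes. A production tool would
    also parse the security directory to exclude Authenticode data."""
    _, size, ent = overlay_info(data)
    return size >= min_size and ent >= min_entropy


def build_toy_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped file: DOS header, PE signature, COFF
    header, no optional header, one section. It carries only the fields
    overlay_info reads and is not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_sections, size_of_optional = 1, 0
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0,
                       size_of_optional, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + size_of_optional + 40 * num_sections
    raw_ptr = (raw_ptr + 0x1FF) & ~0x1FF          # 512-byte file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + section
    header += b"\0" * (raw_ptr - len(header))
    return header + section_data + overlay


if __name__ == "__main__":
    clean = build_toy_pe(b"\x90" * 200)
    appended = build_toy_pe(b"\x90" * 200, bytes(range(256)) * 4)  # random-looking tail
    for name, blob in (("clean", clean), ("appended", appended)):
        end, size, ent = overlay_info(blob)
        print(f"{name}: sections end at {end}, overlay {size} bytes, "
              f"entropy {ent:.2f}, flagged={flag_suspicious_overlay(blob)}")
```

Run against real files, the same function gives the overlay size and entropy of installers, self-extracting archives and signed binaries as well, which is why the entropy threshold matters more than the mere existence of trailing data.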
4. Conclusion
This paper presents an attack pattern called bypassing antivirus using a crypter, which shows that common implementations of kernel mode hooks are not secure. This attack represents a serious threat because many security software vendors base their security features on hooking. The general purpose of this text is to educate the reader about crypters, so that they can help protect themselves against them and try to prevent them from doing any further damage. This paper thus aims to raise the level of awareness about the security of security products.
References
[1] David M. Chess, Steve R. White. An undetectable computer virus, IBM Thomas J. Watson Research Center, Hawthorne, U.S.
[2] Lupin. Bypassing antivirus detection: Netcat, the grey corner, 2010.
[3] Amit Malik. Bypassing antivirus using code injection technique, securityxploded, 2010.
[4] Taking back netcat, Fully undetected crypter, team5150, 2009. http://team5150.com/~random/apps/netcat/Taking_Back_Netcat.pdf
[5] Taylor Thomas. Heuristic antivirus detection, toptenreviews, 2010.
[6] Andrew J Lee, Frederic Bonory. Virus-specific antivirus products, claymania creations, 2001.
[7] Build your own executable crypter, megapanzer. http://www.megapanzer.com/wpcontent/uploads/Build_your_own_executable_crypter.pdf
[8] How to cover your tracks, freeworld. http://freeworld.thc.org/papers/COVER-1.TXT
[9] Fast and furious reverse engineering, titan.reversinglabs.com, 2009. http://www.blackhat.com/presentations/bh-usa-09/VUKSAN/BHUSA09-Vuksan-FastFuriousPAPER.pdf
[10] Shawn. The crypter blueprint, Xinfiltrate-crypter.net, 2005.
[11] Gunter Ollmann. Serial variant evasion tactics: Techniques used to automatically bypass antivirus technologies, white paper, Damballa, 2009.
[12] Lakshman Nataraj, Gregoire Jacob, B.S. Manjunath. Detecting packed executables based on raw binary data, Vision Research Lab, 2010.
[13] Crypting guide, hackfacebooknow. http://hackfacebooknow.com/wp-content/cryptingguide.pdf
[14] Carlos Fragoso Mariscal. Facing the dark side of the internet, 1st Spanish network operators group meeting, 2009.
[15] Tomislav Pericin. Reversing software compressions, ReversingLabs, 2011. http://reversinglabs.com/download/Recon%20-%20Reversing%20software%20compressions.pdf
[16] Nicolas Brulez. Turbo unpacking, Global Research and Analysis Team, Kaspersky Lab, 2011.
[17] Network Box technical paper, The Network Box antivirus solution, Network Box Limited, 2005. http://www.cuispa.org/docs/ac_NBUSA_AntiVirus.pdf
[18] Defence in depth, an information security blog, 2009. http://www.defenceindepth.net/2009/12/bypassing-anti-virus.html
[19] Antivirus software work, antivirus world, 2008. http://www.antivirusworld.com/articles/antivirus.php
[20] KHOBE-8.0 earthquake for Windows desktop security software, matousec, 2010. http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-securitysoftware.php
[21] Anti virus software, computer supports. http://computer-supports.com/anti-virus-software/
[22] Quick and easy guide to antivirus, cyber laws. http://cyber.laws.com/anti-virus
[23] Antivirus, ab4unet blogspot, 2012. http://ab4unet.blogspot.com/2012/04/antivirus.html
[24] Cryptography very basic guide, blog learn hacking, 2010. http://blog.learn-hacking.in/2010/11/cryptography-very-basics-this-guide-is.html
[25] AIO fud crypter bypass antivirus detection, wildhacker, 2012. http://www.wildhacker.com/2012/02/aio-fud-crypter-2012-free-download.html
[26] Shadow net aka. Ultimate guide on crypters, leethackers. http://www.scribd.com/doc/55421189/Ultimate-Guide-on-Crypters
[27] Undo crypters, softpedia. http://www.softpedia.com/progScreenshots/UnDo-Crypter-Screenshot76281.html
[28] Star crypter. http://www.starcrypter.com/screenshots
Author Profile
A. Sankara Narayanan is presently working in Technical Support in the Department of Information Technology at Salalah College of Technology, Salalah, Sultanate of Oman. He has 9 years of networking/system experience and 4 years of information security experience, and 6 international journal publications. His research interests include ethical hacking, computer forensics, malware and information security.