
International Journal of Computational Intelligence and Information Security, May 2012, Vol. 3, No. 5, ISSN: 1837-7823

Bypassing Antivirus with Crypters


A. Sankara Narayanan
Department of Information Technology, Salalah College of Technology, Salalah, Sultanate of Oman
Sankar2079@gmail.com

Abstract
Whether a system is compromised for legitimate or illegitimate purposes, bypassing antivirus software is often an integral step in the intrusion. Fortunately for enterprises, antivirus and antimalware software is now commonplace in most organizations, so malware writers employ several techniques to evade detection. In recent years the number of variants detected each day has increased significantly, and traditional approaches such as signature scanning, one of the most common techniques employed by antivirus companies, are becoming inefficient for the volume of samples found in the wild. To bypass such filters, malware writers obfuscate and transform the code of their creations. This paper discusses one method of bypassing antivirus: crypters. Many of the tools that attackers wish to use are constantly being blacklisted, and antivirus vendors implement ever more complex functions and algorithms to detect the latest viruses and their variants. There are, however, simple methods that bypass most of these products, especially those that do not use heuristics or similar techniques at all.

Keywords: Crypters, Signature based detection, Heuristic detection

1. Introduction
One of the few solid theoretical results in the study of computer viruses is Frederick B. Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses [1]. The proof relies on the infect-and-spread ability of computer viruses; that replicating ability, however, is not necessarily present in malware. Computer virus, in its recent meaning, and malware are overlapping terms but not synonyms: the difference is between code with the ability to infect and spread and code with a malicious purpose. The task of today's security software is to protect computers against malware and hacker attacks. Such applications are generally very complex because they try to protect their users against threats of many kinds [20]. Security software uses signatures and heuristics to detect known viruses, rootkits and Trojan horses, and malware writers are skilled enough to write malicious software that bypasses these detection techniques. Many security software vendors have also implemented their kernel hooks poorly, so that their products created another hole in the operating system instead of protecting it [20].

2. Antivirus Identification Methods

2.1 Signature Based Detection


Traditionally, antivirus software has relied heavily on signatures to identify malware, and signature-based detection is still the most common method. To identify viruses and other malware, the antivirus software compares the contents of a file against a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole but also in pieces. This can be very effective, but it cannot defend against malware unless samples have already been obtained and signatures created; signature-based approaches are therefore not effective against new, unknown viruses [21]. As new viruses are created every day, the approach requires frequent updates of the signature dictionary. To assist the antivirus companies, the software may allow the user to upload new viruses or variants, so that the sample can be analyzed and its signature added to the dictionary [22]. Signatures are produced by human experts using reverse engineering; an example of software used in reverse engineering is the Interactive Disassembler (IDA), which implements no antivirus protection itself but facilitates human analysis. Although the signature-based approach can effectively contain virus outbreaks, virus authors try to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify their code as a disguise, so that they no longer match the signatures in the dictionary.
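The following is an added example, not code from the paper: a minimal signature scanner that searches a file both whole and in pieces, as described above, together with the one-byte disguise that defeats it. The signature dictionary, the detection names and the sample "infected" file are all constructed for illustration; real engines use far richer signatures than a plain byte pattern.

```python
# Added example (not from the paper): signature scanning whole and in pieces,
# and why a trivial byte transformation evades it.
import io
from typing import BinaryIO, Dict, List

# Constructed signature dictionary: detection name -> byte pattern. Real engines
# use offsets, wildcards and hashes; these two plain patterns are illustrative.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Dropper": b"cmd.exe /c del",
    "Demo.Keylogger": b"SetWindowsHookExA",
}

# Constructed "infected" file: a fake header, filler, and one malicious string
# placed so that it straddles a 4096-byte chunk boundary (bytes 4094..4107).
SAMPLE = b"MZ\x90\x00" + b"A" * 4090 + b"cmd.exe /c del C:\\secrets" + b"\x00" * 100


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Names of every signature whose pattern occurs anywhere in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def scan_chunks_naive(stream: BinaryIO, chunk_size: int = 4096,
                      signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scan piece by piece with no overlap: misses a pattern split across chunks."""
    found = set()
    while chunk := stream.read(chunk_size):
        found.update(scan_bytes(chunk, signatures))
    return sorted(found)


def scan_chunks(stream: BinaryIO, chunk_size: int = 4096,
                signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scan in pieces, carrying (longest pattern - 1) bytes of the previous chunk
    forward so that every occurrence lies completely inside some window."""
    overlap = max(len(p) for p in signatures.values()) - 1
    found = set()
    tail = b""
    while chunk := stream.read(chunk_size):
        window = tail + chunk
        found.update(scan_bytes(window, signatures))
        tail = window[-overlap:] if overlap else b""
    return sorted(found)


def disguise(data: bytes, key: int = 0x5A) -> bytes:
    """XOR every byte with one key. Every byte changes, so no pattern matches,
    yet applying the same key again restores the original exactly."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    print("whole file:", scan_bytes(SAMPLE))
    print("naive chunks:", scan_chunks_naive(io.BytesIO(SAMPLE)))
    print("overlapping chunks:", scan_chunks(io.BytesIO(SAMPLE)))
    print("disguised:", scan_bytes(disguise(SAMPLE)))
```

The naive chunked scan shows why "in pieces" must be done with overlap: the pattern begins two bytes before the chunk boundary and is never seen whole. The disguised copy shows the other half of the story: a signature is a statement about bytes on disk, and any reversible transformation of those bytes, however weak, leaves nothing for the pattern to match until the bytes are restored.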

2.2 Heuristic Detection


Heuristic detection is an effective way to locate unknown threats and provides the most up-to-date real-time protection. This sort of scanning and analysis takes time, which may slow down system performance, and the main concern with heuristic detection is that it increases false positives [5]. A false positive is when the antivirus software determines that a file is malicious (and quarantines or deletes it) when in reality it is perfectly fine and wanted; because some files look like viruses but are not, they are blocked from running on the computer. Heuristic virus detection is a fancy way of a scanner saying, "I'm guessing that is a virus". Heuristic scanning engines work on the principle that viruses usually use certain tricks or methods of infecting, so if a program looks like it might be using those tricks, there is a possibility that it is a virus. A more aggressive heuristic scanner may detect large numbers of false positives, i.e. files that are totally innocent but look like they might alter other files; a less aggressive one may miss files that really are viruses. In practice heuristics work quite well for some types of viruses, such as macro viruses, but not so well for others; still, they are a reasonable attempt at protecting against currently unknown viruses [6]. Variants of a virus are described as "oligomorphic", "polymorphic" or "metamorphic" when the differences between specific variants of the same virus are large. For such cases there are dedicated statistical algorithms, implemented in the real-time protection, which analyse software behaviour. This approach is not exact and results in higher resource usage on the computer.

Since the development of oligomorphic, polymorphic and metamorphic engines is difficult and the resulting code is relatively large, and since such cases are rare, this approach can be used with a relatively high success rate [24]. Designing the algorithm may require human ingenuity. If the antivirus software employs heuristic detection, success depends on striking the right balance between false positives and false negatives. Because both are possible, the identification process is subject to human assistance, which may include user decisions as well as analysis by an expert at the antivirus company.
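The false-positive trade-off described above can be seen with a single concrete heuristic. The following is an added example, not code from the paper: it scores buffers by byte entropy, a rule that real engines apply to detect packed or encrypted content, and runs it over three constructed samples. The samples, the labels and the thresholds are assumptions made here for illustration; the point is that an encrypted payload and a harmless compressed file look alike to this rule.

```python
# Added example (not from the paper): an entropy heuristic and the
# true/false positive counts it produces at different thresholds.
import hashlib
import math
import zlib
from collections import Counter
from typing import Dict, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_flags(data: bytes, threshold: float) -> bool:
    """The one-rule heuristic: flag a buffer whose entropy exceeds the threshold."""
    return shannon_entropy(data) > threshold


# Constructed samples: name -> (bytes, is_actually_malicious).
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 200
# Deterministic stand-in for an encrypted payload: a chain of SHA-256 digests.
ENCRYPTED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
# A benign but incompressible file: hex text run through deflate at level 9.
COMPRESSED_BENIGN = zlib.compress(
    b"".join(hashlib.sha256(str(i).encode()).hexdigest().encode() for i in range(512)), 9)

SAMPLES: Dict[str, Tuple[bytes, bool]] = {
    "plain_text": (PLAIN_TEXT, False),
    "encrypted_payload": (ENCRYPTED_PAYLOAD, True),
    "compressed_benign": (COMPRESSED_BENIGN, False),
}


def evaluate(threshold: float,
             samples: Dict[str, Tuple[bytes, bool]] = SAMPLES) -> Dict[str, int]:
    """Count true/false positives and negatives for one threshold."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for data, malicious in samples.values():
        flagged = heuristic_flags(data, threshold)
        if flagged and malicious:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for name, (data, _) in SAMPLES.items():
        print(f"{name:18s} entropy={shannon_entropy(data):.2f}")
    for t in (7.2, 9.0):
        print(f"threshold {t}: {evaluate(t)}")
```

At a threshold of about 7.2 bits per byte the rule catches the encrypted payload but also flags the compressed file (one true positive, one false positive); raising the threshold until the compressed file passes also lets the payload through (a false negative). That is the balance the text refers to, and it is why a heuristic verdict on a crypted file usually goes to an analyst rather than straight to deletion.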

3. Crypters
Early in the study of cryptography one comes across a very basic and easily decoded method of encryption: ASCII shifts, or substitution. Substitution takes a block of characters and replaces each character with another. For example, if each letter of "I LOVE YOU" is shifted one step forward in the alphabet, the message becomes "J MPWF ZPV". This is the basic idea behind crypting. An attacker uses a crypter, which encrypts the payload (the RAT "server", keylogger or other malicious executable) and adds junk code to it; there are many crypting methods for this [24]. A crypter is a program that makes other programs Undetectable (UD) or Fully Undetectable (FUD): a UD file is detected by only a few antivirus products, and a FUD file by none. Crypters are used to hide viruses, RATs (Remote Administration Tools) and keyloggers from antivirus products so that they are neither detected nor deleted. Thus a crypter is a program that lets users encrypt the executable of their program. Generally, antivirus software works by splitting the application's binary into pieces and searching for certain byte strings within it [25]. If the antivirus detects a known malicious string, it either stops the scan or deletes the file as a virus. The aims of a crypter are to protect the executable and to make it difficult to analyze or reverse engineer. Malware is mostly distributed as executables, and public malware is generally detected by antivirus products, so crypters are used to make such files Fully Undetectable (FUD).

3.1 File crypter architecture
The concept of crypting a file is to encrypt it so that the crypted file is undetectable to antivirus software, or so that unpacking it is harder. The output consists of two parts: the stub and the encrypted file.

Figure 1: Memory-executing crypter stub (stub followed by the encrypted file)

The stub is the core of the program. Its mission is to carry out decryption of the file in memory and then execute it, or to perform other custom options the crypter's programmer has added. Programmers keep the stub small in order to keep the output file (stub + encrypted file) small; if there is only a few bytes' difference between the input file and the output file (output file size minus input file size = stub size), the stub is more likely to go unnoticed. A stub should be judged on its functionality as well as its stability and security [10].

Figure 2: Crypter program execution [10]

Figure 3: Stub program execution [10]


3.2 Crypter automation method


There are usually two files, the crypter and the stub, although most crypters have an inbuilt stub. The user drags and drops the desired file onto the crypter's "drag and drop files here" area. After the Crypt button is pressed, the crypter reads the bytes of the selected file and encrypts them. It then writes the encrypted bytes into the stub, using the end of file (EOF), the resource section or other methods, and the stub holding that data becomes the output file. When the output file is executed, the bytes are decrypted using the same encryption method; after decryption they are turned back into a file, or into an in-memory image, and executed. Some crypters are scan-time and some are run-time [26].

Figure 4: Undo crypter automation [27]

With a scan-time crypter, the crypted file drops the original virus out, i.e. it writes the decrypted bytes to a file on disk (this is called dropping), and the dropped file (the original virus) is executed with ShellExecute or a similar call. From the defender's point of view these crypters are GOOD, because the antivirus catches the file when it is dropped. With a run-time crypter, the decrypted bytes are executed in memory using RunPE (Run Portable Executable), which injects the bytes into an active process and so bypasses the antivirus; for the defender these crypters are BAD. A run-time crypter is automatically also scan-time, since the crypted file on disk is never decrypted; a scan-time crypter is ONLY scan-time.


3.3 Work Flow

Figure 5: FUD crypter [28]

The crypter takes the original binary of the executable, applies its encryption to it and stores the result at the end of file (EOF), so a new crypted executable is created:

Original exe (ORIGINAL) 001 -> Crypted exe (CRYPTED) 010

The new executable is not detected by antivirus products because its code is scrambled by the crypter. When executed, the new .exe decrypts the binary a few pieces of data at a time and injects them into another existing process or a new empty one; alternatively it drops the code in multiple chunks into alternate data streams (which antivirus products may not scan) and then executes it from there under a harmless-looking name such as a .txt or .mp3 file.

1. Download a free FUD crypter (the crypter's name is withheld here).
2. Open the FUD crypter and select your keylogger or RAT file as the server file; then go to the Appearance tab, check "custom icon" and select an icon (an icon pack is included).
3. Finally click "Crypt"; the result is a crypted file that, at that moment, is not detected by antivirus products.
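The following is an added example, not code from the paper or from any crypter it cites: the stub + encrypted-payload layout of sections 3.1 to 3.3, built with plain bytes so it runs anywhere. The trailer format, the marker, the placeholder "stub" and the placeholder "server" executable are all assumptions made here; the RunPE step is replaced by simply returning the decrypted bytes, so nothing is written to disk or executed. It shows where a byte-pattern signature for the original still fires (scan time versus run time), and why a stub that never changes becomes a signature of its own.

```python
# Added example (not from the paper): crypter build and stub recovery as bytes.
import os
import struct
from typing import Dict, Optional

# Assumed trailer layout, a simplification of "writes the encrypted bytes to
# the stub using EOF":  stub || enc_payload || key || klen:u32 || plen:u32 || MARKER
MARKER = b"--CRYPTED-PAYLOAD--"

# Constructed stand-in for a compiled stub. A real stub is native code that
# reads its own file, parses the trailer, decrypts, and runs the result.
STUB = b"MZ\x90\x00STUB: read self, parse trailer, decrypt, run in memory" + b"\x00" * 64

# Constructed stand-in for the "server" (RAT or keylogger) being crypted; it
# carries one string that a constructed signature looks for.
ORIGINAL_EXE = b"MZ\x90\x00" + b"\xcc" * 200 + b"SetWindowsHookExA" + b"\xcc" * 200
SIGNATURE = b"SetWindowsHookExA"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crypt(original: bytes, stub: bytes = STUB, key: Optional[bytes] = None) -> bytes:
    """Crypter side: encrypt the input and append it, with its key, after the stub."""
    if key is None:
        key = os.urandom(16)  # fresh key per build: every payload byte differs per output
    enc = xor_stream(original, key)
    return stub + enc + key + struct.pack("<II", len(key), len(enc)) + MARKER


def stub_recover(crypted: bytes) -> bytes:
    """Stub side: parse the trailer from the end of the file and decrypt in memory.

    Parsing from the end, rather than searching for MARKER, means a copy of the
    marker bytes inside the encrypted payload cannot confuse the stub.
    """
    if not crypted.endswith(MARKER):
        raise ValueError("no payload trailer")
    end = len(crypted) - len(MARKER)
    klen, plen = struct.unpack_from("<II", crypted, end - 8)
    key_start = end - 8 - klen
    enc_start = key_start - plen
    if klen == 0 or enc_start < 0:
        raise ValueError("truncated or corrupt trailer")
    key = crypted[key_start:end - 8]
    enc = crypted[enc_start:key_start]
    return xor_stream(enc, key)


def detection_report(crypted: bytes, signature: bytes = SIGNATURE) -> Dict[str, bool]:
    """Where a byte-pattern signature for the original payload would fire."""
    return {
        # Scan time: the file on disk. The payload bytes are encrypted, so no match.
        "scan_time": signature in crypted,
        # Run time: what a memory scanner, or the dropped file of a scan-time
        # crypter, sees once the stub has decrypted the payload.
        "run_time": signature in stub_recover(crypted),
        # The stub is identical in every output, so a signature taken from the
        # stub catches every file built with it, whatever the payload.
        "stub_signature": crypted.startswith(STUB),
    }


if __name__ == "__main__":
    out = crypt(ORIGINAL_EXE)
    print("output size:", len(out), "stub size:", len(STUB))
    print(detection_report(out))
```

Two things follow from the report. A fresh random key per build makes every crypted payload byte-for-byte unique, which is exactly why scan-time signatures on the payload fail; but the stub is shared by every build, so vendors signature the stub instead, which is why "FUD" crypters stop being FUD within days of release. And the decrypted image is unchanged, so a memory scan at run time, or a scan of the dropped file, detects it as if it had never been crypted.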

4. Conclusion
This paper has presented the attack pattern of bypassing antivirus with a crypter. The attack represents a serious threat because many security software vendors base their detection on signatures and on hooking, and common implementations of kernel-mode hooks are not secure. The general purpose of this text is to educate readers about crypters so that they can protect themselves against them and prevent further damage. This paper thus aims to raise awareness of the security of security products.

International Journal of Computational Intelligence and Information Security, May 2012 Vol. 3, No. 5 ISSN: 1837-7823

References

[1] David M. Chess, Steve R. White. An undetectable computer virus, IBM Thomas J. Watson Research Center, Hawthorne, U.S.
[2] Lupin. Bypassing antivirus detection: Netcat, The Grey Corner, 2010.
[3] Amit Malik. Bypassing antivirus using code injection technique, SecurityXploded, 2010.
[4] Taking back Netcat: Fully undetected crypter, team5150, 2009. http://team5150.com/~random/apps/netcat/Taking_Back_Netcat.pdf
[5] Taylor Thomas. Heuristic antivirus detection, TopTenReviews, 2010.
[6] Andrew J. Lee, Frederic Bonory. Virus-specific antivirus products, Claymania Creations, 2001.
[7] Build your own executable crypter, Megapanzer. http://www.megapanzer.com/wpcontent/uploads/Build_your_own_executable_crypter.pdf
[8] How to cover your tracks, freeworld. http://freeworld.thc.org/papers/COVER-1.TXT
[9] Fast and furious reverse engineering, titan.reversinglabs.com, 2009. http://www.blackhat.com/presentations/bh-usa-09/VUKSAN/BHUSA09-Vuksan-FastFuriousPAPER.pdf
[10] Shawn. The crypter blueprint, Xinfiltrate-crypter.net, 2005.
[11] Gunter Ollmann. Serial variant evasion tactics: Techniques used to automatically bypass antivirus technologies, white paper, Damballa, 2009.
[12] Lakshman Nataraj, Gregoire Jacob, B. S. Manjunath. Detecting packed executables based on raw binary data, Vision Research Lab, 2010.
[13] Crypting guide, hackfacebooknow. http://hackfacebooknow.com/wp-content/cryptingguide.pdf
[14] Carlos Fragoso Mariscal. Facing the dark side of the internet, 1st Spanish Network Operators Group meeting, 2009.
[15] Tomislav Pericin. Reversing software compressions, ReversingLabs, 2011. http://reversinglabs.com/download/Recon%20-%20Reversing%20software%20compressions.pdf
[16] Nicolas Brulez. Turbo unpacking, Global Research and Analysis Team, Kaspersky Lab, 2011.
[17] Network Box technical paper: The Network Box antivirus solution, Network Box Limited, 2005. http://www.cuispa.org/docs/ac_NBUSA_AntiVirus.pdf
[18] Defence in Depth, an information security blog, 2009. http://www.defenceindepth.net/2009/12/bypassing-anti-virus.html
[19] How antivirus software works, Antivirus World, 2008. http://www.antivirusworld.com/articles/antivirus.php
[20] KHOBE - 8.0 earthquake for Windows desktop security software, Matousec, 2010. http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-securitysoftware.php
[21] Anti virus software, Computer Supports. http://computer-supports.com/anti-virus-software/
[22] Quick and easy guide to antivirus, Cyber Laws. http://cyber.laws.com/anti-virus
[23] Antivirus, ab4unet blogspot, 2012. http://ab4unet.blogspot.com/2012/04/antivirus.html
[24] Cryptography very basic guide, Blog Learn Hacking, 2010. http://blog.learn-hacking.in/2010/11/cryptography-very-basics-this-guide-is.html
[25] AIO FUD crypter bypass antivirus detection, WildHacker, 2012. http://www.wildhacker.com/2012/02/aio-fud-crypter-2012-free-download.html
[26] Shadow Net aka. Ultimate guide on crypters, LeetHackers. http://www.scribd.com/doc/55421189/Ultimate-Guide-on-Crypters
[27] Undo crypters, Softpedia. http://www.softpedia.com/progScreenshots/UnDo-Crypter-Screenshot76281.html
[28] Star crypter. http://www.starcrypter.com/screenshots

Author Profile
A. Sankara Narayanan is presently working in technical support in the Department of Information Technology at Salalah College of Technology, Salalah, Sultanate of Oman. He has nine years of networking and systems experience and four years of information security experience, and has published six papers in international journals. His research interests include ethical hacking, computer forensics, malware and information security.
