Nytro

Bypassing all anti-virus in the world (Good Bye Detection , Hello Infection)

bypassing all anti-virus in the world (Good Bye Detection , Hello Infection)

Posted by shahin in news, Pen-test Method, reversing

Hello to all readers.

Introduction

As you may have read from @abysssec on Twitter, in the past few months we did some cool research on bypassing anti-viruses and got really great results.

Bypassing anti-viruses is not a new topic, and it's still about encrypting / decrypting a program to hide it from AV eyes. In the past it was a really, really easy task to do, but AVs are getting smarter, and bypassing all anti-viruses, with the really unique methods each of them uses, is neither funny nor easy to do.

Before I go further, I'd like to give a simple glossary for unfamiliar readers.

Glossary

Crypter : the program (mostly GUI) that will encrypt the malware / bot to hide it from anti-viruses

Stub : the decryptor of the encrypted program

FUD : Fully UnDetectable (FUD = no AV detects it)

RunPE : run the PE without headers in memory

USG : unique stub generator (makes unique stubs)

Binder : will join two files, which will be dropped on HDD or in memory

Pumper : will increase the size of the tool

EOF : end of file (in a crypter it needs to be preserved)

Cloner : will clone the file (decryptor-like, on HDD)

Icon Changer : will change the final exe icon

Well, there are also two different kinds of crypters: scan time and run time. The good crypter is the run-time one because, as its name says, the scan-time crypter is only FUD at scan time; when you run it, after the real malware is decrypted it will be detected, so it's not that useful. The real crypter is the run-time one.

How it works ?

If we remove all the complex technical info, bypassing all 35 anti-viruses around the world works really simply.

(image: encryption.png)

(image: decryption.png)

It simply encrypts the program, decrypts it, and then runs it in memory. The encryption algorithm is not important, and simple ideas are enough to make a crypter FUD.

But some of the most used algorithms are:

I. RC4

II. AES

III. DES

IV. TEA

V. XOR

VI. CryptoAPI

VII. blowfish

Note that there is an important part in your job, and that is running the malware safely in memory after decrypting it; this is done by RunPE. The idea of RunPE comes from a great PoC by Tan Chew Keong called Dynamic Forking of Win32 EXE: SIG^2 G-TEC - Dynamic Forking of Win32 EXE

The steps and idea are really simple:

CreateProcess

Find Base address

VirtualAlloc

Align sections

Fix thread context

Resume thread

But it is not easy to hide this kind of API chaining from anti-viruses.

So we finished our research by writing a new FUD crypter; our crypter is unique and different from the public ones.

Our crypter is unique and can bypass all 35 AVs that exist right now.

Here is the list of AVs we fully tested our crypter on:

- Ad-Aware
- AhnLab V3 Internet Security
- ArcaVir
- Avast
- Avast 5
- AVG Free
- AntiVir (Avira)
- BitDefender
- BullGuard
- VirusBuster Internet Security
- Clam Antivirus
- COMODO Internet Security
- Dr.Web
- eTrust-Vet
- F-PROT Antivirus
- F-Secure Internet Security
- G Data
- IKARUS Security
- Kaspersky Antivirus
- McAfee
- MS Security Essentials
- ESET NOD32
- Norman
- Norton Antivirus
- Panda Security
- A-Squared
- Quick Heal Antivirus
- Rising Antivirus
- Solo Antivirus
- Sophos
- Trend Micro Internet Security
- VBA32 Antivirus
- Vexira Antivirus
- Webroot Internet Security
- Zoner AntiVirus

We even tested 10-year-old malware, and our crypter can hide it from any anti-virus system.

Our crypter comes with some unique features; here are some of them:

- FUD 0 / 35 detection
- EOF support
- Coded in C/ASM (stub) and C# (GUI)
- Compatible with Win 2k/XP/7 x32 and x64
- Ability to bypass heuristics and emulators (Kaspersky Proactive Defense, NOD32 advanced heuristics, Norton SONAR, Avira heuristics)
- Command line support
- Unicode support (Chinese, Russian and so on)
- Right-to-Left exploit: after crypting you can have .mp3, .doc, .pdf, .avi or anything as output !!!
- Inbuilt scanner, scanning with 35 anti-viruses after crypting
- Advanced file binder with drop on disk and in memory
- Anti-debug
- Anti-sandbox
- Advanced encryption: Double XOR, RC4, AES256
- Advanced resource storage: unique method

Here are some screenshots of the GUI:

(image: 77969111.png)

(image: 52669995.png)

(image: 79635338.png)

(image: 13548031.png)

And finally you can see the actual work in a demo here:

http://abysssec.com/files/VampCrypt.rar

As we don't want to harm anyone, if you are:

- penetration testing company

- anti virus / IDS company

- any legit company who needs it

"Please note that WE DON'T give the tool / technology to a PERSON. ONLY to a VERIFIED COMPANY."

Contact : info [at] abysssec.com

And as always you can follow @abysssec on Twitter.

Happy fudding.

Source: bypassing all anti-virus in the world (Good Bye Detection , Hello Infection) | Abysssec Security Research

From the subject of the post it sounds like it would get past any AV without problems and all that. I'm sure that in a while it will be shown that the claim is completely false. They gave no details, they just posted some screenshots of the GUI. I have nothing to do with cryptography, but they rely on security by obscurity, and it's only a matter of time until someone cracks it (see the decryption of satellite phone calls).

They probably want to make some money out of this (not that that's bad), but to say you've made a mega-crypter is a bit much; you have to leave the algorithm open source for a while so it can be attacked from as many sides by as many researchers as possible, and only after they fail to get anything out of it can you claim that.

I recently read somewhere that this is also how it's done with encryption algorithms that aren't meant for hiding things from AVs. To you as the creator it seems bullet-proof, but very often it turns out not to be. Most encryption algorithms were published, people waited a while until they had been turned over from every side, and only after that did they start to be used on a large scale.

The encryption algorithm has nothing to do with it; antiviruses detect the loading into memory, or go by other unique aspects of the executable (more precisely the stub's entry point, the section sizes, or who knows what else). For my two-cent crypter I used a stupid algorithm: add 65 to every byte. If it's more than 255, subtract 255. Something like that, I don't even remember exactly, and it worked without any problem, because EVERYTHING changes in the encrypted file, but NOTHING changes in the stub.