Bypassing all anti-viruses in the world (Good Bye Detection, Hello Infection)

Hello to all readers.

Introduction

As you may have read on @abysssec on Twitter, in the past few months we did some cool research on bypassing anti-viruses and got really great results.

Bypassing anti-viruses is not a new topic, and it is still about encrypting / decrypting a program to hide it from AV eyes. In the past it was a really, really easy task to do, but AVs are getting smarter, and bypassing all anti-viruses, each with its own unique methods, is neither fun nor easy to do.

Before I go further, I would like to give a simple glossary for unfamiliar readers.

Glossary

Crypter: the program (mostly GUI) that encrypts the malware / bot to hide it from anti-viruses

Stub: the decryptor of the crypted program

FUD: Fully UnDetectable (FUD = no AV detects it)

RunPE: runs the PE in memory without headers

USG: unique stub generator (makes unique stubs)

Binder: joins two files; will drop on HDD or in memory

Pumper: increases the size of the tool

EOF: end of file (a crypter needs to preserve it)

Cloner: clones the file (decryptor-like, on HDD)

Icon Changer: changes the final exe icon

There are also two different kinds of crypters: scan time and run time. The good crypter is the run time one, because, as its name says, a scan time crypter is only FUD at scan time; when you run it and the real malware is decrypted, it will be detected, so it is not that useful. The real crypter is the runtime one.

How it works?

If we strip away all the complex technical details, bypassing all 35 anti-viruses around the world works really simply.

It simply encrypts the program, decrypts it, and then runs it in memory. The encryption algorithm is not important, and simple ideas are enough to make a crypter FUD.

But some of the most used algorithms are:

I. RC4
II. AES
III. DES
IV. TEA
V. XOR
VI. CryptoAPI
VII. Blowfish
Note that there is an important part of the job, and that is running the malware safely in memory after decrypting it; this is done by RunPE. The idea of RunPE comes from a great PoC by Tan Chew Keong called Dynamic Forking of Win32 EXE: http://www.security.org.sg/code/loadexe.html

The steps and the idea are really simple:

 - CreateProcess
 - Find base address
 - VirtualAlloc
 - Align sections
 - Fix thread context
 - Resume thread

But it is not easy to hide this kind of API chaining from anti-viruses.
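As an added defender-side example (not the crypter from this post, and not Tan Chew Keong's PoC), here is a small matcher that flags the six-step chain above in a per-process API call trace such as a sandbox hook would record; the trace format and sample traces are constructed, and the API names assigned to each step are my assumption about how the steps are usually implemented.

```python
"""Flag the RunPE / dynamic-forking API chain in a per-process API call trace.
Added detection example, not the post's crypter. Trace format and sample traces
are constructed; API names per stage are an assumption about how each step is
usually implemented with Win32 / Nt* calls."""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit: child starts suspended

# The six steps from the post, in order: (stage, APIs that implement it, required).
# Each call alone is benign (debuggers, installers use them); the suspended child
# followed by the ordered chain is the suspicious pattern.
STAGES = [
    ("create_suspended", {"CreateProcessA", "CreateProcessW"}, True),
    ("find_base", {"GetThreadContext", "ReadProcessMemory", "NtQueryInformationProcess"}, False),
    ("alloc_remote", {"VirtualAllocEx", "NtAllocateVirtualMemory", "NtUnmapViewOfSection"}, True),
    ("align_sections", {"WriteProcessMemory", "NtWriteVirtualMemory"}, True),
    ("fix_context", {"SetThreadContext", "NtSetContextThread"}, True),
    ("resume", {"ResumeThread", "NtResumeThread"}, True),
]


def detect_runpe(trace):
    """Return stage names matched in order, or [] if the chain is not complete.
    Optional stages may be skipped; a required stage missing or out of order
    breaks the match, which keeps plain CreateProcess/WaitForSingleObject quiet."""
    matched, idx = [], 0
    for api, args in trace:
        for j in range(idx, len(STAGES)):
            name, apis, required = STAGES[j]
            if api in apis:
                flags = args.get("dwCreationFlags", 0)
                if name == "create_suspended" and not flags & CREATE_SUSPENDED:
                    break  # ordinary CreateProcess, not the suspended child RunPE needs
                matched.append(name)
                idx = j + 1
                break
            if required:
                break  # call does not match the next required stage; do not advance
    return matched if idx == len(STAGES) else []


# Constructed sample traces (one process each), as a sandbox API hook might log.
BENIGN_TRACE = [("CreateProcessW", {"dwCreationFlags": 0}),
                ("WaitForSingleObject", {}), ("CloseHandle", {})]
RUNPE_TRACE = [("CreateProcessW", {"dwCreationFlags": CREATE_SUSPENDED}),
               ("GetThreadContext", {}), ("ReadProcessMemory", {}),   # locate image base
               ("VirtualAllocEx", {}),
               ("WriteProcessMemory", {}), ("WriteProcessMemory", {}),  # headers, sections
               ("SetThreadContext", {}), ("ResumeThread", {})]
```

Running `detect_runpe(RUNPE_TRACE)` returns all six stage names, while the benign trace and an out-of-order chain return an empty list.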

So we finished our research by writing a new FUD crypter, and our crypter is unique and different from the public ones.

Our crypter is unique and can bypass all 35 AVs that exist right now.

Here is the list of AVs we fully tested our crypter on:

 - Ad-Aware
 - AhnLab V3 Internet Security
 - ArcaVir
 - Avast
 - Avast 5
 - AVG Free
 - AntiVir (Avira)
 - BitDefender
 - BullGuard
 - VirusBuster Internet Security
 - Clam Antivirus
 - COMODO Internet Security
 - Dr.Web
 - eTrust-Vet
 - F-PROT Antivirus
 - F-Secure Internet Security
 - G Data
 - IKARUS Security
 - Kaspersky Antivirus
 - McAfee
 - MS Security Essentials
 - ESET NOD32
 - Norman
 - Norton Antivirus
 - Panda Security
 - A-Squared
 - Quick Heal Antivirus
 - Rising Antivirus
 - Solo Antivirus
 - Sophos
 - Trend Micro Internet Security
 - VBA32 Antivirus
 - Vexira Antivirus
 - Webroot Internet Security
 - Zoner AntiVirus

We even tested 10-year-old malware, and our crypter can hide it from any anti-virus system.

Our crypter comes with some unique features; here are some of them:

 - FUD: 0 / 35 detection
 - EOF support
 - Stub coded in C/ASM, GUI in C#
 - Compatible with Win 2k/XP/7 x32 and x64
 - Ability to bypass heuristics and emulators (Kaspersky pro-active defense, NOD32 advanced heuristics, Norton SONAR, Avira heuristics)
 - Command line support
 - Unicode support (Chinese, Russian and so on)
 - Right-to-Left Exploit: after crypting you can have .mp3, .doc, .pdf, .avi or anything as output!!!
 - Inbuilt scanner: scanning with 35 anti-viruses after crypting
 - Advanced file binder with drop on disk and in memory
 - Anti-debug
 - Anti-sandbox
 - Advanced encryption: Double XOR, RC4, AES256
 - Advanced resource storage: unique method

Here are some screenshots of the GUI:

[screenshots of the crypter GUI]

And finally you can see it actually working in a demo here:

http://abysssec.com/files/VampCrypt.rar

As we don't want to harm anyone, if you are:

- a penetration testing company

- an anti-virus / IDS company

- any legit company who needs it

Update 2012: do not send requests anymore; this project will not be shared / supported any more.

Contact: info [at] abysssec.com

And as always, you can follow @abysssec on Twitter.

Happy fudding.
