How to Make a Crypter to Evade Anti-viruses | Lucideus Research

This crypter helps a user evade antivirus software by making the payload FUD (Fully Undetectable). Basic encoding is used to change the signature of the payload. The code is restored to its original form only at runtime, which makes it hard for the antivirus software to raise a flag. It also remains dormant during dynamic analysis.

1. Bypass heuristic dynamic analysis and sandboxed environments
2. Build a C++ template that adds a decoding routine alongside the encoded payload
3. Create an encoder that can encode shellcode and .exe files directly

A simple XOR operation in a Python script is used to encode the payload. Antivirus products fail to detect this tool because static analysis does not flag it: they maintain a database of known malware code and compare the suspicious file against that database. The encoding performed by this tool changes the form of the original payload, which makes bypassing the antivirus's static analysis easy.
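The flip side of that single-byte XOR step, from the analyst's side: the keyspace is only 256 entries, so a scanner can try every key and look for a known plaintext signature in the result (the approach used by tools such as xorsearch). The following check is an added example, not the article's encoder; the PE DOS-stub string is a real signature, while the sample blob and key 0x5A are constructed for the demonstration.

```python
"""Single-byte XOR de-obfuscation check (added example, not the article's tool).

A payload XOR-ed with one key byte no longer matches its static signature,
but because there are only 256 possible keys, a scanner can decode with each
key and search the result for known plaintext.
"""

from typing import List, Tuple

# Well-known plaintext present in the DOS stub of almost every PE file.
PE_STUB_SIGNATURE = b"This program cannot be run in DOS mode"


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (encoding == decoding)."""
    return bytes(b ^ key for b in data)


def find_xor_keys(data: bytes, signature: bytes = PE_STUB_SIGNATURE) -> List[Tuple[int, int]]:
    """Return (key, offset) pairs for which signature appears in data XOR key.

    Key 0x00 is included on purpose so an unobfuscated file is reported too.
    """
    hits = []
    for key in range(256):
        decoded = xor_with_key(data, key)
        offset = decoded.find(signature)
        if offset != -1:
            hits.append((key, offset))
    return hits


# Constructed sample: a PE-like blob (not a real executable) that carries the
# DOS stub string, then encoded the way the article describes.
CONSTRUCTED_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + PE_STUB_SIGNATURE + b".\r\r\n$\x00"
)
CONSTRUCTED_KEY = 0x5A  # constructed key for the demonstration
CONSTRUCTED_ENCODED = xor_with_key(CONSTRUCTED_PLAINTEXT, CONSTRUCTED_KEY)


if __name__ == "__main__":
    # The encoded blob no longer contains the signature, but the brute force
    # recovers both the key and the offset at which the signature sits.
    assert PE_STUB_SIGNATURE not in CONSTRUCTED_ENCODED
    for key, offset in find_xor_keys(CONSTRUCTED_ENCODED):
        print(f"signature found with key 0x{key:02x} at offset {offset}")
```

The same brute force works for any known byte pattern (a shellcode stub, a tool's banner), which is why a fixed single-byte XOR does not hold up against a scanner that tries the keyspace.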

Developers improve antivirus products constantly. An antivirus performs static analysis on the targeted file, but that is not the end: it then performs dynamic analysis, which means running the file in a sandboxed environment and monitoring the behavior of the running processes.

To bypass the sandboxed environment, the tool used a sleep function, because no antivirus spends more than 1-2 seconds on a single file. The sleep delays the decryption routine, and if an antivirus waited out the delay it would make the PC really slow. Sleep-based delays are now obsolete, so new measures have to be found to bypass this.

A Meterpreter payload was generated and passed through our encoder, and a C++ template was built using the encoded payload. When the .exe file produced by compiling the C++ template was scanned on VirusTotal, it had a score of 1/67.

Now, antivirus products will detect our C++ template too, because we have not used any randomization, which keeps our code static. To create a polymorphic template, we will add random junk data (junk data consisting of valid instructions and free of null bytes, so that it does not raise suspicion). The only drawback of adding junk data is the size: in a scenario with storage limitations, this technique will be a major setback.

The decoder routine is written in C++ and VBS. The C++ file is given the encoded routine, and a function pointer is then overloaded to invoke the decoded payload. The VBS makes the execution of the payload invisible. The C++ template requires two things: the encoded payload and the length of the original payload.

To generate shellcode, a.k.a. the payload, we use the objdump utility shipped with Linux distributions. Its -d option produces the opcodes for a .exe file.

* Using a data set of 120,000 data points, researchers from OPSWAT recently released an informative overview of the antivirus market, answering an important question: which antivirus vendor is the most popular?

* According to their findings, it is avast! Free Antivirus, followed by Microsoft Security Essentials and ESET NOD32 Antivirus.

Detailed market share statistics:
Avast - 19% worldwide market share
Microsoft - 13.2% worldwide market share
ESET - 11.1% worldwide market share
Symantec - 10.3% worldwide market share
AVG - 10.1% worldwide market share
Avira - 9.6% worldwide market share
Kaspersky - 6.7% worldwide market share
McAfee - 4.9% worldwide market share
Panda - 2.9% worldwide market share
Trend Micro - 2.8% worldwide market share
Other - 11.1% worldwide market share

Future work is to design a more complex encoding and decoding routine. Since antivirus software keeps updating, there is always a need for a new encoding method, and a tool must be updated at regular intervals to stay a step ahead. New methods to bypass the sandbox are also needed, since our decryption routine must remain dormant in the sandbox. Finally, new code should be introduced to unhook the DLL that antivirus products inject to monitor the payload.

POC Video
