
Undetecting Windows Software from Antivirus Using Crypter

Posted by Raymond in category Computer on Jul 12, 2009

I am sure that most of you are running antivirus software, since I have shared a lot of promotions and given out free licenses from time to time. Antivirus is important software that keeps your computer from being infected, BUT it shouldn't be something that you rely on 100%. Antivirus today is not like antivirus 10 years ago, when if it detected a file as a virus, it WAS a virus.

As for now, when an antivirus detects a program that I downloaded from a trustworthy source as harmful or malicious, I'd rather trust the source than the antivirus. Of course, I only take the detection as a warning and then analyze the file in ThreatExpert. A lot of antivirus products today use heuristic scanning, which is the main cause of false detections. Instead of matching a file against signatures of known malware, heuristic scanning analyzes the instructions and behaviour of a program to judge whether it looks like a virus or trojan. It is mainly there to catch new malware that has no signature yet, and because it works on "looks like" rather than "is", it also flags legitimate tools that do unusual things, such as reading stored passwords.

When a program gets detected by an antivirus, there are a few ways to fix it. You can contact the antivirus company about the false detection and wait for weeks for it to be fixed, you can add the file to the antivirus's exclusion list, or you can use a private version of a crypter for an immediate fix. Keep in mind that crypting rewrites the executable, so the crypted file no longer matches the vendor's published checksum or carries the vendor's digital signature; from then on you are trusting the copy you crypted, not the original download.

Crypters are tools that make another program undetectable by antivirus. Since crypters can also make a virus or trojan undetectable, most of the public versions that can be found through search engines are already detected by antivirus as a threat. Another important rule is not to simply download any crypter you find, because some of them are embedded with malicious code that opens a backdoor and lets the attacker into your computer.

Since I have a private version of a crypter called iCrypt, let me show you how it works. I will use Nirsoft's MessenPass as the test file. MessenPass is a password recovery tool that reveals the stored passwords of instant messenger applications. I uploaded MessenPass to NoVirusThanks and 9 out of 24 antivirus engines flagged it. MessenPass is actually a clean tool, but because it can dig passwords out of a computer, some antivirus vendors classify it as a hack tool.
[Screenshot: MessenPass flagged as a hack tool]

Now I launch iCrypt and select mspass.exe as the file to crypt.
[Screenshot: select file to crypt]

Here are some options to choose from. According to the instruction file, the EOF box should be checked if the program being crypted keeps data after the end of the executable (EOF data), which the crypter then has to preserve. NTcompression is only used when you need to bind or attach extra files to mspass.exe. Anti Methods enables anti-sandbox, meaning that when a user tries to run the crypted file inside a sandbox program such as Sandboxie, it won't run.
[Screenshot: extra options in iCrypt]

On the next page I can bind up to 6 files. Binding means packing several files into one, so that running the single output file actually launches all of them.
[Screenshot: bind files in iCrypt]

Finally, I make it undetectable by using a custom private stub. File clone is a must-use option as well: simply select a legitimate program that is not flagged as a virus (I selected 7-Zip). I then click the Build button and get a new file.
[Screenshot: custom stub and file clone]

Now I scan the new crypted file at NoVirusThanks and NONE of the 24 antivirus engines detect it as infected.
[Screenshot: crypted file with no detections]

When you buy a private version of iCrypt, you get a unique custom stub that makes a program undetectable by antivirus. A unique stub is not shared, so it remains undetected for a long time, but not forever. The stub is the same in every file built with it, so over time some of the better antivirus products work out how the crypter works and add a detection for the stub itself. That is when the support comes in and provides a new update with new methods to beat the detection.

First iCrypt unique stub (received 3 months ago): 5 out of 24
Second iCrypt unique stub (received 1 month ago): 2 out of 24
Third iCrypt unique stub (received this month): 0 out of 24
Private version of a trojan (received more than a year ago): 6 out of 24
First BCD unique stub, but shared among members (received 5 months ago): 13 out of 24
Second BCD unique stub (received 2 months ago): 4 out of 24
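
To make the difference between the two detection methods concrete, here is a small Python model, added to this post as an illustration; it is not code from the original article and has nothing to do with iCrypt's actual stub. The "program", the vendor "signature", the two stub strings and the key are all constructed for the example, the SHA-256 keystream is just a convenient way to get pseudo-random bytes for the XOR, and the 7.0 bits-per-byte entropy threshold is a common rule of thumb rather than any vendor's real setting. It shows why crypting defeats a byte signature written for the original file, why a stub that is shared among members gets signatured and caught in every file built with it (compare the BCD numbers above), and why the heuristic scanning mentioned earlier can still flag the result: the encrypted payload looks like random data.

```python
"""Toy model of what a crypter changes and what it does not (added example).

Not code from the original post and not iCrypt's code.  The "antivirus" is a
byte-signature scanner plus a Shannon-entropy heuristic; the "crypter" XORs
the program with a SHA-256 keystream and prepends a stub.  The program, the
signature, the stubs and the key are constructed stand-ins, not real files
or real vendor signatures.
"""
import hashlib
import math
from collections import Counter

# --- constructed sample "program" and a "signature" a vendor wrote for it ----
SIGNATURE = b"MessenPass\x00GetIMPasswords"        # distinctive fragment (made up)
PROGRAM = (b"MZ\x90\x00" + b"\x00" * 400           # fake DOS header and padding
           + b"\x55\x8b\xec\x83\xec\x10" * 60      # repetitive fake function prologues
           + SIGNATURE
           + b"\x00" * 400)


# --- the two detection methods the post talks about --------------------------
def signature_hit(blob: bytes, signature: bytes) -> bool:
    """Classic detection: does a known byte sequence occur in the file?"""
    return signature in blob


def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 would be indistinguishable from noise)."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def heuristic_hit(blob: bytes, threshold: float = 7.0) -> bool:
    """Heuristic detection: packed or encrypted code looks like random data.
    7.0 bits/byte is a rule of thumb (assumption), not any vendor's setting."""
    return entropy(blob) > threshold


# --- the toy crypter ---------------------------------------------------------
def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes: SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build(program: bytes, key: bytes, stub: bytes) -> bytes:
    """Output file = stub + key + encrypted program.  In a real crypter the
    stub is code that decrypts the program in memory and jumps to it; here it
    is only a marker, which is enough to show that the stub bytes are identical
    in every file built with it."""
    return stub + key + xor_with_key(program, key)


def unpack(crypted: bytes, stub: bytes, key_len: int = 16) -> bytes:
    """What the stub does at run time: recover the original program."""
    key = crypted[len(stub):len(stub) + key_len]
    return xor_with_key(crypted[len(stub) + key_len:], key)


# Constructed stubs: a "shared" one and a "unique" one sold to a single customer.
SHARED_STUB = b"[stub v1: decrypt in memory, jump to entry point]"
UNIQUE_STUB = b"[stub v2: decrypt in memory, jump to entry point]"
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> dict:
    """Run every scan from the post's story and return the verdicts."""
    shared = build(PROGRAM, KEY, SHARED_STUB)
    unique = build(PROGRAM, KEY, UNIQUE_STUB)
    return {
        "clean_signature_hit": signature_hit(PROGRAM, SIGNATURE),   # the vendor's detection
        "clean_heuristic_hit": heuristic_hit(PROGRAM),              # plain code: low entropy
        "crypted_signature_hit": signature_hit(shared, SIGNATURE),  # the bytes are gone
        "crypted_heuristic_hit": heuristic_hit(shared),             # but it looks encrypted
        "shared_stub_hit": signature_hit(shared, SHARED_STUB),      # once AV learns the stub
        "unique_stub_hit": signature_hit(unique, SHARED_STUB),      # a new stub resets that
        "roundtrip_ok": unpack(shared, SHARED_STUB) == PROGRAM,     # the stub can still run it
        "entropy_clean": round(entropy(PROGRAM), 2),
        "entropy_crypted": round(entropy(shared), 2),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>24}: {verdict}")
```

Run it and compare the two entropy values: the plain program sits well below 3 bits per byte, the crypted one above 7, which is exactly the kind of thing a heuristic scanner keys on even when it has no signature for the stub. Note also that the "unique" stub here differs from the shared one by two characters, so a signature written on their common part would catch both; a real private stub has to be rebuilt or obfuscated per customer, and that is why a shared stub goes non-FUD so much faster than a private one.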

Can you now see that an antivirus can't keep your computer 100% safe? The truth is there are a lot of undetected viruses and trojans lying around the Internet, and you won't even know that a file is one. A clean scan result only means nothing matched; it does not mean the file is clean. Having a firewall and always running an unknown file in a sandbox first help to keep your computer safe.

[ Visit iCrypt ]


Comments:
    • LunarWolf

      Good article. Sounds like a way to infect your computer from unknown virus or more like rootkit technology.

    • http://techno-planet.net Ashish

      Thanks for the update. Well, I was using both Kaspersky and Microsoft Security Essentials (only for testing). Microsoft Security Essentials detected many files as viruses but Kaspersky gives them a clean chit... which one to believe?

    • Ron

      Dear Raymonds,

      YES, I am 100% satisfied with you (Raymonds). In the last few days my computer got infected by some trojan (system modifications due to rootkit activity, and also my DNS server is set to an unknown one); my antivirus is unable to detect them, so I have decided to use some other tool to disinfect them...

      Regards
      Ron

    • Ceyfer

      I'm one of the users of this kind of tool, and this cryptor technology has been around for a long time. Many variants exist, but the private ones always have the best features compared with public releases.

      AV vendors are aware of it; that's why they keep on improving their approach to detection...

      Anyway this one is cool

      thanks

    • DJ

      BRM crypter is much better!
      OMC's stubs go non-FUD very early and I'm sure, like kizar, he is backdooring it!

      With iCrypt, all my stubs got detected before using, but this was not the case with BRM crypter.

    • http://www.raymond.cc/ Raymond

      DJ, you're talking about something that you don't know about. Perhaps you are using the public version of the crypter and that's why it got detected before use. I just scanned my private stub and it still remains FUD.

      When you want to accuse iCrypt of having a backdoor, or say that BRM crypter is much better, it's best that you prove it and not just talk.

    • Mr On Line

      Well ..

      I can always add the suspicious file to my anti-virus exceptions and I don't need any additional programs...

      but thank you for the thought .

    • http://www.azpiping.com Hung

      Thanks for this article. This will help us have a way to protect our computer.

    • http://www.techarraz.com chinmoy

      Antivirus software is constantly updated against cryptors.
      Some noobs are talking about antivirus here!!

    • http://www.secumania.net edu19

      Nice article, although this is very old news. There are several means to make an application or script undetected by antivirus software, and crypting is one of them, probably the easiest and simplest one.

      You don't need a private cryptor; you can still combine different public cryptors and have a very good result. And many malicious people know about it, so that is one more reason not to trust antivirus software.

      If you want security you must customize your operating system's security settings; leaving them at their defaults makes things a lot easier, since hackers will mostly try things against the default security settings.

      If you are a Windows user, don't hesitate to use a restricted user account for trivial things. UAC is a good enhancement but it is not perfect and can be boring at times, so the best thing to do is remove your user account from the local Administrators group.

      If you think an application is backdoored, monitor its behavior after actually executing it (preferably in a virtual machine; beware that some malware is able to tell it is being executed inside a virtual machine). This is the best thing to do. Behavior as in:

      - internet access
      - file system modification
      - system memory modification in real time
      - registry modification

      etc...

    • DJ

      No Ray, I have the private version! When I asked him for a stub update he mailed them to my email; maybe it was the email service provider who put them through a scan and that's how they got detected!

      btw,
      Rainerstoff crypter is out and its much better xD

      http://hackhound.org/forum/black-market/rainerstoff-gt-fudgtbypass-av-technology!gtavira-nod32-buy-now!/

    • Phil

      Wow, really nice post... These are the kind I like, when you discover unexpected stuff that is actually useful (not meaning to hack anyone, but rather it's pissing me off to have to be "excluding from protection" the clean apps) and also to understand how stuff actually works.

    • ShayneM

      The best tool I have found for this is AxCrypt.

      It's free, fast, is an Explorer extension and can handle files and full folders.

      Best of all, it decrypts in RAM on the fly AND launches the correct app, so there will never be the original file on disk for detection.

      Example:

      select Nirsoft's mspass.exe
      right click, encrypt
      you end up with mspass_exe.aax

      Then any time later you just double click this file and it asks for the password and runs.

      Same for a DOC file: it will launch Word, no need to decrypt to the original file.

      PERFECT!

    • Gilbert

      raymond,
      can you send me license code and account name for my advance care system v3.3.4….Thanks!

      hope to hear from you soon.

    • sunnyyeung

      Thank you Raymond
      I am hoping there is a trial version or something.
      So I can try that with my .EXE file to test it.

      You can send me the license if you don't mind ^.^

    • preet

      Hey, would you guys please tell me where I can download this iCrypt...
      any link...

    • Liam K.

      Or just add the file to “ignore”. But this is great if you wanted to make a real virus — I can try out SubSeven without having to worry.

    • http://agagh emasrow

      I am poor people, please help to vest him my family

    • http://foro.portalhacker.ne Av-jumper

      very cool

    • amroush

      What is the need for this complicated way?

      More preferred: save or e-mail your target app in a password-protected *.rar file.

      AV cannot crack the password and so cannot scan inside your archive. When you need to run the exe, just disable AV temporarily.

    • http://www.facebook.com/amit.amit.amit.amit.amit Amit

      Can anyone suggest some latest FUD crypter?

    Copyright © 2005-2012 - Raymond.CC Blog