FUD Crypter Analyses and Example

FUD Crypter Analyses and Example

What is FUD?

FUD; FUD is acronym for Fully UnDetectable. With increased use of FUD type crypters to bypass antiviruses, AV (Anti Virus) became more advanced and started including FUD definitions to even detect crypter strings within code. So, use of crypter to hide Ardamax keylogger and RATs became more complicated as nowadays, no publicly available crypter is FUD.

Malwaredoc’s FUD Crypter

So, if you FUD crypt RATs with publicly available supposedly FUD crypters, they are bound to be detected by antiviruses. This is because most FUD crypters remain “FUD” for maximum of one or two days after their public release. To obtain FUD crypters, you have to either search for it in hacking forums or make one (which is somewhat tedius.. I am working on this).

fud

Types of FUD Malware Attacks

Thus, a crypter is a program that allow users to crypt the source code of their program. Generally, antivirus work by splitting source code of application and then search for certain string within source code. If antivirus detects any certain malicious strings, it either stops scan or deletes the file as virus from system.

FUD Crypters have increased 500% in 2014

As I already mentioned that as the crypter becomes popular it doesnot remain FUD. So the only FUD crypter available are those made by indivuals and they can be found by spending a little time on google by searching. It will not make profit to anybody if I share FUD crypter here used by me as it will not remain FUD for long as some noobs will surely scan it with virustoal.So,its better you search your own and keep it to yourself.

WHAT DOES A CRYPTER DO?

A Crypter simply assigns hidden values to each individual code within source code. Thus, the source code becomes hidden. Hence, our sent crypted trojan and virus bypass antivirus detection and our purpose of hacking them is fulfilled without any AV (Anti Virus) hindrance. Not only does this fud crypter hide source code, it will unpack the encryption once the program is executed.

How Does FUD Crypter Work?

The Basic Working Of FUD Crypter is explained below

fud

Basic FUD Attack Setup

The Crypter takes the original binary file of you exe and applies many encryption on it and stores on the end of file(EOF).So a new crypted executable file is created. This file is what we consider FUD, fully undetectable.

Original Exe Crypted Exe
(ORIGINAL)001————- (CRYPTED)010

The new exe is not detected by antiviruses because its code is scrambled by the crypter.When executed the new .exe file decrypts the binary file into small the data small pieces at a time and injects them into another already existing process or a new empty one, OR it drops the code into multiple chunks in alternative data streams(not scanned by most a/v) then executes it as a .txt or .mp3 file.

HOW CAN WE MANUALLY DISTINGUISH BETWEEN THE ORIGINAL AND ENCRYPTED FILE?

An important point to note is that though a FUD Crypter hides the code of a file but it cannot hide the size of a file. Thus, if the size of the file we want to crypt is 10kb and the size of the file with which we want to crypt our file is 100kb then the total size of the crypted file would be 100kb+10kb ie… 110kb.

But this difference would be helpful only when you know the size of the original file.

Now coming back to FUD..

Where can I test Whether my Crypter is FUD or not?

To test you crypter encrypt any virus with it and test it on http://scanner.novirusthanks.org and make sure you check the box  Do not distribute the sample

Note:-Do not test your crypter on http://virustotal.com as it distributes the samples and your crypter will not remain FUD if you scan with virustotal.

 

Note:- This information is for educational purpose only so that you can know about various kinds of encryption techniques. the author or http://malwaredoc.com is not responsible for any kind of misuse of this information. We aim only to create awareness so that people can protect themselves from getting hacked and save themselves in this unsafe world of hacking.

Leave a Reply

comment-avatar

*