Evil Kitchen


Cyber arms race


Does the word "crypter" bring up any associations for you?

You've most likely never encountered the word while surfing the World Wide Web, unless, of course, you’re a regular on virus-makers' forums, an information security researcher, or a devoted Anti-virus Times reader.

You’ve probably realised that the word "crypter" is somehow related to cryptography, which stems from the Greek kryptos, meaning "hidden secret". So it appears that the term is related to something that conceals data. But what kind of data are we talking about? Let's figure that out.

Naturally, any Trojan unleashed into the wild will eventually come under the spotlight of anti-virus developers and get analysed. The Trojan's signatures will make their way into virus databases and thus deprive the malware of its key advantage—the ability to remain undetected.

Of course, this situation suits neither the virus makers, who receive substantial income by selling their "works", nor their clients, who want to infect as many computers as they can and quickly recoup the money they invested in the malware. Indeed, no one can create a new, complex, and expensive malicious program from scratch in just a few days, and keep doing that over and over again!

And here crypters come to the rescue of cybercriminals. Disguising malicious programs so that anti-viruses can't detect them is a crypter’s principal task.

To accomplish their work, crypters can encrypt certain code fragments, supply malware with routines that can prevent Trojans from being launched in a sandbox or lured into a "honey pot", and obfuscate the code to complicate its reverse engineering.

As a result, a high-quality crypter will output a "clean" build that won't immediately be detected by the majority of today’s most popular anti-viruses. In the screenshot above you can see "1/37". This means that the resulting build was detected by only one of the 37 anti-viruses it was tested against.

Encrypted malware builds lose their relevance quickly: their average lifespan usually doesn't exceed 10 days, after which time their definitions appear in anti-virus databases. But the procedure can be repeated over and over again, and that's the beauty of crypters! Most active Trojan makers and distributors come up with new encrypted builds every day. Customers usually pay to have their builds encrypted; however, they may get a free "cleaning" as a bonus.

But how can customers be sure that their build won't be detected?

We already mentioned that popular rogue mining applications are often bundled with a subscription to a paid virus scanner. And this doesn't mean that virus makers care about their customers' security—the subscription enables them to verify that anti-viruses aren’t detecting their builds. And if they do, a crypter can be applied to the code once again.

#cybercrime #malware #mining

Dr.Web recommends

In the course of its evolution, the cybercrime world gives rise to new ways of making money with malware and other illegal schemes and techniques. This evolution is also affected by advances in the anti-virus industry. In turn, anti-viruses perfect their tools to stay ahead of threat actors.

Statistics show that a conventional anti-virus using only signature-based scanning can expose and disarm no more than 30% of the daily influx of malware. But are things really that bad? In reality, no, they aren't, because nowadays signature-based detection is supplemented by an entire array of other technologies. A modern anti-virus doesn't merely scan files but also monitors application activity and exposes even the slightest deviations from common behaviour patterns, and thus can even neutralise malware that uses the most sophisticated techniques to conceal itself.

We worked on Dr.Web for Windows 11.5 for more than a year, and the new version incorporates state-of-the-art threat neutralisation techniques and technologies that enable Dr.Web to disarm threats before they gain a foothold in the system.

If you haven't chosen Dr.Web to be your anti-virus yet, take advantage of the free three-month trial to learn what version 11.5 can do for you!
