The Anti-virus Times

Monday, June 25, 2018

Does the word "crypter" bring up any associations for you?

You've most likely never encountered the word while surfing the World Wide Web, unless, of course, you’re a regular on virus-makers' forums, an information security researcher, or a devoted Anti-virus Times reader.

You’ve probably realised that the word "crypter" is somehow related to cryptography, which stems from the Greek kryptos, meaning "hidden secret". So it appears that the term is related to something that conceals data. But what kind of data are we talking about? Let's figure that out.

Naturally, any Trojan unleashed into the wild will eventually come under the spotlight of anti-virus developers and get analysed. The Trojan's signatures will make their way into virus databases and thus deprive the malware of its key advantage—the ability to remain undetected.

Of course, this situation suits neither the virus makers, who receive substantial income by selling their "works", nor their clients, who want to infect as many computers as they can and quickly recoup the money they invested in the malware. Indeed, no one can create a new, complex, and expensive malicious program from scratch in just a few days, and keep doing that over and over again!

And here crypters come to the rescue of cybercriminals. Disguising malicious programs so that anti-viruses can't detect them is a crypter’s principal task.

To accomplish their work, crypters can encrypt certain code fragments, supply malware with routines that can prevent Trojans from being launched in a sandbox or lured into a "honey pot", and obfuscate the code to complicate its reverse engineering.

As a result, a high-quality crypter will output a "clean" build that won't immediately be detected by the majority of today’s most popular anti-viruses. On the screenshot above you can see "1/37". This means that the resulting build was detected only by one anti-virus out of 37 it was tested against.

Encrypted malware builds lose their relevance quickly: their average lifespan usually doesn't exceed 10 days, after which time their definitions appear in anti-virus databases. But the procedure can be repeated over and over again—and that's the beauty of crypters! Most active Trojan makers and distributors come up with new encrypted builds every day. Customers usually pay to have their builds encrypted, however, they may get a free "cleaning" as a bonus.

But how can customers be sure that their build won't be detected?

We already mentioned that popular rogue mining applications are often bundled with a subscription to a paid virus scanner. And this doesn't mean that virus makers care about their customers' security—the subscription enables them to verify that anti-viruses aren’t detecting their builds. And if they do, a crypter can be applied to the code once again.