Posts archive for: March, 2006
  • codeCrypter next release plans

    Well, I'm taking a 5 min break from studying to think about my plans for the next release of codeCrypter.

    The main weakness of the last release, which allowed a signature to be put on it, was that it used a static stub at the entry point and another static stub for the decryption routine.

    The second weakness was that the decryption stub was always placed in the same location in the last section of the file.

    Finally, it used fixed parameters in the Linear Congruential Random Number Generator (LCG) algorithm I used to perform the "encryption".

    Now on the other side of things, I have not had any time to get further on my other project CodeMutator, but it has come a fairly long way in development and is capable of mutating stubs...

    So the next release of codeCrypter is going to incorporate codeMutator for the purpose of making the stub different every time the packer is used.

    The location of the decryption stub will be random in the last section, and random data will be filled in the space made for the stub, rather than leaving zeros (which allows AV to find the stub).

    Finally, the user will be able to provide their own parameters for the LCG.

    Now...back to revision...

    See Ya!

  • jotti scan

    Well, as requested, here's a jotti scan of the file.

    AntiVir: Found Backdoor-Server/HakDef.EE backdoor
    ArcaVir: Found nothing
    Avast: Found nothing
    AVG Antivirus: Found BackDoor.Generic2.LSP
    BitDefender: Found MemScan:Backdoor.HacDef.BR
    ClamAV: Found nothing
    Dr.Web: Found BackDoor.HackDef.164
    F-Prot Antivirus: Found nothing
    Fortinet: Found W32/HaKDef.EE-bdr
    Kaspersky Anti-Virus: Found Backdoor.Win32.HakDef.ee
    NOD32: Found a variant of Win32/HacDef
    Norman Virus Control: Found nothing
    UNA: Found nothing
    VirusBuster: Found nothing
    VBA32: Found BackDoor.HackDef.164

    Bit of an improvement, but that might just be a factor of time.

  • codeCrypter

    Back on 28/12/2005 I released a public version of a crypter called CodeCrypter on the site www.governmentsecurity.org.

    The purpose of the release was to demonstrate how ineffective AV are at detecting malware. I also released the source code to the tool there.

    Now, over 3 months later, I thought I'd check that all the AV vendors are detecting it... the results are very disappointing.

    Using the service Virus Total, here are the results of crypting a rootkit called "hxdef". This is the most popular rootkit used by hackers (www.hxdef.org).

    Scan of hxdef packed with codecrypter 0.31, including resource packing at 1 March 2006:

    Antivirus           Version         Update      Result
    AntiVir             6.33.1.53       03.01.2006  no virus found
    Avast               4.6.695.0       03.01.2006  no virus found
    AVG                 718             03.01.2006  no virus found
    Avira               6.33.1.53       03.01.2006  no virus found
    BitDefender         7.2             03.01.2006  MemScan:Backdoor.HacDef.BR
    CAT-QuickHeal       8.00            03.01.2006  (Suspicious) - DNAScan
    ClamAV              devel-20060126  03.01.2006  no virus found
    DrWeb               4.33            03.01.2006  no virus found
    eTrust-InoculateIT  23.71.90        03.01.2006  no virus found
    eTrust-Vet          12.4.2100       03.01.2006  no virus found
    Ewido               3.5             03.01.2006  no virus found
    Fortinet            2.71.0.0        03.01.2006  suspicious
    F-Prot              3.16c           03.01.2006  no virus found
    Ikarus              0.2.59.0        03.01.2006  Backdoor.Win32.HacDef.084
    Kaspersky           4.0.2.24        03.01.2006  no virus found
    McAfee              4708            03.01.2006  no virus found
    NOD32v2             1.1422          03.01.2006  a variant of Win32/HacDef
    Norman              5.70.10         03.01.2006  no virus found
    Panda               9.0.0.4         03.01.2006  Suspicious file
    Sophos              4.03.0          03.01.2006  no virus found
    Symantec            8.0             03.01.2006  no virus found
    TheHacker           5.9.5.103       02.28.2006  no virus found
    UNA                 1.83            03.01.2006  no virus found
    VBA32               3.10.5          03.01.2006  BackDoor.HackDef.164

    Out of 24 AV vendors, only 4 correctly identified the file as hxdef. Another 3 marked it as suspicious.

    This means we have about 30% of AV detecting the file, 3 months after release of the packer. More worryingly, none of the popular AV are detecting it (KAV, McAfee, Symantec).

    I suspect that the ones who do detect it are not recognising the packer, but instead are seeing the Import Address Table of hxdef, which I did not encrypt.

    Very poor response time, given the amount of fees that they charge.
