Undetectable_methods-3
Packing, Crypting, Binding ... Methods the easy way :) Document series part 3
by psyc || icarus helios for any crew ...
Msn : repsycoolez@hotmail.com
Visit: www.darkdevelopments.com for other tutorials
Thnx to PAL for pre-release feedback ..
After changing EP and manually packing, what's all this shit about ?
= Greeting part

Welcome back everyone, this is the third part of the UD methods uncovered. Hope u
will enjoy it. Btw i don't care if i make any grammar mistakes and such ... u know that ;)

Tools and basic stuff again and again ...
For every method you will probably need a new tool, so i recommend that u get them step by
step.
Upx : http://upx.sourceforge.net/
Mew : http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MEW-SE.shtml
PC Guard : http://www.topshareware.com/PC-Guard-for-Win32-download-2638.htm
Yoda's crypter : http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/Yodas-Crypter.shtml
All other cool programs and great crew :
www.darkdevelopments.com

What is this tutorial about ? And for who ?

I wrote the last two tutorials about entry point changing and manual packing, but those tutorials
were a little complicated for starters. Another fact is, there are lots of people trying to sell
undetectable trojans these days. And those guys just use packers & binders so the server will
be undetectable at scan time, but it will get detected at runtime ... So why pay them if the
tools are already available and using them is so easy ?

Trust me, there are sooooo few people that know how to make a server undetectable *at both
scan and runtime*, so be careful if you consider paying for an undetectable server. Making UD
is not binding the file or damaging it with hex editing. A lot of knowledge is required and u can't
find that knowledge in any public forums easily. Btw i'm not selling anything so please stop
asking about that lol.

This will be a quite easy and effective way of making servers undetectable, but remember only
at scantime !

Ps : lol tuo teg os ylno sretrats rof si tnemucod sihT

Packers

Packers generally make the executable smaller and change the executable header and section
characteristics. So the structure of the file will be changed, which is sufficient for us to call it
an encrypted file. Famous packers like Upx are well known by the AVs, so if you pack your
server with them it won't help much.

However we will start by using Upx because i saw a lot of people asking about it.
U can get upx at : http://upx.sourceforge.net/

Ok now put the upx.exe in your main directory c:\ .
The fastest way to pack a file with upx is: select your file and drag it onto the upx.exe. It will pack
your file immediately.




Another way to pack your file is:
Start > Run > cmd.exe
Then write :
  <path to upx.exe> <path to file to pack>
* Or for better packing:
  <path to upx.exe> --best <path to file to pack>
* If you want to unpack your file, use the -d switch:
  <path to upx.exe> -d <path to packed file>
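The section-table changes described above (renamed sections, a section that is empty on disk but large in memory, compressed data that looks random) are exactly what a scanner or an analyst keys on when triaging a sample. The following Python script is an added example, not part of this tutorial and not code from UPX, Mew or any other tool linked here: it parses the PE section table by hand, computes Shannon entropy per section and reports the three classic packer tells. The packer section-name list is a small illustrative assumption, not a real signature database, and the two PE images it checks are constructed inline (header-only, not runnable executables) so the script runs offline.

```python
"""Flag PE files whose section table looks packed (added example, not from the tutorial)."""
import math
import random
import struct

# Section names written by a few well-known packers. Assumption: a short
# illustrative list for the demo, not a real signature database.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain code/text sits well below 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns a list of (name, virtual_size, raw_bytes) tuples."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", errors="replace")
        sections.append((name, vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0):
    """Per-section findings: packer-style names, near-random data, and sections
    that are empty on disk but large in memory (the packer's unpacking target)."""
    report = []
    for name, vsize, raw in parse_sections(pe):
        reasons = []
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append("known packer section name")
        entropy = shannon_entropy(raw)
        if entropy >= entropy_threshold:
            reasons.append("high entropy %.2f" % entropy)
        if len(raw) == 0 and vsize > 0:
            reasons.append("zero bytes on disk, %#x bytes in memory" % vsize)
        report.append({"name": name, "entropy": entropy, "reasons": reasons})
    return report


def looks_packed(pe: bytes) -> bool:
    return any(entry["reasons"] for entry in packer_indicators(pe))


def build_sample_pe(sections) -> bytes:
    """Constructed test input: a header-only PE (no optional header, not runnable)
    whose section table is laid out exactly like a real one."""
    n = len(sections)
    pe_off = 0x40
    raw_ptr = pe_off + 4 + 20 + 40 * n                      # first byte after the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack(COFF_HEADER, 0x14C, n, 0, 0, 0, 0, 0x0102)
    headers, payload = b"", b""
    for name, vsize, raw in sections:
        headers += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"), vsize, 0x1000,
                               len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + headers + payload


# Constructed sample images (assumption: shapes modelled on an unpacked and a UPX-style file).
_rng = random.Random(1234)
_PLAIN_TEXT = b"MOV EAX, 1 ; ordinary code and strings repeat a lot\r\n" * 80
PLAIN_PE = build_sample_pe([(".text", len(_PLAIN_TEXT), _PLAIN_TEXT), (".data", 64, b"\0" * 64)])
PACKED_PE = build_sample_pe([
    ("UPX0", 0x20000, b""),                                          # unpacking target
    ("UPX1", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096))),  # compressed payload
    (".rsrc", 64, b"\0" * 64),
])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, "looks packed:", looks_packed(image))
        for entry in packer_indicators(image):
            print("  %-8s entropy=%.2f  %s" % (entry["name"], entry["entropy"],
                                              "; ".join(entry["reasons"]) or "-"))
```

Entropy alone is a weak signal (resource sections with embedded images or certificates are also high-entropy), which is why the report keeps the reasons separate: a packer-style name together with an empty-on-disk section is a much stronger indicator than a single noisy section.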
Another good but known packer is Mew, u can get it at
http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MEW-SE.shtml

I think it won't be hard for you to pack files with Mew because it has an interface =)

Ok here are the results with a bifrost server after packing with Mew.
You can get Bifrost at www.chasenet.org



Mew packing :

Scanner   Version           Date          Result
ClamAV    devel-20060126    03.20.2006    no virus found
F-Prot    3.16c             03.20.2006    no virus found

This doesn't make sense, so here come the crypters

Here is a list of some packers :

ASPACK
BITARTS
BJFNT
COM2EXE
COMPACK
CONVERT
CryptCOM
CryptEXE
DEFILER
DIET
DXPACK
ENCODED
SCRIPT
EXE32PACK
EXEPACK
EZIP
FSG
HDD
IMAGE
JDPACK
KRYPTON
LZEXE
MEW
MOLEBOX
MORPHINE
MSFT
OPTLINK
PCSHRINK
PEBUNDLE
PECOMPACT
PECRYPT
PEDIMINISHER
PELOCK
PEPACK
PESHIELD
PESPIN
PETITE
PEX
PGMPAK
PHANTASM
PKLITE
PROTECT
SHAOLIN
SPLASHER
TELOCK
TINYPROG
UCEXE
UPC
UPX
VECNAPACK
VGCRYPT
WWPACK
WWPACK32
WINEXE
WINKRIPT
YODA
CPAV
F-XLOCK
PGPROT
VACCINE

Crypters

Crypters are elite packers =) they move the data, change offsets, clear headers etc. so that the
file will be undetectable.

Another crypter :
http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/Yodas-Crypter.shtml

PC Guard does a bit of crypting itself, so if you want to explore it :
http://www.topshareware.com/PC-Guard-for-Win32-download-2638.htm

Using crypters is the same shit as using packers, so easy stuff again ...
Binders, Scramblers ... Combining all of them ..

Ok we will have a visit to the www.darkdevelopments.com Download section. There you can find
links to Binders, packers etc.

I recommend Daemon Crypt and NtPacker, both nice programs.

Ok i know that u want your first undetectable server right ? Now let's make one.
Create your server and pack it with upx.

We will use Daemon Crypt now, you can easily get it at www.darkdevelopments.com . Open
Daemon Crypt, select the server that u just packed, set the AV Killer option OFF so as not to
trigger any AV. Crypt your file, a new file will be created in the Daemon Crypt directory. Let's see
how good it is =)

Then you can do the same shit with NtPacker and all such Crypters. So far so lame =)



Scanner             Version          Date          Result
AntiVir             6.34.0.53        03.20.2006    no virus found
Avast               4.6.695.0        03.20.2006    no virus found
AVG                 386              03.20.2006    no virus found
Avira               6.34.0.53        03.20.2006    no virus found
BitDefender         7.2              03.20.2006    no virus found
CAT-QuickHeal       8.00             03.20.2006    no virus found
ClamAV              devel-20060126   03.20.2006    no virus found
DrWeb               4.33             03.20.2006    no virus found
eTrust-InoculateIT  23.71.106        03.19.2006    no virus found
eTrust-Vet          12.4.2126        03.20.2006    no virus found
Ewido               3.5              03.20.2006    no virus found
Fortinet            2.71.0.0         03.20.2006    no virus found
F-Prot              3.16c            03.20.2006    no virus found
Ikarus              0.2.59.0         03.20.2006    no virus found
Kaspersky           4.0.2.24         03.20.2006    no virus found
McAfee              4722             03.20.2006    no virus found
NOD32v2             1.1452           03.20.2006    no virus found
Norman              5.70.10          03.20.2006    no virus found
Panda               9.0.0.4          03.20.2006    Suspicious file
Sophos              4.03.0           03.20.2006    no virus found
Symantec            8.0              03.20.2006    no virus found
TheHacker           5.9.6.116        03.20.2006    no virus found
UNA                 1.83             03.20.2006    no virus found
VBA32               3.10.5           03.19.2006    no virus found

Ok our file is undetectable at scan time. Most starters will be happy about these results, and
it is ok if the person that has the AV doesn't use the real time scan option of their AV.
You can do the same shit with a good Binder. Binders are programs that combine your server
with another program so if the victim opens the file, all of the subfiles that u combined will
be executed. While searching for a binder, try to find one that has an undetected stub. So
what is the stub ?

Answer :

So here is the detailed information of how a Binder works :
Stub.exe + Server.exe + Fake program.exe + Fake program2.exe ..... = Package.exe

When Package.exe is executed, a specially coded file called the stub extracts the files that are
contained in the package to a temporary location and executes all the files in the
package from that temporary location.

Daemon Crypt also uses a stub to make the file undetected. You can surely use Binders, but if
the user has an active scanner (real time scan/protection option enabled) the result will be
failure. See the picture below, the AV detects the trojan at the time it is extracted from
package.exe to a temporary location. I think you understand the real concepts about making a
trojan undetectable. These methods are good for starters and will improve you much =)
Btw Daemon Crypt and NtPacker are really cool programs, so you can try different methods
and observe how they affect your server's detection level. Hope you will get familiar with all
this Packer, Binder, Crypter stuff ...


I will continue with fooling heuristic scans in the next document, so this is the first and last
document for starters ...


Cya in the next document,
Don't trust everyone that tries to sell you undetectables.


Cya for now
icarus-helios a.k.a. psyc

				
Posted on Docstoc: 7/10/2010