Thursday, March 26, 2009

Automating anti-analysis processes through crimeware

The automation of malicious code is a way of life and a business for its creators, who every day must focus their efforts on devising new "tools" capable of "jumping over" the signature-based detection methods proposed by antivirus vendors.

New and increasingly professionalized "proposals" appear constantly, helping to delay the detection of malicious code through anti-analysis techniques while at the same time increasing the developers' profits.

Polymorphic Cryptor Crum is one of many programs in this category. It is a program used to encrypt malware, developed in Russia for people on the malicious side of the field, in order to broaden the horizon of returns.


This is the new version of this crypter, 1.1, which offers capabilities for handling polymorphic malicious code.

Among the features proposed by this implementation, in addition to polymorphism itself, are:
  • Use of randomization
  • Encryption of imports and resources
  • 128 for each section
  • Overwriting of the "Rich" and "Time/Date Stamp" fields in the file headers
  • Anti-debugger capabilities
  • Prevention of memory dumps
  • Prevention of execution in controlled environments
  • Changing or removing the icon of the malicious binary
These are only some of the functions offered by the program, but they are enough to gauge the degree of professionalism and dangerousness reached, in this case by Russian developers, in the creation of malware, which is disturbing.
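As an added defender-side illustration (not part of the original post, and not code from the crypter described), the following Python checks a PE image for the header tampering listed above: a wiped or implausible "Time/Date Stamp" and a missing "Rich" header. The offsets are the standard PE layout; the sample images are constructed inline with a hypothetical build_sample helper.

```python
import struct
import time
from typing import Dict, List, Optional

Y2K = 946684800  # 2000-01-01 UTC; older build dates are rare for current crimeware


def parse_pe_header_fields(data: bytes) -> Dict[str, object]:
    """Read e_lfanew, TimeDateStamp and Rich-header presence from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature; TimeDateStamp is its third field
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    # The MSVC Rich header lives between the DOS stub and the PE signature
    rich_present = b"Rich" in data[0x40:e_lfanew]
    return {"e_lfanew": e_lfanew, "timestamp": timestamp, "rich_present": rich_present}


def header_anomalies(data: bytes, now: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    now = int(time.time()) if now is None else now
    fields = parse_pe_header_fields(data)
    findings = []
    ts = fields["timestamp"]
    if ts == 0:
        findings.append("TimeDateStamp is zero (wiped)")
    elif ts > now + 86400:
        findings.append("TimeDateStamp is in the future")
    elif ts < Y2K:
        findings.append("TimeDateStamp predates 2000")
    if not fields["rich_present"]:
        # Normal for non-MSVC linkers, so treat this as a weak signal only
        findings.append("no Rich header (wiped, or not linked by MSVC)")
    return findings


def build_sample(timestamp: int, rich: bool) -> bytes:
    """Constructed minimal MZ/PE header (not a runnable binary) for exercising the checks."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if rich:
        dos[0x70:0x78] = b"Rich" + b"\x11\x22\x33\x44"  # marker followed by the XOR key
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptHdr, Chars
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + file_header
```

Running header_anomalies over a crypted sample with a zeroed timestamp and no Rich header returns both findings, while an untouched MSVC-built image from the same week returns an empty list.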

This implementation costs USD 100 on the black market. However, to complete the set of applications of this style, the same creator offers, for "only" USD 50, a joiner (used for merging files) called Crum Joiner Polymorphic, and access to updates for USD 20.

The interface of this program, which allows merging several files, for example a .jpg with a .exe binary, is as follows:

In this case, some of the features the application includes are:
  • Polymorphic capabilities
  • Unlimited joining of files
  • Support for multiple file extensions such as .doc, .mp3, .avi, .jpg, .bmp and .exe
  • 256-byte file encryption
  • Ability to carry not only .exe files but also .dll files
In both cases, the creator recommends certain "security measures" to protect the "integrity" of the development: not submitting the application to services such as VirusTotal, encrypting the files as instructed, and not sharing any of the components that make up the applications.

Related Information
Russian prices of crimeware - Spanish version

Creating Online polymorphic malware based PoisonIvy - Spanish version

# Jorge Mieres