[IN-VM] RAT bypass Emsisoft v9

Cowpipe

Jun 16, 2014
> AV##### and Dsplit are also other very famous methods used to FUD malware.

My point is, if you're simply using pre-made tools and techniques to create malware and try to stop it being detected, you're not going to get far. The level of skill needed to write a sustainable piece of malware with survival and persistence characteristics far exceeds the level of skill needed to download every hack tool you can get your hands on, copy and paste some anti-debug code into your 'VB.NET' RAT, and press the button labeled "Crypt" or "$£(*&????"&01??????????????-" if it's in some other language that you haven't got support for on your computer...

That was my point, if the limit of your skill is mucking around with a hex editor and pressing buttons in pre-made tools, good luck! ;)
 

Cowpipe

Jun 16, 2014
> This is all about script kiddies, but if the plan is to quickly infect a specific machine, retrieve some data and then leave, it is enough.

Yeah I was talking about script kiddies but you're right, if you want to smash and grab, then it's more than enough. I suppose I'm biased in that I share the mentality of a friend of mine who was a member of Paradox (anyone who's ever used cracks and keygens will recognise that name). He once told me "anything worth anything is protected with everything", and I always took that to mean "an easy target is a target for somebody else".

But very good point Umbra, thanks for making that :)
 

Deleted member 178

Yep, mostly easy targets are just cannon fodder (aka bots in botnets) or guinea pigs before challenging more difficult and valuable targets. It was the case in my "dark side" time a long time ago ^^
 

nsm0220

Sep 9, 2013
> Except that behavior-based detection won't care about crypters. Quite frankly, adding a crypter will make it a lot more likely the file will trigger an alert in many cases :).

Not all behavior-based detection won't care about crypters; there are some that care and will most likely stop it before it happens.
 

Fabian Wosar

From Emsisoft
Developer
Jun 29, 2014
> Not all behavior-based detection won't care about crypters; there are some that care and will most likely stop it before it happens.

Since you clearly have a hard time figuring out the implied meaning of what I said, please let me spell it out for you:

Behavior blockers can't be bypassed using crypters. It doesn't matter how a piece of malware is encrypted or obfuscated, as both only change the physical appearance of the file but not what it does on a system (the latter being the only thing any behavior blocker cares about). In fact, using a crypter or obfuscator is a huge red flag for any behavior blocker, so trying to hide your malware using any of these techniques will make behavior-based detection more likely. This is especially true for all crypters and obfuscators that implement "run PE" behavior.
 

nsm0220

Sep 9, 2013
> Since you clearly have a hard time figuring out the implied meaning of what I said, please let me spell it out for you:
>
> Behavior blockers can't be bypassed using crypters. It doesn't matter how a piece of malware is encrypted or obfuscated, as both only change the physical appearance of the file but not what it does on a system (the latter being the only thing any behavior blocker cares about). In fact, using a crypter or obfuscator is a huge red flag for any behavior blocker, so trying to hide your malware using any of these techniques will make behavior-based detection more likely. This is especially true for all crypters and obfuscators that implement "run PE" behavior.

Can you be a little clearer about it next time?
 

SD-ahmad

Aug 24, 2013
> Since you clearly have a hard time figuring out the implied meaning of what I said, please let me spell it out for you:
>
> Behavior blockers can't be bypassed using crypters. It doesn't matter how a piece of malware is encrypted or obfuscated, as both only change the physical appearance of the file but not what it does on a system (the latter being the only thing any behavior blocker cares about). In fact, using a crypter or obfuscator is a huge red flag for any behavior blocker, so trying to hide your malware using any of these techniques will make behavior-based detection more likely. This is especially true for all crypters and obfuscators that implement "run PE" behavior.

Your words are true, but serious gaps have been exposed in the behavior blocker in Emsisoft.
Behavior blockers skipped, not through encryption but through entry points ;)

"Nothing cannot be skipped; even HIPS can be skipped."

Encryption in the normal ways is revealed easily; this shows that:

[attached screenshot: pcCi9.jpg]
 

Dubseven

Aug 12, 2013
> Since you clearly have a hard time figuring out the implied meaning of what I said, please let me spell it out for you:
>
> Behavior blockers can't be bypassed using crypters. It doesn't matter how a piece of malware is encrypted or obfuscated, as both only change the physical appearance of the file but not what it does on a system (the latter being the only thing any behavior blocker cares about). In fact, using a crypter or obfuscator is a huge red flag for any behavior blocker, so trying to hide your malware using any of these techniques will make behavior-based detection more likely. This is especially true for all crypters and obfuscators that implement "run PE" behavior.

You are wrong, my friend. We are in 2014, the hackers keep progressing and search for new ways to bypass all new security possibilities, and 98% of crypters sold for less than $5 can bypass many of the behavior systems of the antivirus products you can see on VirusTotal (the popular ones). I have seen myself a live bypass of the Comodo firewall and sandbox in less than 3 minutes of code and changes.
With $30 you can bypass ALL security solutions on the VirusTotal list.
Nowadays, the crypters manipulate the file and its behaviors. It's not only an "appearance" change, like in the old times.

It's not a dream, it's the reality. That's why with Tiranium we keep progressing and communicate with some hackers to be able to block all the new techniques that they discover.

The security solutions nowadays update their security once per year.
The hackers need only about 1 month to find a flaw in the security.

I hope it's clear to understand, sorry for my English.
Best Regards
 

goke

Thread author
Jun 26, 2014
> Since you clearly have a hard time figuring out the implied meaning of what I said, please let me spell it out for you:
>
> Behavior blockers can't be bypassed using crypters. It doesn't matter how a piece of malware is encrypted or obfuscated, as both only change the physical appearance of the file but not what it does on a system (the latter being the only thing any behavior blocker cares about). In fact, using a crypter or obfuscator is a huge red flag for any behavior blocker, so trying to hide your malware using any of these techniques will make behavior-based detection more likely. This is especially true for all crypters and obfuscators that implement "run PE" behavior.

"Behavior blockers can't be bypassed using crypters"? No.

The test proves it.
Do you want to try it yourself, Sampler?
 

SD-ahmad

Aug 24, 2013
> You are wrong, my friend. We are in 2014, the hackers keep progressing and search for new ways to bypass all new security possibilities, and 98% of crypters sold for less than $5 can bypass many of the behavior systems of the antivirus products you can see on VirusTotal (the popular ones). I have seen myself a live bypass of the Comodo firewall and sandbox in less than 3 minutes of code and changes.
> With $30 you can bypass ALL security solutions on the VirusTotal list.
> Nowadays, the crypters manipulate the file and its behaviors. It's not only an "appearance" change, like in the old times.
>
> It's not a dream, it's the reality. That's why with Tiranium we keep progressing and communicate with some hackers to be able to block all the new techniques that they discover.
>
> The security solutions nowadays update their security once per year.
> The hackers need only about 1 month to find a flaw in the security.
>
> I hope it's clear to understand, sorry for my English.
> Best Regards

Unfortunately, there are many sites offering these services for free, and there are free courses on how to skip any protection program and give you the special undiscovered methods, all of this for free.

Unfortunately, most of the security companies know the truth and ignore it. I have already raised the subject on this particular forum and on Kaspersky's; the subject was closed and the link redirected to another, and I have been ignored.
 

Deleted member 178

> Unfortunately, most of the security companies know the truth and ignore it. I have already raised the subject on this particular forum and on Kaspersky's; the subject was closed and the link redirected to another, and I have been ignored.

Because "publicly" revealing flaws is not good for business :D
 

Fabian Wosar

From Emsisoft
Developer
Jun 29, 2014
> Your words are true, but serious gaps have been exposed in the behavior blocker in Emsisoft.

Which is not a design bypass but an implementation issue. There will always be implementation issues. Quite frankly, there are implementation issues in every product out there. That doesn't mean that behavior blockers as a concept are weak, though. By the way, if you stumble upon a particular implementation issue in one of our products, feel free to contact me.

> You are wrong, my friend. We are in 2014, the hackers keep progressing and search for new ways to bypass all new security possibilities, and 98% of crypters sold for less than $5 can bypass many of the behavior systems of the antivirus products you can see on VirusTotal (the popular ones).

You are aware that VirusTotal does not include any behavior blocker results in their detections, right? They solely perform an on-demand scan of files and, for files that look particularly interesting, throw them into the Cuckoo sandbox cluster.

> The test proves it.
> Do you want to try it yourself, Sampler?

Sure, feel free to send me the sample via PM.
 

Cowpipe

Jun 16, 2014
> Which is not a design bypass but an implementation issue. There will always be implementation issues. Quite frankly, there are implementation issues in every product out there. That doesn't mean that behavior blockers as a concept are weak, though. By the way, if you stumble upon a particular implementation issue in one of our products, feel free to contact me.

I think this quote pretty much sums it up for me. And I'd just like to point out that it says a lot that Fabian has been active in this thread. A potential way to bypass Emsisoft was proposed, and Fabian has investigated and, not just that, has taken the time to explain his reasoning too. There are of course some other antivirus companies who have posted here, I won't name them, to whom I have passed exploits, only to find that they have not been patched or even acknowledged; what does that say about their commitment to their products?

There are a lot of misguided posts on this thread, particularly about the "amazing power of crypters". For anyone struggling to understand, the purpose of an executable protector is to prevent the file from being reverse engineered. Its purpose is not to hide malicious behaviour. As Fabian pointed out above, the scans included with crypters on the sales pages are usually "scan time" results, that is, an on-demand scan in which the behaviour of the file is not taken into account. Some crypters include so-called 'run time' protection; however, this is almost universally the RunPE method (at least in the sorts of crypter kits most of you will encounter on self-proclaimed 'black hat' forums), and this again is easily detected (and easily unpacked, in case you were wondering).

So to all of those on this thread who seem to be firm advocates of so-called FUD crypters, please bear the above in mind and do a bit of research before arguing a point with someone with a professional level of knowledge ;) (calm down ego, I was talking about Fabian :p)
 
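To make the scan-time versus run-time distinction concrete (Fabian's point above that a crypter changes how a file looks but not what it does, and Cowpipe's point that a RunPE stub is itself a behavioural giveaway), here is an added Python example. It is not code from this thread, from Emsisoft or from any crypter kit: the payload bytes, the repeating-key XOR "crypter", the string signature and the API-call trace are all constructed for illustration, and the behaviour check is a deliberately simple in-order match on the well-known RunPE call sequence (suspended CreateProcess, NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread), not any product's real logic.

```python
from __future__ import annotations

import hashlib
import math
import secrets
from collections import Counter

# Constructed stand-in for a malicious executable (not a real PE): a fake
# header plus a config string that a scan-time signature would match on.
PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"connect evil.example:4444 keylog=1"
    + b"\x00" * 64
)
STATIC_SIGNATURE = b"evil.example:4444"   # what an on-demand scanner looks for

# The well-known RunPE / process-hollowing call sequence. A behaviour check
# keyed on this never looks at the file bytes at all.
RUNPE_SEQUENCE = [
    "CreateProcess(CREATE_SUSPENDED)",  # spawn a host process, suspended
    "NtUnmapViewOfSection",             # unmap its original image
    "WriteProcessMemory",               # write the decrypted payload in
    "SetThreadContext",                 # point the main thread at the new entry
    "ResumeThread",                     # run it
]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy crypter: repeating-key XOR (assumed here for illustration). Real
    kits are more elaborate, but the effect is the same: bytes on disk change,
    behaviour does not."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data sits near 8, plain code lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_scan(data: bytes) -> bool:
    """Scan-time check: is the signature present in the file bytes?"""
    return STATIC_SIGNATURE in data


def behavior_scan(trace: list[str]) -> bool:
    """Run-time check: do the RunPE steps occur, in order, in the call trace?
    Unrelated calls may be interleaved between them."""
    idx = 0
    for call in trace:
        if call == RUNPE_SEQUENCE[idx]:
            idx += 1
            if idx == len(RUNPE_SEQUENCE):
                return True
    return False


def runpe_trace() -> list[str]:
    """Constructed API-call trace of a crypter stub launching its payload.
    The stub decrypts in memory first, so the trace is identical whatever
    key or algorithm the crypter used on the file."""
    return [
        "VirtualAlloc",                      # buffer for the decrypted payload
        "CreateProcess(CREATE_SUSPENDED)",
        "NtUnmapViewOfSection",
        "VirtualAllocEx",
        "WriteProcessMemory",                # headers
        "WriteProcessMemory",                # sections
        "SetThreadContext",
        "ResumeThread",
    ]


def compare(payload: bytes, key: bytes | None = None) -> dict:
    """Put the plain and crypted payload through both kinds of check."""
    key = key or secrets.token_bytes(16)
    crypted = xor_crypt(payload, key)
    return {
        "hash_changed": hashlib.sha256(payload).digest() != hashlib.sha256(crypted).digest(),
        "static_hit_plain": static_scan(payload),
        "static_hit_crypted": static_scan(crypted),
        "entropy_plain": round(shannon_entropy(payload), 2),
        "entropy_crypted": round(shannon_entropy(crypted), 2),
        "behavior_hit_crypted": behavior_scan(runpe_trace()),
        "roundtrip_ok": xor_crypt(crypted, key) == payload,
    }


if __name__ == "__main__":
    for name, value in compare(PAYLOAD).items():
        print(f"{name:22} {value}")
```

Run it and the crypted copy no longer matches the static signature, has a different hash and a much higher entropy (itself a common packer heuristic, which is the "red flag" Fabian mentions), while the call-trace check fires on the crypted copy exactly as it would on the plain one. Real behaviour blockers observe these operations through kernel callbacks or hooks and weigh far more signals than one ordered sequence; the point of the toy is only that nothing the crypter does to the bytes on disk ever reaches the trace.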
