Crypter

start

Crypters are programs that change the structure of a known piece of malware and encrypt it so that the antivirus software on the victim's machine no longer recognises it. Antivirus products rely on a handful of techniques to protect you against malware, and the most basic one, matching a file against signatures of samples seen before, has a structural weakness that crypters exploit.

function

scenario: The attacker is in possession of a known piece of malware. "Known" here means known to the antivirus solution the victim is using: the malware is detected by a signature (a hash of the file, or a characteristic byte pattern inside it) that the antivirus vendor created after obtaining a sample, for example from a honeypot or from another computer running the vendor's software.

doing: Now the crypter is used to change the malware. First it alters parts of the code that do not affect behaviour, such as variable names or the order of code blocks. Then it encrypts the malware core with a key, usually a fresh random key per build, and bundles the ciphertext together with a small program (the stub) that can decrypt it. Finally it hides the stub inside a jumble of junk code so that the stub itself is not easy to recognise either. The resulting file has a completely different hash and byte layout from the original, and because the core is encrypted, the antivirus cannot find any of the known byte patterns in it.

outcome: When the victim executes the bundle, the stub decrypts the core into RAM and runs it from there, without ever writing the plaintext malware to disk, so that a scan of the file never sees it. Only at this point is the original code present again, and an antivirus that scans process memory or watches behaviour (rather than files) still has a chance to catch it.
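The whole cycle described above (vendor signature, encryption with a random key, stub that decrypts in memory) as an added, self-contained Python example. This is illustrative code written for this page, not code from any real crypter or antivirus: the "malware core" is a constructed harmless byte string, XOR stands in for the cipher a real crypter would use, and `av_scan`, `crypt`, `stub_run` and the `STUB1` marker are invented for the demonstration.

```python
import hashlib
import secrets

# Constructed, harmless stand-in for the "known malware" core. In a real
# crypter this would be the executable to hide; here it is only a byte string.
KNOWN_CORE = (
    b"MZ\x90\x00"  # fake file header so the blob looks like an executable
    b"CONSTRUCTED-EXAMPLE-CORE: connect_back(10.0.0.1:4444)\n"
)

# Toy "AV signature database": a byte pattern the vendor pulled out of the
# sample above, plus the sample's hash. Real signatures are more elaborate,
# but they are built on the same idea.
SIGNATURE_PATTERN = b"connect_back("
SIGNATURE_HASH = hashlib.sha256(KNOWN_CORE).hexdigest()

KEY_LEN = 16
STUB_MAGIC = b"STUB1"  # marker the decrypt stub uses to find its own layout


def av_scan(blob: bytes) -> bool:
    """Static scan: flag the blob if its hash or a byte pattern is known."""
    if hashlib.sha256(blob).hexdigest() == SIGNATURE_HASH:
        return True
    return SIGNATURE_PATTERN in blob


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR with a repeating key. A toy cipher; a real crypter would
    use RC4 or AES, but the effect on the byte layout is the same."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crypt(core: bytes, key: bytes = b"") -> bytes:
    """Crypter step: encrypt the core with a fresh random key and bundle it
    with what the stub needs to decrypt it (here: a marker and the key)."""
    key = key or secrets.token_bytes(KEY_LEN)
    return STUB_MAGIC + key + xor_crypt(core, key)


def stub_run(bundle: bytes) -> bytes:
    """Decrypt stub: recovers the core in memory. A real stub would then map
    and execute the result instead of returning it."""
    if not bundle.startswith(STUB_MAGIC):
        raise ValueError("not a bundle produced by this crypter")
    start = len(STUB_MAGIC)
    key = bundle[start:start + KEY_LEN]
    return xor_crypt(bundle[start + KEY_LEN:], key)


def demo() -> dict:
    """Run the cycle once and report what each scan position sees."""
    bundle = crypt(KNOWN_CORE)
    in_memory = stub_run(bundle)
    return {
        # Static scan of the original sample: the signature hits.
        "original_detected": av_scan(KNOWN_CORE),
        # Static scan of the crypted file: hash and pattern are both gone.
        "bundle_detected": av_scan(bundle),
        # Scan of the decrypted core in memory: the signature hits again.
        "memory_detected": av_scan(in_memory),
        # The stub really does reproduce the original core.
        "core_recovered": in_memory == KNOWN_CORE,
        # A new random key per build: even hashing the bundle does not help.
        "two_builds_differ": crypt(KNOWN_CORE) != bundle,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things to take from the example. First, the bundle defeats the file scan only because its layout is unknown to the scanner; the constant `STUB1` marker and the fixed key position are exactly the kind of pattern a vendor signatures once a crypter becomes public, which is why real crypters also mutate the stub. Second, `memory_detected` is true: the core has to exist in plaintext to run, so memory scanning and behavioural detection are the vendor's answer to crypters.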

examples

An example of a crypter is Veil (Veil-Evasion), which is packaged for Kali Linux. It wraps Metasploit payloads such as meterpreter shellcode in encrypted, obfuscated stagers written in several languages so that the output is not matched by the signatures written for the original payload. Because Veil is public, its default stubs are themselves well known to antivirus vendors, so unmodified output from a public crypter rarely stays undetected for long.

sum it up

Crypters are a good example of the weaknesses of antivirus software. Signature-based scanning can only detect malware that is already known, and it only sees what is on disk, not what a stub decrypts into memory. Beyond that, the antivirus product is itself a privileged program that parses untrusted files, so it adds attack surface of its own.