(07-31-2014, 03:20 AM)Maxx Wrote: Though, I can say that generally anything hack related gets picked up by anti-viruses and things like that because they're trying to prevent you from using it. Even if it's safe, it'll often say "HEY WAIT DONT EVER LOOK AT THAT!" just because that's their method of preventing you from trying to hack anyone in the first place.
No, they are not trying to prevent hacking by detecting hacking tools.
It is due to the way the crypter works that it gets detected at some point.
Have a look at this graph:
The (orange) file is the malware the attacker wants to make undetected by antivirus software. The crypter encrypts that file and places it in a stub. The stub is usually saved somewhere in the crypter or generated from a template. The stub's purpose is to decrypt the malware and execute it.
Let's simplify the detection methods of antivirus scanners to string scanning for now (it is by no means the only one, but it serves its purpose to understand why a crypter gets detected at some point). String scanning is actually scanning for byte sequences (=signatures) that are unique enough to identify a piece of malware; it is not simply scanning for strings, so the name is actually a misnomer.
The antivirus companies use, among others, automated signature extraction to find patterns for their detection database. Otherwise it wouldn't be possible for them to keep up with the approximately 200,000 newly created pieces of malware every day.
The crypter prevents signature detection and extraction for the malware piece (the orange file) by encrypting the content. Often crypters apply different encryption for every crypted file. However, the stub is still plain code. So once the crypter is used to crypt malicious code, and this crypted malware is spread, the stub will be used to extract a signature from. Thus, the stub will be detected, because the stub is the one commonality in all the malware that was spread after using the crypter. This has nothing to do with the AV companies wanting to flag tools like crypters as malware. It is due to what is most practical to realize. You cannot extract a signature from the encrypted part of the file.
The crypter is flagged as malware because it contains the stub somewhere, and the stub is where the signature was extracted from.
However, if anyone wants to decide whether a crypter is FUD, UD or detected, the crypted files should be tested, not the crypter. After all, a crypter might modify the stub at random before creating the crypted file (all crypters with USG do this), and the detection of the resulting file might differ from the detection of the crypter.
Edit: An additional note for everyone new to crypters or packers in general: A clean scan result of a crypter does NOT mean that the crypter itself is clean and will not infect you. You have to be careful with every tool you download from someone you don't know. Use a sandbox, take the usual precautions. A scanning site or antivirus scanner will NOT tell you if the file is clean. It just tells you if it gets detected.
I vouch for @Solixious that his crypter is clean; after all, the code is available for everyone here to look at.
Read this if you want to know more about this topic:
https://github.com/Doubleendedqueue/Pape...ypters.pdf
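As an added, constructed illustration of the argument in the post above (this is not code from the post, from any crypter, or from the linked paper): several "crypted" samples share one plain stub and carry payloads encrypted with different keys, and automated extraction of the longest byte run common to all of them recovers exactly the stub, which then also hits the crypter tool that embeds it. STUB, PAYLOAD and CRYPTER_TOOL are benign placeholder byte strings, and the XOR loop is a toy stand-in for whatever encryption a real crypter uses.

```python
# Constructed, benign stand-ins for the objects in the post.
STUB = b"LOADER:read-blob;key=KEY;xor-decrypt;jump-to-entry;"   # plain, unchanged part
PAYLOAD = b"original program bytes that should not be visible in the output"
CRYPTER_TOOL = b"crypter-gui-v1;" + STUB + b";write-output"     # the tool embeds the stub

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy per-sample 'encryption' (XOR with a repeating key); not a real cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_samples(n: int) -> list[bytes]:
    """n crypted files: the same plain stub followed by the payload under a distinct key."""
    keys = [bytes(0x10 * (i + 1) + j for j in range(8)) for i in range(n)]  # distinct first bytes
    return [STUB + xor_crypt(PAYLOAD, k) for k in keys]

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest byte sequence present in both a and b (classic DP, O(len(a)*len(b)))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def extract_signature(samples: list[bytes]) -> bytes:
    """Automated-style extraction: the longest byte run shared by every sample."""
    sig = samples[0]
    for s in samples[1:]:
        sig = longest_common_substring(sig, s)
    return sig

def matches(signature: bytes, blob: bytes) -> bool:
    """What the post calls 'string scanning': a byte-sequence lookup in a file."""
    return signature in blob

if __name__ == "__main__":
    samples = build_samples(4)
    sig = extract_signature(samples)
    print("extracted signature == stub:", sig == STUB)
    print("hits on crypted files:", sum(matches(sig, s) for s in samples), "of", len(samples))
    print("hits on the crypter tool itself:", matches(sig, CRYPTER_TOOL))
    print("plain payload visible in any sample:", any(PAYLOAD in s for s in samples))
```

The encrypted halves differ in every sample, so nothing in them survives the intersection; the only thing left to sign is the stub, which is exactly why the tool carrying the stub gets flagged along with its outputs.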