Fully Undetectable Cryptors and the Antivirus Detection Arms Race

Antivirus companies and malicious software makers are in a continual battle. Antivirus developers attempt to identify and block malicious software, and the malicious software developers want to evade detection so their products can succeed to earn them money.

The recently released Symantec Report on Attack Toolkits and Malicious Websites discusses how malicious software is increasingly being bundled into attack kits and how those kits are being sold in the underground economy and used in a majority of online attacks. One aspect of the report discusses the various forms of obfuscation methods built into these kits to avoid detection by antivirus sensors and researchers.

A major part of this obfuscation arms race is called a “FUD cryptor.” FUD in this case does not stand for “fear, uncertainty, and doubt,” but rather for “fully undetectable” or “fully undetected.” FUD cryptors are increasingly showing up in sophisticated attack kits and their purpose is to obfuscate a malicious executable file’s contents so that it can still run as it was intended, but remain unrecognizable to antivirus software.

Antivirus signatures look for certain strings or patterns in files in order to locate known malicious executables. Because a substantial effort goes into the creation of these signatures before they can be distributed to customers, with the increasing popularity of malicious software creation toolkits, ostensibly it has become easier to create new malcode than it is to create signatures to block it. For antivirus companies to keep up, a single signature would need to block more than one piece of malware.

The FUD cryptor software encrypts the contents of a malicious executable file (the payload) and combines it with a small stub program. The stub’s job is to decrypt and execute the original malicious program at runtime. In order to make the resulting executable file unique, the FUD program uses a new encryption key every time it runs. The encryption process turns the payload into what looks like completely random data, changing any data that antivirus signatures would use to block the original malicious software.

The payload is completely obfuscated from antivirus detection, but the stub portion remains. The stub is a more difficult portion to obfuscate, because it must remain executable in order to properly perform its job of decrypting and running the original executable. Since the payload changes for each instance, antivirus signatures have to match on the stub portion in order to be able to match more than a single individual piece of malware.

In order to obfuscate the stub program, a unique stub generator (USG) can be used. The generator might insert random data in certain unused locations of the stub. It might insert randomized executable operations that have no effect. It might substitute or reorder certain portions of the code. The USG attempts to create a stub that is both unique and that contains as small of an unchanging portion of code as possible to make signature creation more difficult.

Once a particular piece of malware has been made undetectable and released into the wild it is only a matter of time until antivirus companies identify and block it. This necessitates the reapplication and possibly the reengineering of the FUD process, escalating the arms race over time.

It is expected that a FUD product will have a relatively short useful lifespan before antivirus companies can reliably detect executables that have been created by it. This lifespan can be days, weeks, or several months at most.

Because of the detection arms race, a range of FUD cryptor products and services has sprung up in the underground economy. There are stand-alone products designed to operate on EXE files, and there are malicious software creation toolkits that include FUD-crypting options as both standard and optional features. Applying FUD techniques to a Trojan can also be provided as a pay-per-use service. The report discusses advertisements in the underground economy in which these services are offered, and FUD services are generally included in most popular and better-maintained toolkit releases. In fact, a significant reason for users to purchase support for major toolkits is the repeated reapplication of FUD crypting to keep the resulting Trojans undetectable.

Because of the seesaw nature of signature-based detection, the next step in detecting malware is behavior- and reputation-based technologies not depending on signatures. If effective, tricks such as FUD cryptors may be made obsolete by improvements to behavior- and reputation-based detection.

For a more in-depth look at FUD-cryptors, attack kits, and how these things are affecting the threat landscape, please download the Symantec Report on Attack Kits and Malicious Websites.