Cryptor (from the English word "cryptor", cryptographer) is the name of one type of software that virus writers use to hide the malicious nature of the programs they write from antivirus software.
By encrypting a program that contains a virus, a cryptor disguises it and shields it from antivirus products that rely on signature-based scanning.
There are two types of cryptors: regular and polymorphic. A regular cryptor has a static decryptor signature, while a polymorphic cryptor has a dynamic one: each time a file is packed with it, the result looks different.
So how does a cryptor work? It is quite simple: the original file of the malicious program is taken and encrypted by the cryptor, and the code that decrypts the program is written to the beginning of the resulting file. To make this clearer, here is a simple comparison: take some Trojan and archive it with WinRAR, not as a plain archive but with password protection. After that, no antivirus program can reach the Trojan, because antivirus products cannot break archive passwords.
There is one small pitfall here. Antivirus vendors add the decryption code of the most common cryptors to their signature databases. So if you wrote a program that is not a virus at all and does only useful things, but packed it with some popular cryptor to reduce its size, it can easily happen that the antivirus starts complaining that the program contains a terrible virus as soon as you copy it to your computer or try to run it.
In general, by availability, cryptors are divided into public and private.
The first type is publicly available: such cryptors are widely distributed on the Internet, and anyone who wants them can download them. Their main drawback is that after a very short time they begin to be detected by almost all antivirus products (antivirus laboratories do not sleep either and try to catch fresh cryptors, which is all the easier when the cryptors are freely available).
With the second type, things are not so simple. These cryptors are available only to a select circle of people, or can be bought for real money (mostly electronic). This type is more resistant to antivirus scanning thanks to both constantly improving encryption algorithms and a constantly updated stub. What is a stub, you may ask? Here is the answer. A stub is the part of the cryptor's code that decrypts the malware data that the cryptor encrypted.
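To make the detection side of this concrete, here is an added example (not code from the original article) of a toy scanner in Python that applies the two checks the text describes: a signature search for a known decryptor stub, the kind of pattern antivirus vendors record once a public cryptor spreads, and a byte-entropy check, which is how an encrypted payload still stands out even when its stub is new or "private". Every byte pattern and sample image below is constructed for the example and stands for no real program or signature.

```python
import math
import random

# Constructed, made-up byte patterns standing in for the decryptor-stub
# signatures an antivirus vendor records for a widely shared public cryptor.
KNOWN_STUB_SIGNATURES = {
    "demo-public-stub": bytes.fromhex("b9 10 00 00 00 80 34 0e 5a e2 fa"),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means random-looking (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_stub_signatures(data: bytes) -> list:
    """Signature search: which known stub patterns occur anywhere in the image."""
    return [name for name, sig in KNOWN_STUB_SIGNATURES.items() if sig in data]

def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0) -> list:
    """Offsets of windows whose byte entropy exceeds the threshold (likely encrypted payload)."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) >= 64 and shannon_entropy(chunk) > threshold:
            hits.append(off)
    return hits

def scan(data: bytes) -> dict:
    """Combine both checks; either one alone makes the image suspicious."""
    sigs = find_stub_signatures(data)
    windows = high_entropy_windows(data)
    return {"stub_signatures": sigs, "high_entropy_windows": windows,
            "suspicious": bool(sigs or windows)}

# Constructed sample images (no real programs involved): a clean text-only program,
# a payload packed with the public cryptor, the same payload behind an unknown stub,
# and a harmless program that merely carries the public stub bytes (the article's pitfall).
_rng = random.Random(1234)
_random_payload = bytes(_rng.getrandbits(8) for _ in range(1024))
PLAIN_PROGRAM = b"This is a harmless program that only prints text. " * 20
PUBLIC_CRYPTED = KNOWN_STUB_SIGNATURES["demo-public-stub"] + _random_payload
PRIVATE_CRYPTED = bytes.fromhex("90 90 90 90") + _random_payload
FALSE_POSITIVE = KNOWN_STUB_SIGNATURES["demo-public-stub"] + PLAIN_PROGRAM
```

Running scan() on the four samples shows the point of each check: the public-cryptor image trips both, the private-stub image only the entropy check, and the stub-carrying harmless program only the signature check, which is exactly the false positive the text warns about.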
In the forum sections where cryptors are offered, the abbreviations FUD and semiFUD are often used. Let us decode them so that they are clearer to you.
1) FUD - Full Undetected - "completely undetected by antivirus programs"
2) semiFUD - Semi-full undetected - "almost undetectable by antivirus software"
Besides cryptors, some other kinds of programs are used when writing malicious software (viruses and Trojans). Let us briefly list them and explain what they are for.
To steal ICQ numbers and the usernames and passwords of email accounts and social networks, special Trojan programs called pinches and xinches are used.
Special PHP scripts, called gates, are used to receive and process the stolen information.
Joiners are used to glue a harmless program and a virus into a single file. At the same time, the functionality of both the first (for example, a photo) and the second (for example, a Trojan) is fully preserved.
