An important component of a crypter is the crypter stub, the code used to encrypt and decrypt malicious code.
A crypter can be either static or polymorphic. Static crypter stubs are sold as a separate program to which the encrypted file is tied. If a user opens the seemingly harmless file, the payload is extracted, decoded, and executed. Cybercriminals who employ static crypters use different stubs to make each encrypted file unique. Once a stub has been detected by security software, the stub's author must modify it.
Polymorphic crypters are more sophisticated. They use algorithms that rely on random variables, data, keys, decoders, and other elements, so that an input source file never produces an output file identical to the output of another source file. This is done by using several algorithms and shuffling blocks of code while preserving the malicious file's ability to run itself and create macros.
How a Crypter Works
- Cybercriminals either create their own crypter tool or purchase one that’s already available. Crypters are sold in the Russian Underground.
Crypter prices in the Russian Underground by year:

Product                          2011          2012          2013
Basic static                     US$10 - 30    US$4 - 10     No data
Static with stub and add-ons     US$30 - 80    US$15 - 25    US$10 - 30
Polymorphic                      US$100        US$80         US$65
- The cybercriminal encrypts a malicious program or code with a crypter, then reassembles the code into a working program.
- The cybercriminal then sends out these programs as attachments in spear phishing emails and spam messages.
- If a user executes the program, it decrypts itself and releases the malicious code.
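The payload inside a crypted file stays statistically close to random until the stub decrypts it at run time, so a defender can triage candidate files by scanning for high-entropy regions, a heuristic that survives the per-file uniqueness of polymorphic output where hash matching does not. The following is an added example, not Trend Micro's code or any tool from the page; the carrier text, the seeded byte stream standing in for a payload, the window size and the threshold are all assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value,
    8.0 for a perfectly uniform distribution over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(blob: bytes, window: int = 512, threshold: float = 7.0):
    """Return (offset, length) pairs for runs of consecutive windows whose
    entropy is >= threshold. Encrypted or compressed data normally scores
    above 7.0 bits/byte; native code and text usually stay below 6.5, so a
    high-entropy region inside an otherwise ordinary file is a triage hit."""
    regions = []
    start = None
    for off in range(0, len(blob), window):
        hot = shannon_entropy(blob[off:off + window]) >= threshold
        if hot and start is None:
            start = off                           # region begins
        elif not hot and start is not None:
            regions.append((start, off - start))  # region ends
            start = None
    if start is not None:
        regions.append((start, len(blob) - start))
    return regions


# Constructed sample (assumption): repetitive ASCII stands in for the
# ordinary code and resources of a carrier file, and a seeded PRNG stream
# models the byte statistics of an encrypted payload. Nothing is actually
# encrypted here; only the byte distribution matters for the heuristic.
CARRIER = (b"This program cannot be run in DOS mode.\r\n" * 40)[:1536]
_rng = random.Random(20151101)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE = CARRIER + PAYLOAD + CARRIER


def triage(blob: bytes = SAMPLE) -> list:
    """Scan a file image and return the suspicious regions found in it."""
    return high_entropy_regions(blob)


if __name__ == "__main__":
    for off, length in triage():
        print(f"high-entropy region at offset {off}, {length} bytes")
```

Legitimate packed or compressed resources also score high, so treat a hit as a reason to inspect or sandbox the file, not as a verdict on its own.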
How does Trend Micro protect users from crypters?
In November 2015, Trend Micro researchers took part in an investigation and the eventual takedown of sites that offer crypters.
The best way to protect computer systems from crypter-encrypted files is to block their entry points. The Trend Micro Smart Protection Network does just that: all URLs, emails, and files users interact with are constantly checked against an updated and correlated threat database in Trend Micro's cloud-client content security infrastructure. Malicious URLs and emails are tagged automatically before users click or open them, preventing crypter-encrypted files from ever entering a user's computer.