Crypting || Bypass AntiViruses

So, now you’re this Black Hat hacker, running around with your RAT spreading on the internet while it acts like some Facebook program, but you notice you have one issue. You chose a popular RAT, and your Trojan Horse method was so well thought out that even the Greeks would have been impressed, but you never thought about the AntiVirus companies being able to detect that your program is not what it seems. Welcome before us, the art of “Crypting”.

Original Thought

I remember when I first started to learn about RATs, the only way to stay Fully UnDetectable (FUD) was to have a custom created RAT, or at least to have my version be newly made or customized. This still isn’t a bad rule of thumb: if your RAT is custom built and only you have that unique RAT, it’s less likely to carry a common virus signature that AntiVirus companies detect. The idea behind it is that when a program is built, it has certain identifying pieces that show up once it’s broken down. Much like humans have fingerprints, RATs use pretty specific functions and methods, and these are all categorized and can be used as a signature for the program. If a virus is found on multiple computers, the AV companies take that virus, look at the variants found on those infected computers (confirming that it’s the same virus), and create a Virus Signature which they add to their list of viruses to hunt down. By coding your own, or just recoding certain aspects of your RAT, you change the “fingerprint” of your RAT, and instantly you have a new “signature” that the AVs don’t know about, and you’re FUD again.

Enter Crypting

So obviously, for RAT makers who would rather develop RATs than worry about infecting, keeping their creation FUD can be extremely exhausting. The Black Hat feels the same exhaustion when they have to update all of their RATs yet again, or wait on the developer to create and issue a hotfix to re-FUD. So developers started to look at binary encryption methods. The basic idea is this: you take your RAT or virus that is detectable, and instead of changing the program itself, you encrypt it so that it looks different but is still the same. Think about communication: you don’t want people to see what you’re saying, so you start encrypting your messages to mean the same things but look completely different to others. Products out there that can be purchased to do this are normally called “Crypters”. The issue then is that if the encryption itself gets detected, kind of like finding the cipher for an encrypted message, all programs encrypted with it are detectable again. You can definitely see the cat and mouse game normally associated with Hackers and AVs.
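To make the two sides of that cat and mouse game concrete, here is an added example (not from the original post) of how a scanner’s static signature match fails on an encrypted body, and why defenders pair signatures with an entropy heuristic. The signature name and byte pattern are hypothetical, and the three samples are constructed: the “crypted” one is seeded pseudo-random bytes standing in for a program after a crypter has encrypted it.

```python
import math
import random

# Hypothetical AV signature table: a distinctive byte pattern for one made-up
# RAT family. Not a real signature.
SIGNATURES = {
    "DemoRAT.A": b"CONNECT_BACK_TO_C2",
}

def signature_scan(blob: bytes) -> list:
    """Classic static detection: return every signature name found in the bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]

def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte. Encrypted or compressed data sits close to 8.0."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_scan(blob: bytes, threshold: float = 7.0) -> bool:
    """Defender heuristic: flag high-entropy bodies for closer (dynamic) analysis."""
    return shannon_entropy(blob) >= threshold

def classify(blob: bytes) -> str:
    """Signature first; if nothing matches, fall back to the entropy heuristic."""
    hits = signature_scan(blob)
    if hits:
        return "signature:" + ",".join(hits)
    if entropy_scan(blob):
        return "suspicious:high-entropy"
    return "clean"

# Constructed samples: a "plain" binary that still carries the pattern, a blob of
# seeded pseudo-random bytes standing in for the same program once encrypted
# (the pattern is gone), and a benign text file for comparison.
PLAIN_SAMPLE = b"MZ\x90\x00" + b"A" * 200 + b"CONNECT_BACK_TO_C2" + b"\x00" * 100
_rng = random.Random(1234)
CRYPTED_SAMPLE = bytes(_rng.randrange(256) for _ in range(2048))
BENIGN_SAMPLE = b"Hello world. " * 40

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("crypted", CRYPTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(sample), round(shannon_entropy(sample), 2))
```

The signature catches the plain sample and nothing else, while the entropy check flags the encrypted blob even though the scanner has never seen that crypter; once the crypter’s own stub is signatured, the situation flips back, which is the cycle the post describes.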

