It has been some months since I last wrote any news here, and I know from the many emails I receive that many people are interested in the status of Octopus 2.0.
Well, it is 95% complete :) I expect to complete it in a week or so (I am not sure, because development depends on my spare time).
Anyway, development never stopped during these months, but it is a big project and there has been a lot of work to do. It is much more advanced than the 1.x series: the Builder is now in Delphi and the stub in C++. I decided to use these languages in order to use some techniques which are not possible in VB6.

There has also been a lot of work to code all the various functions, since it is not a simple crypter.

I have also spent a lot of time on some features which are not so visible to the user, but which make generic detections much harder for AV companies. For example:

  • The stub core is an encrypted DLL which gets saved inside the stub .exe. This DLL gets decrypted and loaded without being dropped to disk. This leaves unencrypted only a decryption routine and a DLL loader, while the rest of the stub code always remains encrypted (including RunPE). What does this mean? It means that it is impossible for AVs to analyze the stub code which is contained inside the DLL. The only thing they can analyze is the .exe.
  • Statically imported functions in the stub .exe have been kept to a minimum. Not even LoadLibrary() or GetProcAddress() are used.
  • The stub .exe code, which is not dynamically encrypted on each build (unlike the stub .dll), is manually made undetected by me with a C++ source obfuscator I coded. A unique stub is given to each customer.
  • All the data which gets saved inside the stub is contained in an encrypted block. No constant strings, no settings splitters, etc. The only thing which remains unencrypted is the decryption key, which is a random byte sequence of random length. But it is very difficult (except for me) to know which is the encryption key. Probably the only ways to get the key are viewing the crypter source or doing a deep analysis with a debugger.
And more...
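From the defender's side, two of the properties listed above (a stub .exe with almost no static imports, and a large encrypted block embedded in it) are exactly what a static triage script looks for. The following is an added example, not code from this post or from Octopus: a minimal PE32 reader in Python (standard library only) that lists the import table, computes per-section entropy, and raises a finding when the import table is sparse or a section is near-random. The `build_sample_pe()` helper constructs a tiny synthetic PE in memory so the script runs offline; the thresholds (`min_imports=5`, `entropy_threshold=7.0`) are assumed starting points for a heuristic, not values from the page.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, much lower for code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def read_cstr(blob: bytes, off: int) -> str:
    return blob[off:blob.index(b"\0", off)].decode("ascii")


def rva_to_offset(rva: int, sections: list) -> int:
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} maps to no section")


def parse_pe(blob: bytes) -> dict:
    """Minimal PE32 reader: section table with per-section entropy, plus the import table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # start of the optional header
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    import_rva = struct.unpack_from("<I", blob, opt + 96 + 8)[0]   # data directory [1] = imports
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "rsize": rsize, "raw": raw, "entropy": shannon_entropy(blob[raw:raw + rsize])})
    imports = {}
    desc = rva_to_offset(import_rva, sections) if import_rva else None
    while desc is not None:                                # walk IMAGE_IMPORT_DESCRIPTOR array
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", blob, desc)
        if name_rva == 0:                                  # all-zero descriptor terminates the list
            break
        thunk = rva_to_offset(oft or ft, sections)
        funcs = []
        while (entry := struct.unpack_from("<I", blob, thunk)[0]) != 0:   # 4-byte thunks (PE32)
            funcs.append(f"#{entry & 0xFFFF}" if entry & 0x80000000      # import by ordinal
                         else read_cstr(blob, rva_to_offset(entry, sections) + 2))  # skip Hint
            thunk += 4
        imports[read_cstr(blob, rva_to_offset(name_rva, sections))] = funcs
        desc += 20
    return {"sections": sections, "imports": imports}


def triage(info: dict, min_imports: int = 5, entropy_threshold: float = 7.0) -> list:
    """Heuristic findings: sparse static import table, near-random (encrypted) sections."""
    findings = []
    n = sum(len(f) for f in info["imports"].values())
    if n < min_imports:
        findings.append(f"sparse import table: {n} static imports")
    for s in info["sections"]:
        if s["rsize"] and s["entropy"] >= entropy_threshold:
            findings.append(f"high-entropy section {s['name']}: {s['entropy']:.2f} bits/byte")
    return findings


def random_payload(seed: int, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted block (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def build_sample_pe(imports: dict, payload: bytes) -> bytes:
    """Construct a tiny PE32 image with a .text import table and a .data payload (constructed input)."""
    TEXT_VA, TEXT_RAW, DATA_VA = 0x1000, 0x200, 0x2000
    text = bytearray(20 * (len(imports) + 1))           # descriptor array, filled in below
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:                                  # IMAGE_IMPORT_BY_NAME: Hint + name
            name_rvas.append(TEXT_VA + len(text))
            text += struct.pack("<H", 0) + f.encode() + b"\0"
            text += b"\0" * (len(text) % 2)
        dll_rva = TEXT_VA + len(text)
        text += dll.encode() + b"\0"
        text += b"\0" * (-len(text) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        oft = TEXT_VA + len(text); text += thunks
        ft = TEXT_VA + len(text); text += thunks
        descs.append(struct.pack("<IIIII", oft, 0, 0, dll_rva, ft))
    for i, d in enumerate(descs):
        text[20 * i:20 * i + 20] = d
    text += b"\x90" * 64                                 # filler "code"
    assert len(text) <= TEXT_RAW
    text += b"\0" * (TEXT_RAW - len(text))
    data = payload + b"\0" * (-len(payload) % 0x200)
    opt = bytearray(224)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, TEXT_VA)             # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                   # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, TEXT_VA, 20 * (len(imports) + 1))   # import directory
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".text", TEXT_RAW, TEXT_VA, TEXT_RAW, TEXT_RAW, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".data", len(data), DATA_VA, len(data), 2 * TEXT_RAW, 0, 0, 0, 0, 0xC0000040)
    hdr += b"\0" * (TEXT_RAW - len(hdr))
    return bytes(hdr + text + data)


if __name__ == "__main__":
    blob = build_sample_pe({"kernel32.dll": ["ExitProcess", "VirtualAlloc"]}, random_payload(7, 4096))
    info = parse_pe(blob)
    print("imports:", info["imports"])
    for finding in triage(info):
        print("!", finding)
```

On real samples, point `parse_pe()` at the bytes of a file instead of the constructed image; PE32+ (64-bit) binaries would need 8-byte thunks and the data directory offset moved to 112, which this reader deliberately does not attempt. Neither heuristic is proof of anything on its own (tiny hand-written utilities have few imports, and resource-heavy installers have high-entropy sections), which is why such checks feed a triage score rather than a verdict.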
 
Now I just have to do some debugging of the C++ source obfuscator. After I get it to work well, Octopus will be fully functional.