Breaking-Security.net


Key Features:

  • Encrypts and protects your file code from reverse engineers, software analysts and crackers;
  • Makes your file invisible to antivirus engines (checked with 35 different Antiviruses!), both scantime and runtime;
  • Modify behaviour if run inside an analysis environment (Virtual machines, sandboxes, debuggers etc.) to make analysis harder and trick analysts;
  • Join multiple files together in the same package and make them decrypt and execute together;
  • Download additional software from Internet when opening file;
  • Automatically run your encrypted file on each Windows startup;
  • Change the file icon and information by cloning them from another file;
  • Small stub (decrypter & loader code) size;
  • Compatible from Windows XP to Windows 8.1, without any required dependency;
  • Years of development and customer satisfaction have led to a well-tested, stable and reliable product;
  • Unique stubs for each customer.

Overview

Octopus is mainly an executable file crypter, although it offers many other functions.

You can use it, for example, to protect an executable file, completely hiding its actual structure and code from analysis tools, debuggers and antivirus software, while maintaining its original functionality.

You can also use it to bind together multiple files inside a single, encrypted .exe container, which will decrypt and run all bound files at runtime when it gets executed.


A file crypted with Octopus will:

  • execute and work just like before;

  • be invisible to antivirus engines;

  • be considerably harder to get analyzed, cracked and/or reverse engineered;

  • on user's choice, avoid analysis by various tools such as debuggers, virtual machines, sandboxes etc.


But this program offers a wide range of functionalities, not limited to file encryption. With Octopus you can also:

  • Bind (and crypt) together multiple files of any type inside a single executable; you can choose where to drop them and whether to execute them. You can also choose, for each file, whether to drop/execute it if Octopus detects the presence of an analysis environment or tool;

  • Clone icon and version info from any file to your encrypted file;

  • Download, and on choice execute automatically, files from internet via a fixed URL;

  • Make your program run on each system restart;

  • Automatically copy your file to connected writable memories, such as USB, external HDDs and memory cards;

  • Execute encrypted file after a chosen time delay;

  • and more!

You can use together all the functions you want; the final output will always be a single, undetected executable file which, with just a simple double-click, will perform all the actions you have chosen.

Octopus stubs are sold Fully UnDetected by antiviruses (0/35 using scan4you.net).

Each stub you get is unique, differently obfuscated each time, built and revised directly by the developer before being sold.

Octopus is coded in C, C++ (stub) and Delphi (builder). The first version, 1.0, was completed in September 2009, and since then many updates have been made to the program. While the 1.x series was written in Visual Basic 6, I decided to rewrite the new version from scratch, to be able to code and use more advanced techniques which are not possible in VB6.


Compatibility

Octopus is able to run on Windows XP, Windows Vista, Windows 7 and Windows 8, on both 32 and 64 bit.

Both stub and builder are programmed to be independent and stand-alone, not requiring any other dependency other than those offered by the system by default (which come with a basic Windows installation).


Octopus features:

Crypter:

Not only are the input files and program settings encrypted differently on each build, but also a part of the stub itself. In fact, Octopus v2 uses 2 loaders, Stub.exe and Stub.dll. Stub.dll gets encrypted together with the other input data, and contains the core crypter functions. Anti-Viruses are unable to analyze it, since it stays crypted like your files.

The only thing AVs can analyze is the Stub.exe file, which is nothing more than a decrypter and memory-loader for the encrypted DLL code.

Each stub.exe you buy is unique, made undetected in a different way each time by an automatic, self-made C++ code obfuscator I programmed to do the job. I always manually revise each stub, to verify that it is undetected and working with good performance.

The Octopus builder will crypt input files and configurations with the RC4 algorithm using a random-bytes, random-length encryption key. You also have the option to enter your own encryption password. The actual process in which the builder and stub write/read data is kept secret.

Stub.dll is around 12 kb big, while stub.exe has a variable length, around 30-100 kb, due to the amount of obfuscation.


Binder:

- Unlimited file number support: Join together as many files as you want.

- Working with all file types: .exe, .doc, .jpg, etc.

- Direct memory execution: If you choose this option, your executable file will be executed directly in memory, without being dropped to hard disk.

Warning: memory execution works only with executable files (.exe, .scr ...)! For other file types, you must use the drop and execute option!

Warning: if you use the drop option, file will be decrypted before being dropped (scantime crypt only)! If you want the dropped file to still be crypted/undetectable, then crypt it using memory execution, save it, then bind it using dropping option.

- Selective execution when under analysis: Check/uncheck the flag on the left of each file to decide whether that file will be decrypted or not when inside a detected analysis environment. You can select the analysis environments you want to detect by checking the appropriate flags in the Anti-Analysis tab.

  • Unchecked flag (default): this file will not be executed under a selected analysis environment.

  • Checked flag: this file will be executed also when under a selected analysis environment.

Warning: Self-Terminate option under “Anti-Analysis” tab will take priority on selective execution and will instantly shut down the whole program before any action (except MessageBox if enabled) is performed. If you want to make only some files execute when inside analysis environment, make sure that Self-Terminate option is disabled.



Spreader:

Drives/USB spread:

The program will spread itself to all drives (removable hard drives, USB drives, memory cards etc.) connected to the computer. An autorun.ini file is created to execute the server automatically when the drive is opened. If you check the “Hide files” option, then the spread file and the Autorun.ini file will be hidden as hidden, system files with read-only attributes. You can also choose a different name for the copied file.


Downloader:

Unlimited file number support (multidownloader)

Any file type supported.

The downloader will download the chosen files from the specified URL to the specified directory. You can then choose whether it must also execute each file or not. You can download and execute any file type (executables, but also pictures etc.).

Downloader can be useful if you want Octopus to execute files without adding size to stub.


Message Box:

You can display a custom MessageBox on program start, or when an analysis environment is detected.

This is the only action the program performs before the time delay (if there is one).



General features:

  • No external dependencies needed: Neither the stub nor the builder need any external dependency (except standard Windows system dlls) and are programmed to run under Windows XP, Vista and 7.

  • Shell parameters support: Octopus is compatible with programs that need to be executed with command line parameters.

  • EOF Data support: This crypter is compatible with applications which store data/settings at End Of File (for example Bifrost). Some applications have EOF data but do not need it to store settings, so the EOF preserve option can be disabled without corrupting the application.

  • Icon / Information resource cloner: Clones the icon, the information, or both, at your choice, from the desired input file to the output file.

  • Online authentication mechanism: Octopus will check online if the licence is authorized. This is a read-only operation and no information is transmitted remotely, except licence name and code. In case of suspicious chargebacks or scams, Builder will be locked and stub distributed to antivirus companies.

  • Anti-Analysis: Octopus will self-terminate if run under selected environments. You can choose the action for Octopus to perform if an analysis environment is detected: showing a custom messagebox, self terminate, or both.





Detected programs compatibility

This is a small list of some malware which has been successfully proven compatible with Octopus; it is a very short demonstrative list which should be used just as an example of how Octopus can make even the most common malware undetectable to antiviruses:

  • DarkComet

  • Spy-Net

  • Poison Ivy

  • Bifrost

  • Zeus

  • Viotto Keylogger

  • Ap0calypse 1.4.4

  • BlackShades.NET

  • SS-Rat

  • CyberGate

  • Bandook V1.9 Private Edition

  • ...More and more

Octopus should be compatible with any common file. Obviously it will not work with some specific files, such as protected files which do a CRC check to see if the file code on disk has been altered before executing.


Frequently Asked Questions

Q: I encrypted a program which is programmed to restart with Windows each time, but the file I bound with it gets executed too.

A: When you install a program which sets itself to run on each Windows startup, for example a RAT backdoor, the installed file will sometimes be a copy of the file which has been run (so if you bound more files, they will also be run on startup).

This is a good technique to avoid this (for any binder or crypter):

  1. Build a single encrypted “autorunned” file, using memory run;

  2. Clear binder list;

  3. Bind the previously created crypted autorunned file with legit file/s, using drop & execute.



Example of Virus-Scan:


Unencrypted DarkComet backdoor:


http://scan4you.net/result.php?id=8e425_bq58n
RESULTS: 20/33

AVG Free: Trojan horse BackDoor.Generic13.BNKI
ArcaVir: OK
Avast 5: Win32:Flooder-GR [Trj]
Avast: Win32:Flooder-GR [Trj]
AntiVir (Avira): TR/Spy.Gen2
BitDefender: OK
VirusBuster Internet Security: OK
Clam Antivirus: OK
COMODO Internet Security: Backdoor.Win32.DarkC.~A@172262695
Dr.Web: BackDoor.Comet.21
eTrust-Vet: OK
F-PROT Antivirus: W32/Downloader.C.gen!Eldorado (generic, not disinfectable)
F-Secure Internet Security: OK
G Data: Trojan.Generic.KDV.203906 (Engine-A), Win32:Flooder-GR [Trj] (Engine-B)
IKARUS Security: Trojan.Win32.CDur
Kaspersky Antivirus: HEUR:Trojan.Win32.Generic
McAfee: BackDoor-EZG.c
MS Security Essentials: Backdoor:Win32/Fynloski.A
ESET NOD32: 2Backdoor.Win32/Delf.NVC
Norman: OK
Norton Antivirus: OK
Panda Security: Suspicious
A-Squared: Trojan.Win32.CDur!IK
Quick Heal Antivirus: Backdoor.Fynloski.A9
Rising Antivirus: Backdoor.Win32.Gpigeon2009.GEN
Solo Antivirus: OK
Sophos: Troj/Agent-IHB
Trend Micro Internet Security: OK
VBA32 Antivirus: infected Trojan.Siscos.bwh
Vexira Antivirus: OK
Webroot Internet Security: Virus: Mal/DelfInj-A
Zoner AntiVirus: OK
AhnLab V3 Internet Security: OK

File Name: darkcomet.exe
File Size: 673792
File MD5: 11772f85b7529d77e1748be88db1b4e3
File SHA1: 9909fbed2dbaaa692e2612dc07201c864378aa8e
Check Time: 2011-05-30 16:17:12


DarkComet crypted with Octopus:


http://scan4you.net/result.php?id=1fa6b_bq5bi
RESULTS: 0/33

AVG Free: OK
ArcaVir: OK
Avast 5: OK
Avast: OK
AntiVir (Avira): OK
BitDefender: OK
VirusBuster Internet Security: OK
Clam Antivirus: OK
COMODO Internet Security: OK
Dr.Web: OK
eTrust-Vet: OK
F-PROT Antivirus: OK
F-Secure Internet Security: OK
G Data: OK
IKARUS Security: OK
Kaspersky Antivirus: OK
McAfee: OK
MS Security Essentials: OK
ESET NOD32: OK
Norman: OK
Norton Antivirus: OK
Panda Security: OK
A-Squared: OK
Quick Heal Antivirus: OK
Rising Antivirus: OK
Solo Antivirus: OK
Sophos: OK
Trend Micro Internet Security: OK
VBA32 Antivirus: OK
Vexira Antivirus: OK
Webroot Internet Security: OK
Zoner AntiVirus: OK
AhnLab V3 Internet Security: OK

File Name: Output.exe
File Size: 720896
File MD5: 1b71d1abc29fad5d2d1b1771362758b8
File SHA1: 138b30832d79b88da1bc569b53cd0f7cd23d85dd
Check Time: 2011-05-30 16:21:44


Disclaimer

I (the author) will not be held responsible for any use you make of this program.

You (the user) are responsible for the proper use of it; I will not be liable for any kind of use or damage caused to yourself or other people. Use it at your own responsibility and risk.

In order to use my software, you must accept the conditions described in this disclaimer.

Aside from this, have fun! ;)