How do they collect logs? How to stay in the shadows and safe from stealers?

Martin W Luis
Joined Jan 27, 2025
Many of those reading this have heard about "logs" at least once. Let's first figure out what they are:

A log is a unit of user data. Roughly speaking, your log is your entire life on the Internet: all your passwords, logins, cookies and browser history (in some cases including incognito) are reflected in this very log. So most likely, if you watched porn, the log holder will see that porn in your history.
But what is so valuable about your logins and passwords? In general, nothing. Most of you are simply of no use to us; we don't need your VKontakte where you chat with your girls. We are specific guys and we have specific sharavars for money: we need guys who have cash.

But where do the logs come from?
Logs are obtained by stealers (read: a virus that steals data). A stealer can be "caught" when downloading a crack for Photoshop, on porn sites, on pirated games, so be careful with such things. Most of those reading this will never catch a serious stealer, for a very simple reason: serious stealers do not work in the CIS (article in Russian). You can catch the crafts of some schoolchildren and students, but serious products, for example Mars, do not work in the CIS.

How stealers (viruses) hide
Now each of us has an antivirus; most of us have the most powerful representative, Windows Defender (code name mssec). It is the most powerful because it is installed for every Windows user (10+), with a castrated version on the sevens, or other antiviruses (Kaspersky, etc.); because it is installed on every microwave oven, it has the largest antivirus database of samples. But this does not help antiviruses. It's all about cryptors: a good cryptor is able to change the signature of the sample, and the virus becomes "clean" for the antivirus database. Signature analysis (also called scantime) in a simplified form works like this:

the file virus.exe is assigned its identification number in the antivirus system, for example 123456
inside the antivirus there are tables like this (again, I'm showing it in a simplified form):

virus.exe = 123456

program.exe = 56789

stealer.exe = 98765
When the file zombie vs. plants.exe gets onto your computer, the antivirus understands that the only plant here is the owner of the computer, calculates its hash, and its hash is 123456. The antivirus compares it with its database and finds out that this was the file virus.exe, after which another user (who was less lucky, and whose antivirus did not know about the virus YET) screwed up his computer. And it gives the user a warning. So no matter how you change the file name or the icon, once you are caught you will have to rebuild the file or resort to cryptors.
Cryptors are the biggest deception

A normal cryptor is able to change that same hash of the virus (the build; a build is the virus file) from those same tables. But even this does not save it from being caught by antiviruses later. It's all about the runtime analysis of modern antiviruses. I will try to explain in simple words what it is. So, we have a file "open.exe"; it is encrypted. When it gets onto the computer, the antivirus does not complain about it because it did not find its signatures in the database (because, again, it is encrypted). Everything is okay, but then this chain of actions occurs that knocks out most cryptors:
You open the file "Open.exe".
The antivirus intercepts the opening event, then places it in a special isolated area in its memory (a virtual machine inside the antivirus) and watches what it does, checking its behavior. This analysis is called runtime, or behavioral in Russian.
Even before the file opens on your main machine, the antivirus detects that the file is climbing into the Chrome password storage and into Telegram sessions, and immediately gives this behavioral fingerprint some kind of detection, "Wacatac.B!ml" for example. By the way, !ml at the end means that the detection is given by machine learning; in short, the detection was given by artificial intelligence.

The stealer's hash also gets into trouble (remember those same tables). As you can see, the cryptor did not help us, despite the fact that it provides FUD (fully undetected) against antiviruses at scantime, which is also temporary, by the way. That's why the crypt itself does not live long.
It turns out that cryptors are partly useless in modern realities because no cryptor can protect against runtime analysis properly, although they try. For example: garbage instructions are added, usually not connected to each other in any way, which confuses the runtime analysis; random delays are added when opening; and much more. I will say right away that antiviruses suppress all these attempts equally coolly, especially our beloved Mssec: it detects the meaninglessness and incoherence of the instructions, issues a detection S.Kriptik!ml, and everything happens as usual.

But why does everyone use cryptors? They are useless!

Cryptors are useless, but only partly. The fact is that not all users have the "cloud analysis" function enabled in that same Windows Defender (our runtime analysis). Let's say we infected 1000 users: 500 of them do not have an antivirus at all, because "why the hell do we need it??? I'm pretty fucking smart myself without any of your antiviruses", 400 users have the runtime analysis option disabled because it takes longer to open files, and only 901 users have an antivirus and runtime analysis enabled. EXACTLY UNTIL THIS USER THE VIRUS IS ELUSIVE! And the cryptor helped us with this! But after the 901st user, whose antivirus has detected that the virus is a virus, the 902nd user's file will not start even if he has the runtime analysis option disabled. So the user who has everything enabled is called the last patient)))) Then, after him, the build will start only for those users who do not have antiviruses. This does not happen immediately; in practice, after the 901st user, another 200-300 people are easily infected before the virus is completely filled with detections. After the virus goes into Total with its detections, it will be necessary to make a recrypt, and with the price of a crypt at 25 bucks, this turns into a needle that needs to be used constantly. This is how seemingly useless cryptors live and prosper.
How to stay safe
Do not turn off, and under no circumstances cut out, Windows Defender; it is even better if you turn on cloud protection, which you can do in the Defender settings. For browsers, use YANDEX.BROWSER for important data (just don't fall over). Yes, I know that Alice is in there, but it is the safest browser: look right now on GitHub at who shares a stealer for Yandex Browser. Although Yandex Browser is built on the Chrome engine, it has changed security algorithms, and with its recent update it completely killed all stealers that work on it. Well done, guys from Yandex, respect to them, because the same Opera does not bother with this. By the way, you can also use Mozilla Portable: in most cases stealers load the libraries needed for stealing Mozilla passwords from the main directory of the browser, and since the Portable version of Mozilla is located God knows where (more precisely, wherever you want), the stealer simply does not know about it and will not notice the Portable version.
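The hash-table picture of scantime detection from the post, and the "change the hash, get burned again after the last patient" cycle, as an added PowerShell example. This is not code from the post and not Defender's engine: the "known bad" entries are computed from constructed strings, the file names, detection names and the one-byte XOR "cryptor" are all assumptions for illustration, and no real malware is involved. It goes one step beyond the post by adding a content-pattern rule next to the whole-file hash, to show what padding defeats and what only encryption defeats.

```powershell
# Added example (not from the post): a toy "scantime" signature check.
# Constructed inputs only; detection names are made up for the demo.

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($Bytes))) -replace '-', '' }
    finally { $sha.Dispose() }
}

# Stand-in for a cryptor's stub: at scan time the AV only sees this ciphertext.
function ConvertTo-Xor {
    param([byte[]]$Bytes, [byte]$Key)
    [byte[]]($Bytes | ForEach-Object { $_ -bxor $Key })
}

$ascii = [System.Text.Encoding]::ASCII
# Constructed stand-ins for the rows in the post's table.
$files = @{
    'virus.exe'   = $ascii.GetBytes('build v1: read Chrome Login Data, copy tdata')
    'program.exe' = $ascii.GetBytes('harmless notepad clone')
}

# Row "virus.exe = 123456": whole-file hash -> detection name.
$hashDb = @{ (Get-Sha256Hex $files['virus.exe']) = 'Trojan:Win32/Stealer.Example' }

# A content rule (bytes the stealer must carry to do its job) that survives
# renaming and padding, but not encryption.
$patternDb = @{ 'Chrome Login Data' = 'Trojan:Win32/Stealer.Example.gen' }

function Test-ScanTime {
    param([byte[]]$FileBytes)
    $h = Get-Sha256Hex $FileBytes
    if ($hashDb.ContainsKey($h)) { return "hash hit: $($hashDb[$h])" }
    $text = $ascii.GetString($FileBytes)
    foreach ($p in $patternDb.Keys) {
        if ($text.Contains($p)) { return "pattern hit: $($patternDb[$p])" }
    }
    return 'clean'
}

# 1. Renaming to "zombie vs. plants.exe" changes nothing: same bytes, same hash.
'renamed build:          ' + (Test-ScanTime $files['virus.exe'])

# 2. One appended byte: new hash, so the hash row is blind, but the pattern still fires.
$padded = [byte[]]($files['virus.exe'] + 0x90)
'padded build:           ' + (Test-ScanTime $padded)

# 3. Encrypted payload (what a cryptor actually ships): neither rule sees anything.
$crypted = ConvertTo-Xor -Bytes $files['virus.exe'] -Key 0x5A
'crypted build:          ' + (Test-ScanTime $crypted)

# 4. The genuinely clean file hits nothing either, which is the whole problem for scantime.
'program.exe:            ' + (Test-ScanTime $files['program.exe'])

# 5. After the "last patient": the crypted file's hash is added and that build is burned.
$hashDb[(Get-Sha256Hex $crypted)] = 'Trojan:Win32/Stealer.Example'
'crypted build, now known: ' + (Test-ScanTime $crypted)
```

Step 3 is exactly the gap the post describes: a scan-time-only engine has nothing to match against ciphertext, which is why the behavioral step (watching what the decrypted code does) is what actually catches the build, and why adding the new hash in step 5 only helps everyone who is scanned after the first victim.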
 
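A check for the Defender settings the post tells you to keep on (real-time protection, cloud-delivered protection, behavior monitoring), as an added PowerShell snippet that is not part of the post. It uses only the built-in Defender cmdlets (Get-MpPreference, Get-MpComputerStatus, Set-MpPreference) on Windows 10/11. The function and variable names are mine; the choice of CloudBlockLevel High is an assumption about what is acceptable on your machine.

```powershell
# Added example (not from the post): audit the Defender settings the post says
# to keep on, and switch them back on if something turned them off.
# Run from an elevated prompt to change settings; some of these are locked
# while Tamper Protection is on and must be changed in Windows Security instead.

function Get-DefenderPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        # MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-delivered protection)
        CloudProtection    = ($pref.MAPSReporting -ne 0)
        # SubmitSamplesConsent: 2 = never send; the cloud can only judge what it is shown
        SampleSubmission   = ($pref.SubmitSamplesConsent -ne 2)
        CloudBlockLevel    = $pref.CloudBlockLevel
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }
}

function Enable-DefenderCloudProtection {
    # Equivalent of ticking "Cloud-delivered protection" and "Automatic sample
    # submission" in Windows Security, plus re-enabling real-time and
    # behavior monitoring in case something else switched them off.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -DisableBehaviorMonitoring $false
    # Assumption: a stricter-than-default cloud block level is acceptable here.
    Set-MpPreference -CloudBlockLevel High
}

$posture = Get-DefenderPosture
$posture | Format-List

$gaps = @()
if (-not $posture.RealTimeProtection) { $gaps += 'real-time protection is off' }
if (-not $posture.BehaviorMonitoring) { $gaps += 'behavior monitoring is off' }
if (-not $posture.CloudProtection)    { $gaps += 'cloud-delivered protection is off' }
if (-not $posture.SampleSubmission)   { $gaps += 'sample submission is off' }
if ($posture.SignatureAgeDays -gt 1)  { $gaps += "signatures are $($posture.SignatureAgeDays) days old" }

if ($gaps.Count -gt 0) {
    Write-Warning (($gaps -join '; ') + '. Run Enable-DefenderCloudProtection from an elevated prompt.')
} else {
    'Defender posture matches the recommendations.'
}
```

Run Get-DefenderPosture first and read the output before calling Enable-DefenderCloudProtection; on a managed machine the preferences may be set by policy, in which case Set-MpPreference reports an error rather than silently changing anything.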