
Spy programs vs Anti-Virus


Are redpill spy products FUD? I get asked this question a lot. FUD (in some circles) means Fully UnDetectable spy programs.

The answer depends on what you mean by FUD. Some Anti-Virus packages will block and remove any program that is downloaded or received via email and is not a well-known program. The program is not really detected as a known virus, and it does not even need to show any suspicious behavior, but it is blocked and removed by some strict AV (Anti-Virus) packages because it is seen as a potential threat.

If you take that into consideration, no spy program can be completely undetectable (or FUD).

redpill products like redpill Hacker and redpill Agent get past more Anti-Virus packages than most other spy programs. It also depends, however, on how you use your spy program. I will explain how to use your spy program, but first, it is important that you understand how detection works.

How Does Anti-Virus Software Detect Spy Programs?

AV companies basically detect spy software (and viruses) in three ways:
  1. Comparing the file against a library of known viruses and malware - This method can only detect known viruses and spy programs.
  2. Heuristic Analysis – Anti-Virus companies use heuristic analysis to detect viruses and spy software that are new or are new variants. In short, anti-virus software that uses this method will run the program in a controlled virtual system (sandbox testing) or decompile the suspected program and analyze the source code before releasing it into the real system. The anti-virus software will use profiling to make an 'educated guess' to decide if the unknown program is a virus or malware. Obviously this method will lead to a lot of false positives.
  3. Wisdom of the crowd - It is often impossible to decide if a file is malicious or not, basing this decision only on data from one computer. The picture changes when it's possible to analyze application behavior on multiple computers. Using this data and heuristic analysis methods, anti-virus companies can very quickly make a verdict about a suspected file.
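As an added illustration (not code from this post or from redpill), here is a small Python model of the three detection methods listed above: a hash lookup that a re-packed build sidesteps, a weighted behaviour score from sandbox observations, and a crowd verdict that convicts a behaviour profile once it is reported from enough distinct hosts, which is why a "unique install every time" defeats method 1 but not method 3. All hashes, weights and thresholds are constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed "known malware" database: SHA-256 of previously analysed samples.
KNOWN_BAD_HASHES = {hashlib.sha256(b"old-build-v1").hexdigest()}

@dataclass(frozen=True)
class Sample:
    host: str            # machine that reported the file
    content: bytes       # file bytes, hashed for the signature check
    hidden: bool         # hides its window, files or process
    from_email: bool     # arrived as an attachment or download
    keyboard_hook: bool  # installed a keyboard hook
    sends_data: bool     # sends data over the internet

# Weights and thresholds are constructed for illustration, not from a real engine.
WEIGHTS = {"hidden": 2, "from_email": 1, "keyboard_hook": 3, "sends_data": 2}
HEURISTIC_THRESHOLD = 6  # score at which one host blocks on its own
CROWD_MIN_HOSTS = 3      # distinct hosts sharing a profile before the crowd verdict

def signature_match(sample: Sample) -> bool:
    """Method 1: exact match against the library of known samples."""
    return hashlib.sha256(sample.content).hexdigest() in KNOWN_BAD_HASHES

def heuristic_score(sample: Sample) -> int:
    """Method 2: weighted sum of suspicious behaviours seen in the sandbox."""
    return sum(w for name, w in WEIGHTS.items() if getattr(sample, name))

def behaviour_profile(sample: Sample) -> tuple:
    """Hash-independent fingerprint: identical across re-packed, renamed builds."""
    return tuple(getattr(sample, name) for name in WEIGHTS)

def crowd_verdicts(telemetry: list, min_hosts: int = CROWD_MIN_HOSTS) -> set:
    """Method 3: a profile seen on many hosts is convicted even if each host alone stays below threshold."""
    hosts_by_profile = defaultdict(set)
    for s in telemetry:
        if heuristic_score(s) > 0:
            hosts_by_profile[behaviour_profile(s)].add(s.host)
    return {p for p, hosts in hosts_by_profile.items() if len(hosts) >= min_hosts}

def classify(sample: Sample, telemetry: list) -> str:
    """Run the three methods in the order the post describes; first hit wins."""
    if signature_match(sample):
        return "known-malware"
    if heuristic_score(sample) >= HEURISTIC_THRESHOLD:
        return "heuristic-block"
    if behaviour_profile(sample) in crowd_verdicts(telemetry):
        return "crowd-block"
    return "allow"
```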

How does redpill get past Anti-Virus detection?

As explained in the beginning, no spy program will get past all AV all the time on all systems. redpill however has some of the best results in getting past AV in the business. The reason for this is that redpill works very hard at developing unique techniques to avoid detection … and has been doing this for 10 years. redpill has some unique counter detection features:
  1. redpill uses a range of techniques to prevent its products from being detected as known spy software, including: encryption, code scrambling, code obfuscation, covert coding (over the years redpill has learned some coding principles that make applications more difficult to detect) and code fogging (code fogging is a redpill term that means adding 'tons' of program-generated code to improve obfuscation of the code and make it more difficult to find and detect the red flag code).
  2. Unique Install Every Time – Even if you use the same install module on the same computer, each install will be unique. New program names, folders, registry keys, etc. are used with each installation.
  3. Masking – Heuristic scans will look at how the program behaves (Is it hidden, was it downloaded or received via email, did it install a keyboard hook, is it sending data over the internet, etc.). redpill has developed some unique (and secret) methods of masking some of these operations. Note that masking techniques can't hide everything ... the program still needs to be downloaded or received via email, etc. Again ... redpill will get past a lot of AV scans but not all (no spy program can).

How can you prevent your redpill product from being detected?

As explained in this document, redpill has done a lot to avoid detection. However, how you use your redpill Agent or redpill Hacker will also determine whether it gets detected.

With redpill Agent, don't re-use old install modules. redpill Agent is designed to do multiple installations, but not huge numbers. So as long as you don't use old install modules, you should not have any problems.

redpill Hacker however can do a large number of installs. redpill Hacker even comes with a database where you can add or import targets from a file. You can also select a huge list of targets and then redpill Hacker can email all the targets for you.

HOWEVER ... just because you can import a huge number of emails and email an attack module to them all at once, does not mean you should do it. Emailing 5000 targets (or any number) an attack module or link is a very bad idea:
  • It is a bad idea because redpill hates phishing emails and phishing attacks... just like everybody else. It is a bad idea because it is illegal. You should only do spear phishing on specific targets you need to (and can) monitor.
  • It is a bad idea because the 'wisdom of the crowd' will very quickly kick in and your install module will be detected by almost every AV.

Remember, you don't have to have successful installations before your module is scanned. Attachments and even links can be scanned as they are received.

If this happens (if your redpill Hacker gets known by AV), you will need to request a rebuild by redpill (for a fee).

Things you can do to prevent your redpill Hacker from becoming known by AV:
  • Only do spear phishing - hacking on specific targets.
  • Choose your targets and methods of hacking/monitoring carefully.
  • Never test your payload detection rate with multi-scan anti-virus sites. Your payload will be scanned against every Anti-Virus package available. The more you expose your payloads to AV scans, the greater the risk that they will find a 'fingerprint' and add your version of redpill Hacker to AV databases.
  • You can use a two phase attack as shown in this video to prevent your redpill Hacker from becoming known.
  • You can use incremental hacking.
  • You can disable your Anti-Virus on your own computer or choose the one that you use carefully. When you do testing on your own computer, the payloads will be scanned each time you create a new payload. If the payloads are scanned enough times, it will be possible for your AV to find a 'fingerprint' in the modules and add your build of redpill Hacker to their database.

If you use your redpill Hacker correctly, you might never need a rebuild. If you do need a rebuild to get a new clean version, contact redpill. You will then also get an upgrade to the latest version.
