File infectors are not at the top of their popularity nowadays (there is not a wide variety of them ITW, but the few active ones – such as Sality or Virut – are difficult to defeat). One reason they are hard to defeat is the frequency of their updates and the complexity of their polymorphism; another is the fact that these viruses are not perfectly tuned. If a file infector is to be successful (and transparent to normal system behavior), it simply must not produce corrupted files (process crashes quickly point out what is going on). I will show some examples of bugs in file infectors below in this article. The problem is that these bugs often make the infected binaries incurable.
Win32:Andras is a simple file infector that looks for EXE files and appends its body to the last section. The entry point is slightly obfuscated, but the code flow is easy to follow.
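As an added example (not code from the original article and not related to any specific sample), the following Python script reads only the PE headers and flags the two layout traits that the appending approach described above tends to leave behind: an entry point that resolves into the last section, and a last section that is both writable and executable. The two PE images it inspects are constructed in memory by the `build_pe` helper and carry no real code; the findings are triage hints for a scanner or sandbox pipeline, since packers and some legitimate linkers produce the same layout.

```python
import struct
from collections import namedtuple

# Section flags from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = namedtuple("Section", "name vaddr vsize raw_size characteristics")


def parse_pe_headers(data):
    """Return (AddressOfEntryPoint, [Section, ...]) read from the PE headers only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header follows the signature
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20                          # optional header; AddressOfEntryPoint is at +16
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + opt_size                     # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, vaddr, raw_size, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"),
                                vaddr, vsize, raw_size, chars))
        off += 40                            # each IMAGE_SECTION_HEADER is 40 bytes
    return entry_rva, sections


def appended_body_findings(data):
    """Header-only heuristics for code appended to the last section.

    Returns a list of human-readable findings; an empty list means nothing
    suspicious was seen. These are triage hints, not a verdict: packers and
    some legitimate linkers produce the same layout.
    """
    entry_rva, sections = parse_pe_headers(data)
    if not sections:
        return ["no sections"]
    findings = []
    last = sections[-1]
    owner = next((s for s in sections
                  if s.vaddr <= entry_rva < s.vaddr + max(s.vsize, s.raw_size)), None)
    if owner is None:
        findings.append("entry point outside every section")
    elif owner is last and len(sections) > 1:
        findings.append(f"entry point in last section {owner.name}")
    if last.characteristics & IMAGE_SCN_MEM_EXECUTE and last.characteristics & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last.name} is writable and executable")
    return findings


def build_pe(entry_rva, sections):
    """Build a minimal, header-only PE32 image (constructed test data, carries no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # PE32 optional header with 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"), s.vsize, s.vaddr,
                    s.raw_size, 0, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed samples: a normal layout and one where the entry point has been
# moved into a last section that is both writable and executable.
CLEAN_IMAGE = build_pe(0x1000, [
    Section(".text", 0x1000, 0x400, 0x400, 0x60000020),    # CODE | EXECUTE | READ
    Section(".data", 0x2000, 0x100, 0x200, 0xC0000040),    # INITIALIZED_DATA | READ | WRITE
])
APPENDED_IMAGE = build_pe(0x3050, [
    Section(".text", 0x1000, 0x400, 0x400, 0x60000020),
    Section(".data", 0x2000, 0x100, 0x200, 0xC0000040),
    Section(".rsrc", 0x3000, 0x800, 0x800, 0xE0000040),    # INITIALIZED_DATA | EXECUTE | READ | WRITE
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("appended", APPENDED_IMAGE)):
        print(label, appended_body_findings(image) or "no findings")
```

Run against a real file by passing its bytes to `appended_body_findings`; the section lookup uses the larger of VirtualSize and SizeOfRawData so that an entry point placed in file-alignment padding at the end of a section is still attributed to that section rather than reported as outside every section.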
As mentioned in the “Swizz with me” article, Swizzor is written by a group of highly skilled coders. They are always ready to improve the generator, make the Swizzor binaries look more and more like ordinary applications linked with MSVC, and make the detection of new variants harder and harder. The learning process can be briefly described as follows:
- the very first generation: there were no resources and the code obfuscation was plainly visible
- the code obfuscation was diluted to make it less suspicious
- first attempts to generate resources (an application with resources looks more serious)
- inclusion of the CRT and a higher dilution of obfuscated code and encrypted data
- more sophisticated generation of resources
What will follow?
Swizzor is the detection name for a highly sophisticated, long-lived piece of malware/adware. It is backed by a huge distribution network and is made by highly skilled bad guys. At first sight, Swizzor looks like ordinary modern software. The malicious code is divided into small pieces, and a code generator distributes them throughout the whole file. This technique makes analysis and detection difficult.
Let’s look at Swizzor from the other side… What is the first thing a common user sees before running some file? Yes, it’s the icon. The icon is code-generated, just like the whole file, and here, among other things, the mathematical skill of the bad guys can be seen. As Swizzor evolves and each generation becomes harder to detect, the icon becomes more sophisticated too. It’s interesting to see bad guys producing nice art.