Threat Research

Swizz with me

Threat Intelligence Team, 3 July 2009

Swizzor is the detection name for a highly sophisticated, long-lived piece of malware / adware. It relies on a huge distribution network and is made by highly skilled bad-guys. At first sight, Swizzor looks like ordinary modern software: the malicious code is split into small pieces and scattered throughout the whole file by a code generator. This technique makes both analysis and detection difficult.

Let's look at Swizzor from the other side... What is the first thing the common user sees before running some file? Yes, it's the icon. The icon is code-generated, just like the rest of the file, and here, among other things, the mathematical skill of the bad-guys can be seen. As Swizzor evolves and each generation becomes harder to detect, the icon becomes more sophisticated too. It's interesting to see bad-guys producing nice art.

Swizzor icon - 1st generation

Swizzor icon - 2nd generation

Current Swizzor icon