The learning process of Swizzor

Michal Krejdl, 9 July 2009

As mentioned in the "Swizz with me" article, Swizzor is written by a group of highly skilled coders. They are always ready to improve the generator, to make the Swizzor binaries look more and more like ordinary applications linked with MSVC, and to make the detection of new variants harder and harder. The learning process so far can be summarised briefly:

  • the very first generation - there were no resources and the code obfuscation was plainly visible
  • the code obfuscation was diluted to make it less suspicious
  • first attempts to generate resources (an application with resources looks more serious)
  • inclusion of the CRT, together with a higher dilution of obfuscated code and encrypted data
  • more sophisticated generation of resources

What will follow?

The most recent step in Swizzor's evolution shows the effort to make the resource generation even better. Here are some screenshots taken from a Swizzor sample generated two weeks ago:

The generated text is not perfect, but it is good enough to fool simple statistical methods (all words have common lengths, the letters are well distributed - there are no suspicious repetitions, etc.). But it is not a known language, and more sophisticated methods can still discover it. What is the solution used by the Swizzor authors? An English dictionary - simple and effective. What can you see in the pictures below (taken from a Swizzor sample that arrived today)?
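To make the difference between "simple statistical methods" and a dictionary-aware check concrete, here is a small triage script added for this post (it is not code from the original article or from any Swizzor sample). The two input strings are constructed to mimic the two generator stages described above, and the tiny word list stands in for a full English dictionary; both are assumptions, not data from a real binary.

```python
"""Resource-string triage: the shallow statistical check beside a dictionary check."""
import re

# Constructed samples (not strings from any Swizzor binary): the first mimics the
# generated pseudo-text described above, the second the English-dictionary stage.
PSEUDO_TEXT = "tenar olise he rotinal sa dinet aloner tisho rene at solina terhon"
ENGLISH_TEXT = "Select color of the wireless folders and press the button to continue"

# Hypothetical tiny word list standing in for a real English dictionary.
WORD_LIST = {"select", "color", "of", "the", "wireless", "folders", "and", "press",
             "button", "to", "continue", "at", "he", "file", "open", "cancel"}
COMMON_LETTERS = set("etaoinshrdl")  # the most frequent letters in English text


def words(text):
    """Split a resource string into lowercase alphabetic tokens."""
    return re.findall(r"[a-z]+", text.lower())


def simple_stats(text):
    """Mean word length, share of common letters, share of the most frequent letter."""
    toks = words(text)
    if not toks:
        return 0.0, 0.0, 1.0  # empty input: treat as maximally suspicious
    letters = "".join(toks)
    mean_len = len(letters) / len(toks)
    common_share = sum(c in COMMON_LETTERS for c in letters) / len(letters)
    max_share = max(letters.count(c) for c in set(letters)) / len(letters)
    return mean_len, common_share, max_share


def looks_like_language(text):
    """The shallow check the pseudo-text is tuned to pass: English-like word
    lengths, common letters prevailing, no single letter dominating."""
    mean_len, common_share, max_share = simple_stats(text)
    return 3.0 <= mean_len <= 7.0 and common_share >= 0.6 and max_share <= 0.2


def dictionary_hit_rate(text, vocabulary=WORD_LIST):
    """Fraction of tokens that are real words; pseudo-text scores near zero."""
    toks = words(text)
    return sum(t in vocabulary for t in toks) / len(toks) if toks else 0.0


def classify(text, min_hit_rate=0.5):
    """Combined verdict: 'gibberish', 'pseudo-text' or 'plausible'."""
    if not looks_like_language(text):
        return "gibberish"
    return "plausible" if dictionary_hit_rate(text) >= min_hit_rate else "pseudo-text"


if __name__ == "__main__":
    for label, sample in (("pseudo", PSEUDO_TEXT), ("english", ENGLISH_TEXT)):
        print(label, simple_stats(sample), dictionary_hit_rate(sample), classify(sample))
```

Both samples pass the statistical check; only the dictionary hit rate separates the generated pseudo-text from the later English-word resources.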

There are "color", "folders", "wireless" and other English words. The dialogs are still quite ugly, but we can guess that improving them will be the next step in Swizzor's evolution. I'm quite curious which way the Swizzor authors will choose (fine-tuning the code or further improving the resources generator), but I'm also a bit afraid that they will end up with a perfect obfuscation.