Win32:Andras is simple file infector, that looks for exe files and adds its body to the last section. The entry point is a bit obfuscated, but the code flow is well understandable.
As mentioned in “Swizz with me” article, Swizzor is written by a group of highly skilled coders. They are always ready to improve the generator, make the Swizzor binaries more and more similar to common applications linked with MSVC and make the detection of new variants harder and harder. I can shortly describe the learning process:
- the very first generation – there were no resources and the obfuscation of code was nicely visible
- the code obfuscation was diluted to make it less suspicious
- first attempts to generate resources (an application with resources looks more seriously)
- inclusion of CRT and a higher dilution of obfuscated code and encrypted data
- more sophisticated generation of resources
What will follow?
Swizzor is the detection name for a highly sophisticated, long lived piece of malware / adware. It’s based on a huge distribution network and is made by highly skilled bad-guys. At first sight, Swizzor looks like the usual modern software. The bad code is divided into small pieces and is distributed in the whole file by some code-generator. This technique makes analysis and detection difficult.
Let’s look at Swizzor from the other side… What is the first thing the common user sees before running some file? Yes, it’s an icon. The icon is code-generated as well as the whole file. And here inter alia can be seen the mathematical skill of the bad-guys. As Swizzor evolves and each generation becomes harder to detect, the icon becomes more sophisticated too. It’s interesting to see bad-guys producing nice art.