Win32/Swizzor is a very prevalent—and old—malware family having been around since at least 2002.  Over the years, ESET has collected millions of samples related to this family and we still receive hundreds of new ones every day.  Over the last two years, Win32/Swizzor has frequently shown up in our top ten lists of the most prevalent malware families. 

For all its prevalence, though, technical details about the Win32/Swizzor family are very hard to come by on the Internet.  One of the main reasons for this is because this threat protects its binary in such a complex fashion that it makes it hard to understand what exactly they do.  On average, the binary obfuscation executes 50 millions instructions before passing control to the original code.

In collaboration with Joan Calvet from the Ecole Polytechnique of Montreal, we have analyzed Win32/Swizzor from many different angles.  The results of our research were given in a presentation last weekend at the REcon 2010 conference.  This post is a basic overview of our findings, focusing on what this threat does and how you can tell if your PC is infected.

Win32/Swizzor is a complex piece of software that is made up of many different components.  The program’s main purpose is to deliver advertisements on infected PCs. Win32/Swizzor’s authors do not intall their adware on PCs themselves, instead they pay other groups to do this job for them through a pay-per-install scheme.

Much of the time, it is difficult to determine if a computer has been infected by Win32/Swizzor.  This is because this threat injects its code into Internet Explorer, so there are no running processes which are easily identifiable as belonging to Win32/Swizzor.  Furthermore, Win32/Swizzor uses random names for its file names, registry entries and other objects, meaning there is typically no “common set” to look for, unlike some other malware families.  In some cases, it is possible to find Swizzor-related files in the “Program Files” folder of a system.  The files often have strange icons such as the following:


 

Most of the time, users spot the infection when a new Internet Explorer window opens by itself containing an advertisement.  This threat delivers advertisement according to the location of the infected hosts, it is thus common to see specific advertisement per geographic region.  We have seen Win32/Swizzor deliver advertisements for the following type of websites:

  • Gambling
  • Computer hardware
  • Rogue antivirus

To protect yourself from this threat, we recommend using up to date antivirus and software.  We also recommend carefully reading license agreements when installing new software, as Win32/Swizzor is often installed by other applications as a “sponsor” program.

Pierre-Marc Bureau
Senior Researcher