Understanding Swizzor's Obfuscation Scheme presented at REcon 2010

by Joan Calvet, Pierre-Marc Bureau

URL: http://www.recon.cx/2010/slides/Recon2010-UnderStaningSwizzorObfuscation.pdf

Summary: Swizzor is a malware family that was first seen on the Internet in 2002 and, since then, researchers have collected millions of different binary samples. The reason so many different files exist is that Swizzor uses strong server-side binary obfuscation to evade antivirus detection and slow down manual reverse engineering.
In this talk, we will present a set of tools and techniques we have developed to understand and defeat Swizzor's binary protection. Upon execution, the custom packer goes through more than 40 million instructions before reaching any useful code. To deal with this, we created a tracing framework which builds a comprehensive timeline of the process execution, including memory modifications.
We also created visualisation tools to quickly identify key elements of the unpacking process without having to read any assembly instructions. We have built an inference engine to automatically identify known patterns in memory such as decryption keys, useless values and control structures used by the packer. By taking into account the memory accesses and modifications of the code, we were able to bypass its traditional syntactic obfuscation. We thus achieved a comprehensive understanding of the unpacking process and were able to reduce the need for manual analysis of new binaries.
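The abstract describes a tracing framework that records execution together with memory modifications and then finds the point where the packer hands over to decrypted code. The following added example (not the authors' tool, which the slides describe; this is an illustration written for this page) shows the core of that idea on a constructed, hypothetical trace: each record carries the instruction pointer and any memory write, the analysis builds a write timeline, and the first instruction fetched from a byte the process itself wrote earlier is reported as the candidate entry into unpacked code, along with the written regions that a visualisation would plot. The `Step` record format, the addresses and the sample trace are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Step:
    """One executed instruction from a trace (constructed record format, not the talk's)."""
    eip: int
    write_addr: Optional[int] = None  # first byte written by this instruction, if any
    write_size: int = 0               # number of bytes written


def coalesce(addrs) -> List[Tuple[int, int]]:
    """Merge individual byte addresses into half-open [start, end) regions."""
    regions: List[Tuple[int, int]] = []
    for a in sorted(addrs):
        if regions and regions[-1][1] == a:
            regions[-1] = (regions[-1][0], a + 1)
        else:
            regions.append((a, a + 1))
    return regions


def analyse(trace: List[Step]) -> dict:
    """Build a write timeline and locate the first write-then-execute transition."""
    written: Dict[int, int] = {}               # byte address -> index of the step that last wrote it
    events: List[Tuple[int, str, int]] = []    # (step index, event kind, address) timeline
    first_w2x: Optional[dict] = None
    for i, step in enumerate(trace):
        # Executing from a byte the process wrote earlier: we have reached unpacked code.
        if step.eip in written:
            events.append((i, "exec_written", step.eip))
            if first_w2x is None:
                first_w2x = {"step": i, "eip": step.eip, "written_at_step": written[step.eip]}
        # Record every byte this instruction modified so later fetches can be matched against it.
        if step.write_addr is not None and step.write_size > 0:
            for b in range(step.write_addr, step.write_addr + step.write_size):
                written[b] = i
            events.append((i, "write", step.write_addr))
    return {
        "instructions_before_unpacked_code": first_w2x["step"] if first_w2x else len(trace),
        "first_unpacked_eip": first_w2x["eip"] if first_w2x else None,
        "written_regions": coalesce(written),   # what a memory-map visualisation would draw
        "events": events,
    }


# Constructed sample trace (hypothetical addresses): a small decryption loop in a stub at
# 0x401000 writes two dwords to 0x402000 and then jumps into the freshly written code.
SAMPLE_TRACE = [
    Step(0x401000),                 # mov ecx, <length>
    Step(0x401002, 0x402000, 4),    # decrypt and store first dword
    Step(0x401007, 0x402004, 4),    # decrypt and store second dword
    Step(0x40100C),                 # loop / jmp 0x402000
    Step(0x402000),                 # first instruction of the unpacked code
    Step(0x402003),
]

if __name__ == "__main__":
    result = analyse(SAMPLE_TRACE)
    print("instructions before unpacked code:", result["instructions_before_unpacked_code"])
    print("first unpacked eip: 0x%x" % result["first_unpacked_eip"])
    print("written regions:", [(hex(s), hex(e)) for s, e in result["written_regions"]])
    for idx, kind, addr in result["events"]:
        print(f"step {idx:>3}  {kind:<13} 0x{addr:x}")
```

On a real trace the instruction count before the first write-then-execute transition is the figure the abstract quotes in the tens of millions; the per-step write list is what makes such a trace large, which is why the talk emphasises building a timeline rather than reading instructions one by one.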
To the best of our knowledge, no one has deeply investigated the Swizzor malware family and its ties to shady advertisement companies. We will explain how Swizzor and its adware components are installed by affiliation programs to finance the development of well-known applications. We will show the communication protocol used by Swizzor to fetch binary updates and how different packages are deployed depending on the affiliation program.