Understanding Swizzor's Obfuscation Scheme

Presented at REcon 2010, July 9, 2010, 5:30 p.m. (60 minutes).

Swizzor is a malware family that was first seen on the Internet in 2002 and, since then, researchers have collected millions of different binary samples. The reason so many different files exist is that Swizzor uses strong server-side binary obfuscation to evade antivirus detection and slow down manual reverse engineering. In this talk, we will present a set of tools and techniques we have developed to understand and defeat Swizzor's binary protection. Upon execution, the custom packer goes through more than 40 million instructions before reaching any useful code. To deal with this, we created a tracing framework which builds a comprehensive timeline of the process execution, including memory modifications. We also created visualisation tools to quickly identify key elements of the unpacking process without having to read any assembly instruction. We have built an inference engine to automatically identify known patterns in memory such as decryption keys, useless values and control structures used by the packer. By taking into account the memory access and modification of the code, we were able to bypass its traditional syntactic obfuscation. We thus achieved a comprehensive understanding of the unpacking process and were able to reduce the need for manual analysis of new binaries. To the best of our knowledge, no one has deeply investigated the Swizzor malware family and its ties to shady advertisement companies. We will explain how Swizzor and its adware components are installed by affiliation programs to finance the development of well known applications. We will show the communication protocol used by Swizzor to fetch binary updates and how different packages are deployed depending on the affiliation program.


Presenters:

  • Pierre-Marc Bureau
    Pierre-Marc Bureau is senior researcher at antivirus company ESET. In his position, he is responsible of investigating trends in malware and finding effective techniques to counter these threats. Prior to joining ESET, Pierre-Marc Bureau worked for a network security company where he was senior security analyst. Pierre-Marc Bureau finished his Master degree in computer engineering at Ecole Polytechnique of Montreal in 2006. His studies focused mainly on the performance evaluation of malware. He has presented at various international conferences including Recon, Infosec, and Virus Bulletin. His main interests lie in reverse engineering, application and network security.
  • Joan Calvet
    Joan Calvet is a Ph.D. student at the High Security Lab in LORIA (Nancy, France) and the SecSI Lab at the Ecole Polytechnique of Montreal. His main interests lie in malware analysis, reverse engineering, and software security.

Links:

Similar Presentations: