It appears that the group behind the Win32/Swizzor malware family has put an end to their operation. This malware family has been around since 2002. Security companies have seen hundreds of thousands of unique binaries classified as this family, which was installed on PCs through "affiliate" programs. The malware is used to display unsolicited advertisements on infected systems. Win32/Swizzor is known among security researchers for aggressively trying to evade detection through code obfuscation, frequent updates, and anti-emulation tricks. For example, the obfuscated code would often execute up to 100 million CPU instructions before reaching unpacked code.

In February, we started seeing a decrease in reports of Win32/Swizzor infections. Further investigation shows that the servers used by this malware family have stopped distributing new malicious binaries. Most affiliates that were distributing Win32/Swizzor have either stopped operating or have moved to something else. For example, a majority of links from the cash4downloads website are now broken. The last couple of files which can still be downloaded from there are unable to install Win32/Swizzor and display the error message shown in the image below.

[Image: Download error while installing affiliate software]

We do not think the disappearance of Win32/Swizzor has anything to do with the recent Rustock takedown by Microsoft. Both malware operations were different and did not end at the same time. It is hard to say exactly what prompted the Win32/Swizzor operators to stop, but it is a possibility that they did not appreciate the public attention they started receiving in 2010. To our knowledge, our REcon presentation was the first time their obfuscation techniques were detailed, and part of their operation was publicly exposed as a consequence of this analysis.

Pierre-Marc Bureau

Senior Malware Researcher