The End of Win32/Swizzor?

It appears that the group behind the Win32/Swizzor malware family has put an end to their operation. This malware family has been around since 2002. Security companies have seen hundreds of thousands of unique binaries classified as this family, which was installed on PCs through "affiliate" programs. The malware is used to display unsolicited advertisements on infected systems. Win32/Swizzor is known among security researchers for aggressively trying to evade detection through code obfuscation, frequent updates, and anti emulation tricks. For example, the obfuscated code would often execute up to 100 million CPU instructions before reaching unpacked code.

In February, we started seeing a decrease in reports of Win32/Swizzor infections. Further investigation shows that the servers used by this malware family have stopped distributing new malicious binaries. Most affiliates that were distributing Win32/Swizzor have either stopped operating or have moved to something else. For example, a majority of links from the cash4downloads website are now broken. The last couple of files which can still be downloaded from there are unable to install Win32/Swizzor and display the error message shown in the image below.

  Download error while installing affiliate software  

We do not think the disparition of Win32/Swizzor has anything to do with the recent Rustock takedown by Microsoft.  Both malware operations were different and did not end at the same time.  It is hard to say exactly what prompted the Win32/Swizzor operators to stop but it is a possibility that they did not appreciate the public attention they started receiving in 2010. To our knowledge, our REcon presentation was the first time their obfuscation techniques were detailed, and part of their operation was publicly exposed as a consequence of this analysis.  

Pierre-Marc Bureau

Senior Malware Researcher

Author Pierre-Marc Bureau, ESET

  • Yegor

    The article is broken:

    • David Harley

      No problem from here?

Follow us

Copyright © 2018 ESET, All Rights Reserved.