Understanding Swizzor's Obfuscation Scheme

Joan Calvet (1), Pierre-Marc Bureau
(1) CARTE - Theoretical adverse computations, and safety, Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
Abstract: Swizzor is a malware family that was first seen on the Internet in 2002 and, since then, researchers have collected millions of different binary samples. The reason so many different files exist is that Swizzor uses strong server-side binary obfuscation to evade antivirus detection and slow down manual reverse engineering. In this talk, we present a set of tools and techniques we have developed to understand and defeat Swizzor's binary protection. Upon execution, the custom packer runs through more than 40 million instructions before reaching any useful code. To deal with this, we created a tracing framework that builds a comprehensive timeline of the process execution, including memory modifications. We also created visualisation tools to quickly identify key elements of the unpacking process without having to read a single assembly instruction. We built an inference engine to automatically identify known patterns in memory, such as decryption keys, useless values and the control structures used by the packer. By taking into account the memory accesses and the modifications made to the code, we were able to bypass its traditional syntactic obfuscation. We thus achieved a comprehensive understanding of the unpacking process and were able to reduce the need for manual analysis of new binaries. To the best of our knowledge, no one has deeply investigated the Swizzor malware family and its ties to shady advertisement companies. We explain how Swizzor and its adware components are installed by affiliation programs to finance the development of well-known applications. We show the communication protocol used by Swizzor to fetch binary updates and how different packages are deployed depending on the affiliation program.
Document type: conference paper
REcon, Jul 2010, Montréal, Canada. 2010

https://hal.inria.fr/inria-00536718
Contributor: Joan Calvet
Submitted on: Tuesday 16 November 2010 - 18:07:58
Last modified on: Thursday 11 January 2018 - 06:21:25

Identifiers

  • HAL Id: inria-00536718, version 1

Citation

Joan Calvet, Pierre-Marc Bureau. Understanding Swizzor's Obfuscation Scheme. REcon, Jul 2010, Montréal, Canada. 2010. 〈inria-00536718〉
