Closer look at Swizzor

We were analysing a recent version of Swizzor, an adware which Avira detects as TR/Dldr.Swizzor.Gen, and after getting past the first encryption layers of the software we stumbled upon a few interesting strings in the malware. Quite obviously it installs a browser helper object (BHO, an Internet Explorer plug-in) which performs some form of search hijacking.

When users get infected with Swizzor, they usually experience a redirected start page and a few pop-ups with advertisements for online poker or potency pills. In the Swizzor sample we analysed, we found the following strings, which correspond to those ads:

Casino Online
Web Hosting|hosting
Antivirus
Penis Enlargement|Penis Enlargement Pill
Adult Education
Buy Adipex
Live Video Feeds
Christian dating
Inkjet Cartridge
Playstation

Swizzor downloads further software. It also seems prepared for the case that it is not running with administrative rights on the system, as another message concealed within the malware reads:

CiD:  An important update is available to your CiD
sponsor software and must be run as administrator.
Please press 'YES' to proceed.  If you press 'NO'
you will be reminded again in a few hours.
If instead you prefer to remove the sponsor software,
download and run this universal uninstaller:
http://*****lp.com/uninstall.exe

Different Swizzor samples contain different messages and links. The malware is also highly polymorphic.

The Swizzor sample also contains a lengthy list of URLs which it blocks via the Windows hosts file by redirecting them to localhost (127.0.0.1). Interestingly, those URLs all point to FakeAV or RogueAV sites. It is as yet unclear why it does that, as FakeAV does not detect real malware or adware. Perhaps the RogueAV malware interferes with the search hijacking.
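The hosts-file manipulation described above is straightforward to check for. The following script is an added example and not part of the original post or of Avira's tooling: it parses a hosts file and reports every hostname mapped to a loopback or null address other than the standard localhost entries. It goes slightly beyond the sample described here by also treating 0.0.0.0 and ::1 as sink addresses. The embedded hosts file and its `.invalid` domain names are constructed placeholders, not real indicators from the sample.

```python
"""Flag hosts-file entries that sink hostnames to localhost, the technique
described for Swizzor above. Added example, not Avira's or Swizzor's code."""

# Addresses an adware or malware might use to null-route a domain.
# The Swizzor sample uses 127.0.0.1; 0.0.0.0 and ::1 are added here as a
# generalisation (assumption, not something the post reports).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Hostnames that legitimately map to loopback in a default Windows hosts file.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file: the first lines mirror the Windows defaults,
# the '.invalid' entries imitate injected block rules, and the last line is a
# benign LAN mapping that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   fakeav-example.invalid   # injected
127.0.0.1   rogueav-example.invalid
0.0.0.0     another-example.invalid
192.168.1.10    fileserver.lan
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments (everything after '#') and blank lines are skipped; a single
    line may map one address to several hostnames.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_entries(text, allowed_names=DEFAULT_LOOPBACK_NAMES):
    """Return (line_no, ip, hostname) for hostnames sunk to a loopback/null
    address that are not the standard localhost names."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if ip in SINK_ADDRESSES and name not in allowed_names:
            hits.append((line_no, ip, name))
    return hits


def scan_file(path):
    """Scan a hosts file on disk; encoding errors are tolerated because the
    Windows hosts file is occasionally saved with a BOM or odd bytes."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    import sys
    # Default to the usual Windows location; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers\etc\hosts"
    try:
        results = scan_file(target)
    except OSError as exc:
        print(f"could not read {target}: {exc}; scanning embedded sample instead")
        results = suspicious_entries(SAMPLE_HOSTS)
    for line_no, ip, name in results:
        print(f"line {line_no}: {name} -> {ip}")
    print(f"{len(results)} suspicious entries")
```

Any hit from this check deserves a look: a default Windows hosts file maps nothing but localhost to loopback, so additional sink entries usually mean something has been tampering with name resolution, whether to block competing adware sites as the sample does or for other purposes. Reviewing the list of affected hostnames tells you which sites the machine can no longer reach.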

It seems that Swizzor is often bundled as an advertising add-on with otherwise legitimate software. We are convinced, though, that this privacy breach is unwanted by our users. We also see reports on the net from users who are victims of a Swizzor infection and did not knowingly download such "sponsored software", but installed it, for example, with the "Windows Live Messenger" add-on "Windows Live Plus! Messenger", where users can choose whether or not to install the "sponsor software".

Always keep an eye on whether the software you are about to install really is free or installs further components on your computer. Hints pointing to such add-ons can usually be found in the software's EULA.

Moritz Kroll
Engine Research & Development

Dirk Knop
Technical Editor