Threat behavior
TrojanDownloader:Win32/Swizzor.CO is a trojan that contains limited backdoor functionality. Using this backdoor, Swizzor's controller can order the trojan to download and execute arbitrary files, display advertisements, and mediate the affected user's online experience by blocking access to particular hosts/domains.
Installation
When executed, Win32/Swizzor injects itself into the Internet Explorer process. Presumably this is to avoid detection by application-level firewalls and to hinder the trojan's removal.
Payload
Backdoor functionality
Win32/Swizzor downloads an encrypted configuration file from a specified domain. TrojanDownloader:Win32/Swizzor.CO has been observed contacting ayb.zone-media.com for this purpose. The downloaded configuration file can instruct the trojan to perform the following actions on an affected computer:
- Display advertisements
- Block specified hosts/domains
- Monitor Internet Explorer processes and capture data to send to a remote host (including URLs visited, metadata of visited pages, source of visited pages, etc.)
- Download and execute arbitrary files. Files are downloaded to the %temp% directory, where the filename is a combination of strings randomly selected from lists carried in the trojan's code. The following strings are used by the trojan in this manner:
1, 16, 2, 32, 4, 64, about, ace, acid, active, admin, aim, amen, amok, ante, anti, army, atom, audio, axis, axis, bags, bait, ball, balm, barb, base, bash, bat, beep, bend, bias, bib, bike, bin, bind, bird, bits, blah, bleh, blue, body, bold, bolt, bone, boob, book, bore, bows, browse, build, burn, byte, cake, camp, cash, cast, cdrom, chic, chin, city, clock, close, coal, comp, cool, copy, corn, creative, curb, dale, dart, dash, data, date, dead, deaf, debug, default, defy, delete, dent, does, dog, download, draw, drive, drv, dumb, dupe, dvd, each, eggs,
else, enc, error, exit, extra, face, fast, file, film, find, first, five, flag, flap, flaw, for, ford, fork, four, frag, free, funk, global, glue, gpl, gram, great, grey, grid, grim, heart, heck, help, hide, hold, hole, hope, htm, idle, idol, info, inside, inter, internet, intra, iso, itch, joy, jugs, jump, junk, keep, kind, knob, less, license, lies, link, list, lite, live, load, locks, log, logo, long, loud, love, mags, mail, manager, mapi, math, meal, media, meet, memo, meow, mess, meta, mfcd, mix, mode, more, move, mp3, mpeg, multi, name, new, noun, nurb, obj,
okay, once, one, online, ooze, open, option, owns, part, peak, phone, pile, ping, plan, platform, play, plus, poke, poll, pop, proc, program, proxy, pure, rdr, readme, real, rect, ref, regs, remote, road, roam, rule, safe, save, scr, second, sect, seek, send, settings, setup, shim, show, sign, site, sixth, size, skip, slow, soap, soft, software, spam, start, stop, store, stupid, style, support, surf, team, test, that, the, third, this, thunk, tick, time, title, tons, tool, trans, tray, trust, two, type, upload, user, vga, view, wait, warn, wave, way, web, win, window, wipe, wma
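As an added defender-side example (not part of this write-up), the following Python triage helper checks whether names in a %temp% listing can be built entirely from the fragment list above, which is how the trojan names the files it drops. The fragment subset embedded below, the function names, the two-fragment minimum and the sample listing are all constructed for illustration; the full list from the page substitutes directly.

```python
import os

# Subset of the filename fragments quoted in the write-up; the full list
# drops in unchanged. Numeric fragments are a notable false-positive source.
SWIZZOR_FRAGMENTS = frozenset("""
1 16 2 32 4 64 about active admin audio axis base bash bits blue body bold
book browse build byte cash cdrom clock close comp cool copy creative data
date debug default delete download draw drive drv dvd else error exit extra
face fast file find first flag free global help hide hold info inside inter
internet iso keep link list lite live load log logo mail manager mapi media
meta mix mode move mp3 mpeg multi name new online open option platform play
plus program proxy readme real remote safe save scr second settings setup
show site size soft software spam start stop store style support surf test
time title tool tray trust type upload user vga view wait web win window wma
""".split())

def fragment_split(stem, vocab=SWIZZOR_FRAGMENTS, min_parts=2):
    """Split a filename stem (extension removed) entirely into `vocab`
    fragments. Returns the fewest-part split, or None if the stem is not
    fragment-built or has fewer than `min_parts` (a lone "setup" is common)."""
    stem = stem.lower()                  # Windows names are case-insensitive
    best = [None] * (len(stem) + 1)      # best[i]: fewest-part split of stem[:i]
    best[0] = ()
    for i in range(1, len(stem) + 1):
        for j in range(i):
            if best[j] is not None and stem[j:i] in vocab:
                cand = best[j] + (stem[j:i],)
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    split = best[-1]
    if split is None or len(split) < min_parts:
        return None
    return list(split)

def suspicious_names(filenames, vocab=SWIZZOR_FRAGMENTS):
    """Map each filename whose stem is purely fragment-built to its split.
    A hit is a triage lead (check signer, hash, parent process), not a
    verdict: most fragments are ordinary English words."""
    hits = {}
    for name in filenames:
        stem, _ext = os.path.splitext(os.path.basename(name))
        parts = fragment_split(stem, vocab)
        if parts:
            hits[name] = parts
    return hits

# Constructed sample of a %temp% listing, not taken from a real host.
SAMPLE_TEMP_LISTING = ["datadownload.exe", "mp3mix.exe", "setup.exe",
                       "report_q3.pdf", "~DF1A2B.tmp"]
```

Short numeric fragments such as "2" and "4" mean that purely numeric names also segment, so pair a hit with the file's location, signer and parent process before acting on it.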
Analysis by Chun Feng
Prevention