Monday, December 8, 2008

Catching Swizzor

Users of ClamAV’s cutting edge SVN release may have noticed that on 2nd December we added heuristic support to catch the Swizzor Trojan.

Released in late 2004, Swizzor downloads adware and other Trojans and installs them on the infected machine. Merely browsing websites can infect a PC that is not properly patched or protected.

You may have been wondering why we decided to include a heuristic algorithm in the engine rather than continue writing signatures to catch it. Swizzor is clever in that it changes itself very frequently and can mimic standard (and therefore clean) Windows programs. There are nearly 1000 signatures for Swizzor in the ClamAV signature database, yet nearly four years after it was written we are still receiving undetected samples.

By writing an algorithm to detect Swizzor and building that algorithm into the ClamAV anti-virus engine, we save a lot of effort writing signatures, and new variants are caught as soon as they are created. So far we have found no sign of false positives from the algorithm.

The variant of Swizzor that has been in the wild since early 2008 has proven particularly difficult to find because it scatters almost random strings throughout itself. We hit upon the idea of detecting Swizzor's variants by analyzing these strings in the program. Although the strings are gibberish, they looked to us as though they were automatically generated. At first we thought these near-random strings would be impossible to detect, but after careful examination of the strings' n-grams we were quickly able to generate a heuristic rule by building a decision tree using data mining.
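To make the idea concrete, here is an added illustration (not the ClamAV code in special.c) of the approach: pull printable strings out of a binary, score each string by how many of its letter bigrams never occur in a small clean reference corpus, and run a hand-written two-level decision tree over the resulting per-file features. The reference corpus, the sample buffers and the thresholds are all constructed for the demo and are assumptions, not values mined from real Swizzor samples.

```python
import re
from collections import Counter

# Constructed stand-in for the "known clean" string corpus a decision tree would be mined
# from (not the ClamAV training data; just enough common PE strings to make the demo run).
REFERENCE = (
    "this program cannot be run in dos mode kernel32 dll user32 dll advapi32 dll "
    "get proc address load library exit process create file write file read file "
    "close handle virtual alloc message box window class software microsoft windows "
    "current version run registry key value string module file name path directory"
)
REF_BIGRAMS = Counter(a + b for w in REFERENCE.split() for a, b in zip(w, w[1:]))

# Constructed sample buffers: a PE-like header followed by typical import strings;
# the second one also carries machine-generated-looking junk strings.
HEADER = b"MZ\x90\x00" + b"\x00" * 8
CLEAN_SAMPLE = HEADER + (b"This program cannot be run in DOS mode.\x00KERNEL32.dll\x00"
                         b"GetProcAddress\x00LoadLibraryA\x00ExitProcess\x00")
SUSPICIOUS_SAMPLE = HEADER + (b"KERNEL32.dll\x00GetProcAddress\x00qzxkvjplrwtb\x00"
                              b"hkfzqwvxpt\x00vjqxzkwbgtp\x00zxqvkjhwtp\x00LoadLibraryA\x00")

def extract_strings(data, min_len=6):
    """Runs of printable ASCII at least min_len long, like the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def unseen_bigram_ratio(s):
    """Fraction of within-word letter bigrams in s that never occur in REFERENCE."""
    pairs = [w[i:i + 2] for w in re.findall(r"[a-z]+", s.lower()) for i in range(len(w) - 1)]
    if not pairs:
        return 0.0
    return sum(1 for p in pairs if p not in REF_BIGRAMS) / len(pairs)

def string_features(strings):
    """Per-file features over the extracted strings (the attributes a tree splits on)."""
    junk = [s for s in strings if unseen_bigram_ratio(s) >= 0.5]
    return {"n_strings": len(strings), "n_junk": len(junk),
            "junk_fraction": len(junk) / len(strings) if strings else 0.0}

def classify(data):
    """Hand-written two-level decision tree; thresholds are illustrative, not ClamAV's."""
    f = string_features(extract_strings(data))
    if f["n_junk"] >= 3 and f["junk_fraction"] >= 0.3:   # split on count, then on share
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    for name, buf in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, string_features(extract_strings(buf)), "->", classify(buf))
```

A real rule would be mined from many clean and infected samples rather than hand-set, and the clean corpus would have to be large enough that legitimate short identifiers do not score as junk.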

The algorithm built into ClamAV shows over 83% detection rate on Trojan.Swizzor.Gen with no false positives, but the battle carries on to improve the detection rate even further.

4 comments:

  1. Is the blog a new thing? If so – congrats on launching and what a great idea.

  2. That's great!

    Could you please direct me to the function that does the trick?

  3. The code is in special.c, look for _swizz_

  4. The file is special.c, look for _swizz_.
