
Security Research

A Haven For Swizzor

August 25, 2010 - 3 min read
Based on a comment, I modified the title to be versus DNSMADEEASY. Let me explain:
  • DNSMADEEASY provides the resolution / name services for the domains in question
  • Hurricane Electric / C2 Media provides the hosting / IP space (
  • Tucows is the registrar for the registered domain names
When I was doing the analysis I was looking at free/cheap DNS services and their abuse, which was why I fixated on the name resolution services, DNSMADEEASY. However, there are multiple players supporting this Swizzor infrastructure and it should be explained as such.

Update 2:
Also, after I published the post, I checked and found that the hostname portion of the domain does not seem to matter / affect the ability to download the binary payload. For example,
lets you download the binary (where "garbage" can be anything). It is likely that the hostname is used for tracking purposes to identify which sites / trojan packages are most successful. The fully-qualified domain names listed below are what was seen in the wild.

This may not be news for some of you, all it takes is a simple Google for something like host192-168-1-2.com malware. You’ll see a rich history of abuse from Trojan Swizzor ranging from 2009 to today:

host192-168-1-2.com is registered through Tucows and has resolution / name services provided through DNSMADEEASY. This robtex report shows the other related domains, each having a varying degree of abuse related to Swizzor:


Below is a brief list of recent domains used to host Trojan Swizzor payloads. Note the domains used / listed here include: host127-0-0-1.com, host192-168-1-2.com, host-domain-lookup.com, and host255-255-255-0.com:
All resolve to the Hurricane Electric IP:
Note, the active/live list we provide above is much more extensive than what is listed on MalwareURL, for example. The URL paths to the malware within the above domains include:

While they all have an "int" file extension, they are all PE32 executable files.

9kgen_up.int (Swizzor variant)
MD5: c79cd77012c848f93e0a8dfc28dee992
V/T (20/41)

upd_admn.int (Swizzor variant)
MD5: 43edfa7f55d4331ad2d3f5ca1bb4b999
V/T (22/42)

kr3.int (Swizzor variant)
MD5: ff7d4cbb6aa30bbf58d945e182700fb7
V/T (22/41)

tp_map16.int (Swizzor variant)
MD5: 599ebaed9e147ef8a0b6967dba2da040
V/T (24/42)

Swizzor is a Trojan that is typically installed via drive-by download or social engineering. It has the ability to interact with Internet Explorer through Browser Helper Objects (BHOs) to inject ads and to download/install other threats (for additional information see Microsoft's threat entry for Swizzor). In the particular variants that I downloaded, I saw C&C update activity to other related domains, e.g.,



I’m in the process of sending something along to Hurricane Electric / Tucows / DNSMADEEASY now, but you may want to check the logs in your environment for systems connecting to the mentioned domains. Here's a continuation of the above list of recent Swizzor domains:
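To make the log check above concrete, here is an added example (my own code, not from the original post or from Zscaler) that sweeps proxy log lines for the four registered domains named in the post and matches any hostname label in front of them, since, as noted in Update 2, the hostname portion did not affect the download. It also checks a downloaded file against the four MD5s listed above and flags files that carry the ".int" extension but start with the PE "MZ" header. The log format, the sample lines, and the function names are assumptions constructed for this example.

```python
import hashlib
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Registered domains named in the post. Any label in front of them reached the
# same payload, so matching must treat them as suffixes, not exact hostnames.
SWIZZOR_DOMAINS = {
    "host127-0-0-1.com",
    "host192-168-1-2.com",
    "host-domain-lookup.com",
    "host255-255-255-0.com",
}

# MD5s of the four payloads listed in the post, keyed to their file names.
SWIZZOR_MD5S = {
    "c79cd77012c848f93e0a8dfc28dee992": "9kgen_up.int",
    "43edfa7f55d4331ad2d3f5ca1bb4b999": "upd_admn.int",
    "ff7d4cbb6aa30bbf58d945e182700fb7": "kr3.int",
    "599ebaed9e147ef8a0b6967dba2da040": "tp_map16.int",
}

# Anchored suffix match: the hostname is either the domain itself or ends in
# ".<domain>". A lookalike such as host192-168-1-2.com.example.net must not match.
_DOMAIN_RE = re.compile(
    r"(?:^|\.)(" + "|".join(re.escape(d) for d in sorted(SWIZZOR_DOMAINS)) + r")$",
    re.IGNORECASE,
)


def matches_swizzor_domain(hostname: str) -> Optional[str]:
    """Return the registered Swizzor domain if hostname is it or a subdomain of it."""
    m = _DOMAIN_RE.search(hostname.strip().rstrip(".").lower())
    return m.group(1).lower() if m else None


def find_swizzor_hits(log_lines: Iterable[str]) -> List[dict]:
    """Scan proxy log lines of the assumed form
    '<timestamp> <client_ip> <method> <url> <status>' and return matches."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line; skip rather than crash
        ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        domain = matches_swizzor_domain(host)
        if domain:
            hits.append({"time": ts, "client": client, "host": host,
                         "domain": domain, "url": url})
    return hits


def classify_payload(data: bytes) -> Optional[str]:
    """Return the listed Swizzor file name whose MD5 matches data, else None."""
    return SWIZZOR_MD5S.get(hashlib.md5(data).hexdigest())


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' header every PE32 file carries,
    regardless of the extension the server handed out (".int" in the post)."""
    return data[:2] == b"MZ"


# Constructed sample log: one benign request, two Swizzor fetches (one with a
# throwaway hostname label), and one lookalike domain that must not match.
SAMPLE_LOG = """\
2010-08-25T10:01:02 10.0.0.5 GET http://www.example.com/index.html 200
2010-08-25T10:01:09 10.0.0.5 GET http://garbage.host192-168-1-2.com/files/9kgen_up.int 200
2010-08-25T10:02:41 10.0.0.7 GET http://host-domain-lookup.com/kr3.int 200
2010-08-25T10:03:00 10.0.0.9 GET http://host192-168-1-2.com.example.net/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_swizzor_hits(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['domain']} via {hit['host']}")
```

Run as-is it reports the two Swizzor fetches and ignores the lookalike; point `find_swizzor_hits` at your own proxy or DNS log after adjusting the field positions to your format. Matching on the registered domain as a suffix is what catches the tracking hostnames the post describes, and the MD5 set only ever identifies the exact four samples listed, so treat a hash miss as "unknown", not "clean".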