The Interesting Case of the Induc Virus
In 2009, the Induc virus was the top new malicious code sample observed by Symantec worldwide. Notably, Induc does not actually do anything strictly malicious; all it does is propagate. No keystroke logging, no spam sending abilities, no ad clicking, and no destruction of data.
So what makes this virus interesting? All Induc does is propagate, but only on developers’ computers. Specifically, it does not do anything unless it detects an installation of versions 4 through 7 of the Delphi® development environment. Delphi is a variant of the Pascal programming language originally developed by Borland and is meant to facilitate the development of applications for the Microsoft Windows platform. The targeted versions of Delphi were released between 1998 and 2002, but are still in wide use throughout the developer community.
Induc has been dubbed the “Compile-a-virus” by some, due to the way it propagates. This is because it rebuilds the “sysconst.dcu” file in Delphi installations so that all further output of the Delphi compiler reproduces the virus. Specifically, Induc propagates as follows: a developer of a Delphi-based application gets infected with Induc; they build a new release of their application; the new release gets distributed to their customers; some of the customers are also developers, and they get infected; repeat ad infinitum.
The successful spread of Induc is due in part to the virus traveling through trusted channels of legitimate software distribution. Technically savvy users who follow safe, and usually secure, computing practices have still been infected by this virus.
This propagation cycle is discussed as far back as 1984, in a paper by Ken Thompson, titled, “Reflections on Trusting Trust.” In it, the author describes a method of inserting a back door into a compiler that results in the propagation of malicious code through its output that cannot be detected by examining the source code of the compiler or of the application being compiled. (Another blogger made this connection in August 2009, and the paper is well worth reading for anyone interested in computer security.)
What makes Induc worth discussing, even though it appears to be completely innocuous, is that it was so successful at propagating. The method of altering a compiler in order to inject malicious code into applications has been well known for more than 25 years, but there are very few instances of it being used, mostly because a successful compromise would entail hooking into the compiler from scratch. In this case, Induc is extremely hard to detect without antivirus solutions in place. This is because the resulting code output was a valid executable with no after-the-fact tampering to modify it, as is the case with usual viruses. Thus, lacking any signs of infection, no public notifications occurred for a long time—and, therefore, no signatures either. Once there were finally signatures, antivirus was basically the only way, short of manually checking, to find the infection. It has also been estimated that the virus was in the wild for as much as a year prior to being openly discovered. Developers are, by definition, more advanced users, and potentially more cautious as well, and they are the ones affected in this instance. The success of Induc in 2009 has put this propagation method firmly on the radar of malicious software authors everywhere.
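The "manual check" mentioned above can be scripted as an integrity baseline of the compiler's library units, so that a rebuilt sysconst.dcu shows up as a change even though the executables it produces look valid. The following Python is an added example, not code from Symantec or the original post; the Lib directory layout and file contents are constructed stand-ins, not real Delphi units.

```python
import hashlib
import tempfile
from pathlib import Path

# The compiled unit Induc rewrote in Delphi 4 through 7 installations (named on the page).
WATCHED_UNIT = "sysconst.dcu"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large units are hashed without loading whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(lib_dir: Path) -> dict:
    """Map every compiled unit (*.dcu) under the Delphi Lib directory to its hash.
    Names are lower-cased because Windows file names are case-insensitive."""
    return {p.name.lower(): sha256_of(p) for p in sorted(lib_dir.rglob("*.dcu"))}


def compare_manifest(baseline: dict, current: dict) -> dict:
    """Report units that changed, appeared or vanished since the baseline was taken,
    and flag specifically whether the unit Induc targets was touched."""
    changed = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {
        "changed": changed,
        "added": added,
        "missing": missing,
        "watched_unit_modified": WATCHED_UNIT in changed or WATCHED_UNIT in missing,
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake Lib directory, then simulate sysconst.dcu
    being rebuilt by something other than the vendor installer."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"
        lib.mkdir()
        (lib / "SysConst.dcu").write_bytes(b"constructed stand-in for sysconst unit")
        (lib / "SysUtils.dcu").write_bytes(b"constructed stand-in for sysutils unit")
        baseline = build_manifest(lib)  # taken right after a clean install
        (lib / "SysConst.dcu").write_bytes(b"constructed stand-in plus injected init code")
        return compare_manifest(baseline, build_manifest(lib))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a fresh vendor install and stored off the build host, then re-checked before each release build.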
The success of Induc may mean that malicious software authors will be looking into other development environments, as Delphi is by no means unique in being susceptible to this attack. They might attempt to propagate a truly malicious threat by this means. A sophisticated, stealthy virus, propagating through a popular development environment, has the potential to have severe consequences. It can be very difficult to achieve all that is required for this type of malicious threat to succeed given all the steps involved, but this should not discount the possibility that other such threats are being developed by malicious code authors.
For more information about the Induc virus and malicious code trends in general for 2009, please see the latest volume of the Symantec Global Internet Security Threat Report.