Proactive IT Security
A blast from the past – the source code virus Induc.A

Some days ago, Andreas Marx (of av-test.org) sent a copy of a new virus to all antivirus companies, with a warning that infected files had been found on some magazine CDs/DVDs. True enough, the virus was new to the attention of antivirus companies. The virus was W32/Induc.A. This is something of a rarity: it is a source code infector. These viruses do not propagate directly from machine to machine, nor do they attach themselves directly to executables found on the victim machine. Instead, they try to use programming environments they encounter by somehow inserting their own source code (e.g. C or Pascal) into existing innocent code.

A new kind of virus?

No. Nope. Not at all. This kind of virus is almost as old as the computer virus problem itself. On operating systems like Linux, C compilers are part of the standard setup, and malware for these platforms often comes as source code to be compiled locally.

On the PC platform, script/macro viruses have done this for years, though one may argue that these are special cases since no explicit compiler is targeted. However, a few source code viruses targeting compilers like C, Pascal, or assembler were created in the early 90s, mostly as proof-of-concept. These viruses never had much success due to the lack of people with build environments.

This particular virus, Induc.A, has been very “successful”: it has existed since at least around December 2008, silently infecting files without anyone noticing. How is this possible?

The first reason the virus has not been noticed is that it does not touch any of the files that are normally under scrutiny by security tools. Instead it replaces a file in the popular Delphi programming environment with itself. This file, sysconst.pas, is compiled into a file called sysconst.dcu and imported into almost all Delphi projects. From then on, the programmers themselves create new infected files without knowing it.
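The defensive counterpart to this mechanism is to treat the compiler's own library directory as a protected asset rather than trusting it implicitly: record cryptographic hashes of the library sources and compiled units while the environment is known-good, and re-verify them before every build. The script below is an added example written for this post, not code from the original article or from any Delphi tooling; the `Lib` directory layout, the file contents and the tampering step are all constructed for the demonstration and are not Delphi's real files.

```python
"""Build-toolchain integrity check (added example, not from the original post).

A source code infector like Induc.A rewrites a library source file in the
compiler installation so that it is recompiled into the unit every project
imports. A hash manifest of that directory, taken while it is known-good,
turns such a silent replacement into a visible difference at the next build.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, streamed so large compiled units do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(lib_dir: Path, suffixes=(".pas", ".dcu")) -> dict:
    """Hash every library source (.pas) and compiled unit (.dcu) under lib_dir.

    Keys are paths relative to lib_dir so the manifest can be stored and
    compared independently of where the environment is installed.
    """
    manifest = {}
    for p in sorted(lib_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            manifest[p.relative_to(lib_dir).as_posix()] = file_sha256(p)
    return manifest


def verify_manifest(lib_dir: Path, baseline: dict) -> dict:
    """Compare the current state of lib_dir with a baseline manifest.

    Returns lists of 'modified', 'missing' and 'added' files. Any non-empty
    list means the build environment should not be trusted until the
    difference is explained (a vendor update, or something else).
    """
    current = build_manifest(lib_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> tuple:
    """Constructed scenario: baseline a clean library dir, then alter sysconst.pas.

    Returns (result_before_change, result_after_change).
    """
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"  # hypothetical compiler library directory
        lib.mkdir()
        # Constructed placeholder contents, not the real Delphi units.
        (lib / "sysconst.pas").write_text("unit SysConst;\ninterface\nimplementation\nend.\n")
        (lib / "sysconst.dcu").write_bytes(b"\x00constructed-compiled-unit\x00")
        (lib / "sysutils.pas").write_text("unit SysUtils;\ninterface\nimplementation\nend.\n")

        baseline = build_manifest(lib)
        clean = verify_manifest(lib, baseline)

        # Simulate the class of change a source code infector makes: the
        # library source is rewritten in place. The content is arbitrary here.
        (lib / "sysconst.pas").write_text("unit SysConst;\n{ changed }\ninterface\nimplementation\nend.\n")
        tampered = verify_manifest(lib, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", json.dumps(before))
    print("after: ", json.dumps(after))
```

In practice the baseline manifest would be written once from a freshly installed, known-good environment and stored somewhere the build machine cannot modify; checking it in a pre-build step is what makes a replaced `sysconst.pas` visible even though the resulting executables look perfectly legitimate. Note that the `.dcu` is legitimately regenerated whenever the source changes, so the `.pas` hash is the one that matters most for spotting tampering rather than a routine rebuild.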

The second reason it has not been noticed is that it has no additional payload. It does not download anything and does not attempt to contact any entity outside the infected PC. The act of injecting itself into the Delphi environment is quickly done and requires no further resources on the computer.

The third reason has to do with trust: “I’ve just compiled this file, so I know it is clean.” A lot of these infected files have been digitally signed and/or come from serious software producers, and are thus treated with a lot more trust than run-of-the-mill executables. The files do what they are supposed to, their little side effect notwithstanding, so no one has raised any alarm.

It just goes to show that no software is entirely safe, even if the sources seem legitimate.
