(Win32/)Induc-tive Reasoning

I was passed a query from a journalist in the UK about Win32/Induc.A, the Delphi infector both Randy and I have blogged about previously, asking whether ESET has figures supporting my contention that this "harmless" malware actually has the potential to cause significant damage, as he had seen no reports of "even minor disruption."

While we do have statistics from our Threatsense.net technology, we don’t give out absolute numbers for malware detections, as that sort of statistic is more confusing than helpful. The feedback mechanism involves a large but self-selecting population of ESET-protected machines, and doesn’t necessarily reflect the situation among the total population of PCs accurately: it’s never more than a trend indicator, so any extrapolation to a global figure is guesswork.

However, I can tell you (as I told him) that when we added detection of Induc.A to our products, ThreatSense.Net came in with 30,000 detection reports in 24 hours. In the UK, it accounted for 0.26% of detections in August, putting it at number 51: worldwide, it scored 0.39%, putting at number 37. That’s still a pretty significant figure, though, for a recently added detection.

As of somewhere around 2.45 on Monday, 7th September, Win32/Induc.A represented 0.64% of our worldwide detections for September so far, which putting it at number 22 in the rankings at that time. That’s as compared to 4.11% for INF/Autorun, which was the top-ranked detection. For the UK, though, the ranking was significantly less: 0.40%, at number 36. Nonetheless, incidence is increasing worldwide and in the UK. 

You have to remember, though, that this is a measure of detections of infected files, not of disruption, whatever you may understand by that: that can’t really be calculated from this automated service.

  • Some of those detections will be Trojans in their own right that happen to be infected with Induc.A because they were compiled with an infected version of Delphi.
  • Some will be detections of programs that the user hasn’t tried to run, or weren’t installed because Induc was detected.
  • Many will be installations that cause minor inconvenience rather than major loss of functionality, which I guess is what the journalist was getting at. 

If you look back at my recent blog post, you’ll see that the blog isn’t about a scaremongering "thousands of machines will be put out of commission" prediction, it’s about the fact that there are a lot of infected files out there (and I think the figures speak for themselves on that).

However, in most cases, removal of those files won’t cause major damage. The case where a system is actually put out of commission because an infected program is installed and can no longer run is hypothetical: I don’t expect to see lots of those, but it was important to make the point that it -could- happen because there’s a tendency to assume that Induc.A is a "harmless" virus because it can’t infect most systems. The point that people are missing is that it can affect systems without "infecting" Delphi. In most cases the effect will probably be trivial, but it will still cause some disruption.

Having said all that, though, I’d still say that a reported distribution of 4m infected files by Computer Bild constitutes serious disruption though, irrespective of whether anyone actually executed that particular program (TidyFavorites 4.1, according to John E. Dunn on Techworld).

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

 

Author David Harley, ESET

  • http://silasjr.blog.com Silas Martins

    Ola ESET,
    tenho acompanhado e até mesmo publicado notas em meu blog sobre o induc, no Brasil este virus está atingindo até mesmo os criadores dos virus, uma vez que Delphi é uma das linguagens de programação mais usadas no Brasil.

    Acho que o induc só provou que não existe antivirus 100% eficaz, mostra disso foi ele ter ficado um ano sem ser detectado, e mesmo assim rodando em maquinas tidas como “limpas”. Serve tambem de alerta para a indústria de Segurança, para que possam como isso melhorar ainda mais o mecanismo de detecção.

    []‘s

    • Randy Abrams

      Fiundamentally, the author of the comment said that he’s published notes in his blog about Induc. He also says the virus is spreading in Brazil and that delphi is a very popular programming lanuage there. additionally, That Induc was around for up to a year before it was detect proves there is no 100% efficient antivirus and that this should alert the security industry that we still need better detection mechanisms.

      Of course, the person commenting is right. 100% detection is, at least, theoretically impossible. in actuallity it is impossible.

  • http://www.eset.com/threat-center/blog/ David Harley

    Indeed. When it comes to detection rates, this industry has no grounds for complacency, but of course there is no 100% solution: that’s why we advocate multi-layered defences.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

3 articles related to:
Hot Topic
07 Sep 2009
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.