Sebastián Bortnik, Security Analyst at ESET Latin America, has shared with me his translation of an FAQ written with Cristian Borghello, ESET Latin America's Technical and Educational Manager, about the malware ESET NOD32 detects as Win32/Induc.A.
I've done a little cosmetic editing on the original and added quite a lot of material (so any mistakes and misapprehensions are likely to be mine!)
1. What does it mean if a file is detected as Win32/Induc.A?
It means that the file contains code whose routines modify files belonging to the Delphi development tool, so that thereafter every application compiled with that Delphi installation also contains the virus.
2. What sort of development tool is Delphi?
Delphi is a visual development platform that generates compiled programs written in a version of Pascal. Ironically, it's a tool frequently used by malware authors, and we've seen examples of Trojans that are themselves infected with Win32/Induc.A, as described below.
3. What is a compiled program?
As we use it here, the term denotes a stand-alone program generated by a compiler rather than an interpreter: that is, one that can run without the development platform that generated it being present. As computer scientists use the terms, the differences between a compiler and an interpreter are considerably more complex, but the fine detail isn't really important in terms of this malware – for an end user, at any rate.
4. What damage could my system sustain if I run the infected file?
There's no such thing as a harmless virus, but this one is not intentionally destructive. For end users, Induc will not cause direct damage to their systems, though they may find that they lose the ability to run infected programs once their antivirus software recognizes the infection (see 11). For programmers, this is a major threat: any application compiled after the infection will itself be infective and, if distributed, risks infecting other development systems, as well as causing considerable inconvenience when programs they've distributed are found to be infected.
5. What changes would the virus make to my system?
On systems where Delphi is not installed, no changes are made to the system, though there may nevertheless be undesirable consequences arising from the presence of an infected file (see 13). On development systems where Delphi is installed, the virus performs the following actions:
- The file SysConst.pas is copied into the %delphi rootdir%\Lib directory
- The new copy of SysConst.pas is modified to contain the infective code
- The modified SysConst.pas is compiled with the command-line compiler (DCC32.exe, see 8), generating a new, infected %delphi rootdir%\Lib\SysConst.dcu. This unit is linked into every program the installation subsequently builds, so all of those programs carry the malicious code it contains.
6. How do I know if my installation of Delphi is infected?
Firstly, if newly-compiled applications are detected by antivirus as infected with Win32/Induc.A, this is almost certainly because your installation of Delphi is infected. There have been some reports of false positives by developers, but the chances are that these arise because they don't understand the infection mechanism and don't realize that applications can be infected even when they write and compile the programs themselves. To perform a manual check, there are two alternatives:
- First, applications compiled on an infected installation contain a string that is characteristic of the virus (see the code image at http://blogs.eset-la.com/laboratorio/wp-content/uploads/2009/08/induc2.png).
- Secondly, the malicious code makes a backup before SysConst.dcu is modified. In the folder where that file lives you should find two files: one with a BAK extension (the original, saved as a backup) and one with a DCU extension (the malicious, infective file). These differ in size (the malicious file is bigger), as shown in the picture at http://blogs.eset-la.com/laboratorio/wp-content/uploads/2009/08/induc3.png.
7. What is a .DCU file?
DCU stands for Delphi Compiled Unit. This is a kind of library file or module containing object code used by Delphi when it compiles (builds) a program file. This is why all executables compiled after infection are themselves infective.
8. How can I fix my installation of Delphi?
To repair the Delphi installation, delete the infected sysconst.dcu and replace it with the backup (sysconst.bak), changing the file extension to .dcu. Alternatively, rebuild the unit from the original .pas source with the following command (deleting the infected .dcu and renaming the backup is the simpler route, though):
"%delphi rootdir%\Bin\DCC32.exe" "%delphi rootdir%\source\rtl\sys\SysConst.pas"
9. Can I be sure that will work?
There is no absolute guarantee. There may be circumstances under which the backup file is also infected/infective, or no longer exists, in which case simply deleting the infective file will affect the functionality of the compiler. Or there may be new variants or subvariants that aren't so obliging as to leave the original code available. In such a case, you'll need to rebuild the .dcu as described in (8). If that fails, you might even have to reinstall the compiler/IDE (Integrated Development Environment). If that happens, you may want to be sure that you've backed up all your source code.
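The manual check in (6), the repair in (8) and the caveats in (9), as an added example that is not part of the original FAQ or of any ESET tool. It relies only on what the FAQ states: the virus leaves Lib\SysConst.bak (the original, smaller) beside Lib\SysConst.dcu (the infected, larger unit). Locating Delphi root directories is left to the caller, and the sample directory trees are constructed throwaway files, not real Delphi units.

```python
"""Check a Delphi root for the Win32/Induc.A tell-tales described in the FAQ and,
where the tree matches the described infection, restore SysConst.dcu from the .bak.

Added example; not the FAQ's or ESET's code.  Assumes only the layout the FAQ gives:
<root>\Lib\SysConst.dcu (infected, larger) next to <root>\Lib\SysConst.bak (original).
"""
import os
import tempfile

LIB, DCU, BAK = "Lib", "SysConst.dcu", "SysConst.bak"


def check_delphi_root(root):
    """Classify one Delphi root directory.

    'no-dcu'    - Lib\\SysConst.dcu is absent; not a usable root (or already deleted)
    'no-backup' - no .bak beside the .dcu; the tell-tale is absent, which does NOT
                  prove the install is clean (see 9) - still check compiled output (6)
    'suspect'   - .bak present and .dcu larger than it: matches the described infection
    'unclear'   - .bak present but not smaller than the .dcu; don't trust the backup,
                  rebuild from source instead (see 8 and 9)
    """
    lib = os.path.join(root, LIB)
    dcu, bak = os.path.join(lib, DCU), os.path.join(lib, BAK)
    if not os.path.isfile(dcu):
        return "no-dcu"
    if not os.path.isfile(bak):
        return "no-backup"
    if os.path.getsize(dcu) > os.path.getsize(bak):
        return "suspect"
    return "unclear"


def repair_from_backup(root):
    """Step (8): delete the infected .dcu and rename the .bak to .dcu.

    Only acts when the tree matches the described infection, so an 'unclear' tree
    (backup possibly infected or missing) is never used to overwrite anything.
    Returns True if the unit was restored.
    """
    if check_delphi_root(root) != "suspect":
        return False
    lib = os.path.join(root, LIB)
    os.remove(os.path.join(lib, DCU))
    os.rename(os.path.join(lib, BAK), os.path.join(lib, DCU))
    return True


def rebuild_command(root):
    """Fallback from (8)/(9): the DCC32 invocation that rebuilds SysConst.dcu from
    the shipped source, returned as an argument list for the caller to run."""
    return [os.path.join(root, "Bin", "DCC32.exe"),
            os.path.join(root, "source", "rtl", "sys", "SysConst.pas")]


# --- constructed sample data (not real Delphi files) ---------------------------
ORIGINAL_UNIT = b"DCU original unit\n" * 8
INJECTED = b"injected infective routine\n" * 4


def build_sample_tree(infected=True, with_dcu=True):
    """Build a throwaway root: Lib\\SysConst.dcu and, if infected, the smaller
    Lib\\SysConst.bak the virus leaves behind.  Returns the root path."""
    root = tempfile.mkdtemp(prefix="delphi_")
    lib = os.path.join(root, LIB)
    os.makedirs(lib)
    if with_dcu:
        with open(os.path.join(lib, DCU), "wb") as f:
            f.write(ORIGINAL_UNIT + (INJECTED if infected else b""))
    if infected:
        with open(os.path.join(lib, BAK), "wb") as f:
            f.write(ORIGINAL_UNIT)
    return root


def dcu_size(root):
    """Size of Lib\\SysConst.dcu, so a caller can confirm the restore."""
    return os.path.getsize(os.path.join(root, LIB, DCU))


if __name__ == "__main__":
    root = build_sample_tree(infected=True)
    print("before:", check_delphi_root(root))          # suspect
    print("restored:", repair_from_backup(root))       # True
    print("after:", check_delphi_root(root))           # no-backup
    print("fallback:", " ".join(rebuild_command(root)))
```

Run it against each Delphi root on a build machine; a 'suspect' result is the picture in (6), and 'unclear' or 'no-backup' on a machine whose compiled output is being flagged means falling back to the DCC32 rebuild or a reinstall as (9) describes.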
10. How can I fix applications that have been compiled while the IDE was infected?
Applications compiled on the infected system should be deleted and re-compiled once the system has been fixed (see question 8). If you have an innocent application that is diagnosed as infected but don't have Delphi or the source code, you'll have to get hold of a clean version from the vendor. Because the infection takes place at compile-time, there's no satisfactory way to disinfect without recompiling: simply removing or patching out the virus code may leave an executable that behaves unpredictably.
11. How many infected programs are there?
As Randy already mentioned in his blog at http://www.eset.com/threat-center/blog/2009/08/19/the-retro-virus, we know of several thousand (more than four thousand as of 19th August) in our malware sample collection. These are actually Trojans that have been compiled using an infected version of Delphi. We also know of presumed non-malicious programs that are also infected, and it's likely that there are quite a few more out there being spread directly (and unknowingly) by vendors, by software (and warez – pirated software) distribution sites, over peer-to-peer networks, and so on.
This suggests that although the number of systems directly affected by this malware (that is, with an infected Delphi installation) is relatively small, there may be an enormous number of infected files on systems that aren't directly vulnerable. Once these programs are identified as infected by security software, they will normally be deleted or blocked from executing.
12. Could this method of attack be used with other development platforms?
In principle, certainly. We can't say exactly how likely that is, but it's certainly not impossible. This is a type of attack that has been recognized hypothetically for many years, and it could in theory be implemented in many environments and on many types of device. The attacker was almost certainly aware of Ken Thompson's 1984 paper "Reflections on Trusting Trust" and of later papers that develop the idea further, such as Ian Witten's 1987 paper on "Infiltrating Open Systems."
13. Is it worth bothering with this if it's mostly harmless?
I don't altogether agree that it's harmless, even on a system without Delphi installed: it certainly could affect a system's functionality under some circumstances. For instance, what if an innocent program is installed, makes changes to the system, and is then discovered to be infected and has to be removed, but the changes aren't reversed?
14. So this isn't just a proof-of-concept attack?
This seems to be a classic "proof of concept" attack in that it probably wasn't intended to be destructive, though there's no reason why it couldn't be adapted to do something more malicious, either something deliberately destructive or something that allows a criminal some form of backdoor access, for instance. (See 12.) If the bad guys see a way to use this for profit, the chances are that it will happen.
Here is the link to the original Spanish FAQ: http://blogs.eset-la.com/laboratorio/2009/08/20/preguntas-frecuentes-sobre-induc/
And here is a link to ESET's description of the virus: