Michal Trs

19 August 2009

Win32:Induc, new concept of file infector?

Go to comments Leave a comment

A few days ago, Andreas Marx (independent AV tester) sent all AV companies a file infected by "Delphi Source Code infector". This file was linked by chip.de and a few others. Two days ago an analysis of this innovative file infector was published by Kaspersky Lab and F-Secure. But this is just the recent media bubble. This virus is actually several months old and all AV companies were blind. Why?

Till now, file infectors (like Virut, Sality, Parite, ...) have modified executable files on the victim's machine. They appended their body and changed the entry point - "thats all". Win32:Induc is different. The infected file looks for the Borland Delphi compiler on the victim's machine. If Delphi is found, the source file SysConst.pas is replaced by a malicious one and is compiled into SysConst.dcu. Each new build (using SysConst.dcu - practically all) of any Delphi project on an infected machine produces an infected file. This malware is produced by "white" programmers without their permission. Many files are digitally signed and distributed globally through download servers.

A few statistics: A few hours after VPS update 090818-0 (contains detection Win32:Induc) we received hundreds of suspected "false positive alerts" - all of them were infected. In the last 12 hours (since VPS was released) avast! has found ~200 000 infected files.

Virus Lab, Analyses, Induc, Delphi, infector