Virus discovered deep in Delphi programming language

By Greg Masters

A new virus outbreak has been detected by researchers at SonicWALL and SophosLabs, and it is reportedly spreading quickly. The researchers say the Win32.Induc virus infects applications built with Delphi, an object-oriented, visual programming environment derived from Pascal and used to develop 32-bit and Microsoft .NET applications for deployment on the web, Windows and Linux. Once a development machine is infected, every Delphi program compiled on it is infected in turn, so the virus travels both as infected executables and as modified Delphi library source, SonicWALL researchers stated in a release. While the virus has shown no malicious payload so far, the researchers said it demonstrates yet another way for attackers to infect computers with alarming ease.

"This malware just spreads, it doesn't delete files or do anything malicious," Nick Bilogorskiy, manager of anti-virus research at SonicWALL, told SCMagazineUS.com on Wednesday. "What is new and interesting about this is that it is being spread by innocent, already infected parties, such as developers who use the Delphi programming language."

It could be much worse, Bilogorskiy said, but the virus does have side effects. "Anti-virus software will pick this up so third-party software will get caught," he explained. This means that users' computers will be flagged as infected, and IT managers may cut those machines off from the network.

Graham Cluley, senior technology consultant at Sophos, wrote on his Sophos blog that "the W32/Induc-A virus inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable." Sophos, he wrote, has received more than 3,000 unique samples of programs infected by W32/Induc-A from the wild. "This makes us believe that the malware has been active for some time, and that a number of software houses specializing in developing applications with Delphi must have been infected."

Richard Cohen, an analyst at SophosLabs Canada, posted a report on the SophosLabs blog on Tuesday that explains the mechanism further: When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old copy of this file to SysConst.bak). The new infected SysConst.dcu file will then add W32/Induc-A code to every new Delphi file that gets compiled on the system.

"At the moment it's a mystery what drove the virus writer to write this Delphi malware," Cluley told SCMagazineUS.com in an email on Wednesday. "Maybe it was created as a proof-of-concept to prove it was possible, and then got out of hand." The samples Sophos has seen so far only spread; there is no intentional malicious payload and no sign of botnet creation or information theft, Cluley said. "Nevertheless, it's possible that the code could cause incompatibilities on users' computers, or that new variants could emerge in the future with more nefarious designs."

SonicWALL's Bilogorskiy calls the virus an abuse of trust. "It doesn't seem to be financially motivated." He agrees that it is likely a proof-of-concept exercise, someone showing off. "But it does point out that you cannot 100 percent trust programs that are written by someone else, and that you should at all times continue to ensure you have up-to-date anti-virus software."

Cluley advised the same. "Businesses that may be using software written in Delphi would be wise to check that their anti-virus software is updated. If a W32/Induc-A infection is found in a program, its developers should be contacted immediately – as it's possible that the infection could be passed on to other customers."
Cluley added that Sophos had also seen examples of infected programs being distributed via download sites – "presumably without the knowledge of the websites themselves who are assuming the programs to be clean."
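The infection path described above (an infected program rewrites SysConst.pas, recompiles it to SysConst.dcu, keeps the old copy as SysConst.bak, and every later build inherits the change) is a build-toolchain integrity problem, so a practitioner's check is to baseline the compiler's library files and diff them, plus look for the backup file the virus leaves behind. The script below is an added example written for this article; it is not code from SonicWALL, Sophos or the virus itself. The directory layout (Lib/, Source/Rtl/Sys/), the list of "core" units, and the location of SysConst.bak are assumptions modelled on a Delphi 7 installation, and the sample tree it checks is constructed inline in a temporary directory, so it runs offline.

```python
"""Integrity check for a Delphi installation's RTL sources and compiled units.

Added example (not from the article or from SonicWALL/Sophos). Two checks follow
from the W32/Induc-A description: (1) a baseline manifest of the toolchain's
library files, diffed on each run, and (2) a baseline-free scan for SysConst.bak.
Paths and unit names are assumptions modelled on a Delphi 7 layout.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Units the compiler links into every Delphi program; a change here reaches every build (assumed list).
WATCHED_UNITS = {"sysconst.pas", "sysconst.dcu", "system.pas", "system.dcu", "sysinit.dcu"}
# The backup the virus leaves when it replaces SysConst, per the SophosLabs description.
INDUC_BACKUP = "sysconst.bak"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path (forward slashes) -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """What changed since the baseline manifest was recorded."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def find_induc_backups(root: Path) -> list:
    """Baseline-free check: any SysConst.bak inside the installation is worth a look."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.name.lower() == INDUC_BACKUP)


def assess(root: Path, baseline: dict) -> dict:
    """Combine the manifest diff with the Induc-specific artifact check."""
    changes = diff_manifest(baseline, build_manifest(root))
    touched_units = sorted(k for k in changes["modified"] + changes["added"]
                           if Path(k).name.lower() in WATCHED_UNITS)
    backups = find_induc_backups(root)
    return {
        "changes": changes,
        "touched_core_units": touched_units,
        "induc_backups": backups,
        "verdict": "suspect" if touched_units or backups else "clean",
    }


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, simulate the described file changes, re-check.
    Returns both assessments so the outcome can be inspected."""
    root = Path(tempfile.mkdtemp(prefix="delphi-"))
    try:
        # Constructed stand-in for a Delphi install; the file contents are placeholders.
        _write(root / "Source/Rtl/Sys/SysConst.pas", b"unit SysConst; interface ... end.\n")
        _write(root / "Lib/SysConst.dcu", b"DCU-clean-sysconst")
        _write(root / "Lib/System.dcu", b"DCU-clean-system")
        _write(root / "Lib/Classes.dcu", b"DCU-clean-classes")
        baseline = build_manifest(root)
        before = assess(root, baseline)

        # Simulated infection mirroring the described steps: keep the old unit as .bak,
        # append to the source, replace the compiled unit. No real virus code is involved.
        shutil.copyfile(root / "Lib/SysConst.dcu", root / "Lib/SysConst.bak")
        with (root / "Source/Rtl/Sys/SysConst.pas").open("ab") as f:
            f.write(b"{ appended block standing in for injected code }\n")
        _write(root / "Lib/SysConst.dcu", b"DCU-recompiled-sysconst")
        after = assess(root, baseline)
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for stage in ("before", "after"):
        print(stage, result[stage]["verdict"],
              result[stage]["touched_core_units"], result[stage]["induc_backups"])
```

The baseline must come from a known-clean installation (fresh install media, or a manifest recorded before the machine ever ran third-party Delphi binaries); a baseline taken after infection would hide it, which is why the SysConst.bak scan runs independently of the manifest. A "suspect" verdict is an indicator only: confirm with up-to-date anti-virus as the article advises, and treat every binary built on that machine since the change as potentially infected.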