Compiler virus infects thousands of programs
Published: 2009-08-20

A malicious program that infects software built with the Delphi programming language at compile time has been detected in thousands of applications, including other malicious programs, antivirus firms said this week.

The virus, known as Win32.Induc, replaces the SysConst.pas file used by Delphi compilers, leaving behind a backup of the original file. Programs compiled with the new file will spread the code to other systems, if those systems have older Delphi compilers installed. While the malicious program is several months old, antivirus firms have only recently started detecting the code, said security firm Sophos.

"Delphi is frequently used to create bespoke software, either by small software houses or by internal teams," Graham Cluley, senior technologist at Sophos, said in a blog post. "If you believe that you may be using software written in Delphi you would be very wise to ensure that your antivirus software is updated."

Sophos detected more than 3,000 programs infected with the code, including some banking Trojans, suggesting that even cybercriminals have had their computers compromised by the program. Another antivirus firm, Avast, has detected more than 200,000 files, although it's not clear whether the files are unique programs.

Compiler viruses are not common but are not new, either. In a 1984 paper, "Reflections on Trusting Trust," computer scientist Ken Thompson posited that a compiler could be modified to produce programs containing a backdoor. In a 1992 paper, antivirus researcher Vesselin Bontchev mentions the existence of the compiler virus, which infects executables when they are recompiled, as a way to get around integrity checking.

Even though Win32.Induc does nothing malicious besides propagating, security firms warned that the virus does not just pose a danger for developers.

"Let me reiterate," Cluley warned. "This virus isn’t just a threat if you are a software developer who uses Delphi. It’s possible that you are running programs which are written in Delphi on your computers, and they could be affected."

The virus only affects programs compiled with older versions -- 4 through 7 -- of the Delphi compiler.

Posted by: Robert Lemos
