Way back in 1984, Ken Thompson theorized about a type of virus that could infect the tools that create programs rather than the programs themselves. In this way the virus would remain undetected in the tool itself yet be inserted into every program that tool produced.
Now, in 2009, this theoretical virus has become a reality. Win32.Induc, or Induc, is a virus that targets development environments in order to infiltrate applications at the point where they are written and compiled. Specifically, Induc infects files used to build programs in Delphi versions 4.0 to 7.0, so that every application compiled in that environment comes out infected. Whenever one of these Induc-infected applications is run on another PC, the virus searches for a Delphi installation and attaches itself to it, spreading in turn to any new software compiled in that newly infected environment, and so on.
The Induc virus seems to have no malicious payload, but serves as a proof of concept of how such a virus might spread. The challenge in dealing with it is that the infection must be traced back to the Delphi compiler installation that produced it in order to clean the source; once the virus is removed there, all software built with that compiler has to be recompiled. It is believed that a number of software houses specializing in Delphi development have already been infected.
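Tracing an infection back to the compiler, as described above, is far easier when the toolchain has a known-good baseline to compare against. The following Python is an added example, not code from the original post: it records a SHA-256 hash for every file under a compiler library directory and later reports which files were modified, added or removed. The directory layout and unit file names in the demo are constructed stand-ins, not real Delphi paths.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large toolchain binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(toolchain_dir: str) -> dict:
    """Map each file (relative path) under the toolchain directory to its hash."""
    root = Path(toolchain_dir)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, out_path: str) -> None:
    """Persist the baseline; keep this copy somewhere the build host cannot alter."""
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def check_toolchain(toolchain_dir: str, baseline: dict) -> dict:
    """Compare the live tree against the baseline and report every deviation."""
    current = build_baseline(toolchain_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake library tree, then tamper with one unit
    and drop an unexpected extra file, as a compiler-infecting virus would have to."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"          # assumed stand-in for a compiler library dir
        lib.mkdir()
        (lib / "SomeUnit.dcu").write_bytes(b"constructed clean unit A")
        (lib / "OtherUnit.dcu").write_bytes(b"constructed clean unit B")
        baseline = build_baseline(str(lib))
        (lib / "SomeUnit.dcu").write_bytes(b"constructed clean unit A" + b"\x00tampered")
        (lib / "Extra.dcu").write_bytes(b"constructed unexpected file")
        return check_toolchain(str(lib), baseline)
```

The same check works for any build toolchain; the point is that the baseline must be taken from a trusted installation and stored off the build machine, since an infected host can rewrite a baseline it can reach.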
Induc had been hiding out and replicating itself for more than a year before it was discovered in August. Researchers believe it is one of the most common viruses currently in circulation. Even though Induc carries no malicious payload, AV software updated to detect it will cause disruption, since infected applications and files will be quarantined. AV vendors will be flooded with false positive claims for applications that really are Delphi-built files carrying the virus. Chaos and confusion will ensue, and the AV people are going to have to sort through this mess.
Additionally, the virus has the potential to bypass AV because it can affect whitelisted programs, which AV software ignores and regards as safe. Even if a program is whitelisted, the compiler used to build it may be infected and pass the infection on to the whitelisted program itself.
Since the virus corrupts the tools that create programs, innocent programmers become the unwitting distributors of the virus. As Ken Thompson said in 1984, “The moral is obvious. You can’t trust code that you did not totally create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.” Pretty scary stuff, huh?