Anti-virus software vendor Kaspersky has discovered a new type of virus which infects and compromises systems running the Delphi development environment. After infection, all Delphi programs compiled using the infected Delphi environment are also infected. Anti-virus laboratory AV-Test has already spotted the first examples in the wild.
The virus affects Delphi versions 4.0, 5.0, 6.0 and 7.0. After making a backup which it names SysConst.bak, it overwrites the Delphi file SysConst.dcu with a self-compiled version. Since the infected file is loaded whenever Delphi programs are compiled, all programs generated after this point will be infected.
The virus does not carry a malicious payload, so does not do any damage to systems which are not running Delphi. It does not therefore represent an actual hazard at present. The programs Any TV Free 2.41 (anytv241_setup.exe) and Tidy Favorites 4.1 (TidyFavorites_Setup_4_1_free.exe), which are included on some current magazine CDs and are also among the top 100 downloads on some download portals, are infected with the virus. Kaspersky, F-Secure and Ikarus anti-virus products report the malware as "Virus.Win32.Induc.a". McAfee reports infected files as "W32/Induc" or "Generic!Artemis". Other anti-virus vendors have been informed of the virus and are working on updates.
The idea of concealing malicious code in a compiler is by no means new. In his very readable acceptance speech for the 1984 Turing Prize, Reflections on Trusting Trust, Unix grandee Ken Thompson discussed the possibility of using the C compiler to inject a back door into the login process. However, it has taken 25 years for reality to catch up with the theory.
No comments:
Post a Comment