Primitive file infector for Borland Delphi proggies

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Post by luntrus »

Hi users of the unique NS extension,

Friends, there is a new trend among malcreants: trying to take out a whole class of software on a machine with a file infector that arrives by the vector of the compiled program. If one of the programs you have was made with a certain version of Borland Delphi, since today various AV will flag it as Win32:Induc infected.
A program that I lost to this file infector is Event Log Explorer (As Protect); read an analysis of the malcode here:
http://www.viruslist.com/en/weblog?weblogid=208187826
and here: http://www.f-secure.com/weblog/archives/00001752.html
Also about the infection: http://forum.avast.com/index.php?topic=47738.0
or here: http://www.sophos.com/blogs/gc/g/2009/0 ... re-houses/
Some 3000 programs have to be updated and signed anew. In addition, and quite ironically, we have seen a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A aka Win32:Induc.
Also MS flags it now, since two days: a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.
The applications were being distributed with the virus code already embedded, due to an unusual trick employed by the malware author or authors.
The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed. Any programs which are subsequently compiled using the compromised compiler contain the virus code. Although no payload is dropped and no malicious action is taken other than self-reproduction, the spreading of this virus to installer packages proves that this extremely unusual infection vector is, in fact, valid and relevant today, raising concerns that it will eventually be used for nefarious purposes. We'll keep you informed.

luntrus aka polonus
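The post above describes the defining property of this infector: it does not need to touch each program, it modifies the installed compiler's runtime once and every program built afterwards carries the code. The defensive consequence is that a build machine's toolchain must be treated as an integrity-controlled artifact, not just the sources. The script below is an added example written for this thread, not code from the original post or from any of the linked vendors; it snapshots every file under a toolchain directory into a SHA-256 manifest and later reports files that were modified, added or removed. The directory layout, file names and contents are constructed for the demo and only loosely imitate a Delphi install; the "tampering" step simply overwrites one unit and drops an extra file, it does not reproduce anything the virus does.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file below root (path relative to root, POSIX form) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    # In real use keep this file somewhere the build host cannot rewrite it
    # (read-only share, version control, signed artifact store).
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_toolchain(root: Path, manifest: dict) -> dict:
    """Compare the toolchain on disk against a trusted manifest.

    Returns the three classes of drift a compiler-infecting virus would cause:
    a runtime unit rewritten in place (modified), a leftover backup or new
    unit (added), or an original removed (missing).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Run the check on a constructed toolchain before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed layout, hypothetical names chosen to look like a compiler install.
        files = {
            "Bin/dcc32.exe": b"constructed compiler binary",
            "Lib/SysConst.dcu": b"constructed compiled runtime unit v1",
            "Source/Rtl/Sys/SysConst.pas": b"unit SysConst; (* constructed *) end.",
        }
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        # Snapshot taken right after a clean install of the toolchain.
        manifest_path = root.parent / "toolchain-manifest.json"
        save_manifest(build_manifest(root), manifest_path)
        trusted = load_manifest(manifest_path)

        before = verify_toolchain(root, trusted)

        # Constructed tampering: one compiled runtime unit replaced, one stray file left behind.
        (root / "Lib/SysConst.dcu").write_bytes(b"constructed compiled runtime unit with extra code")
        (root / "Lib/SysConst.bak").write_bytes(b"constructed leftover copy")

        after = verify_toolchain(root, trusted)
        manifest_path.unlink()
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step once on a known-clean install and the verify step at the start of every build; a non-empty report means the build output cannot be trusted until the toolchain is reinstalled, which is the same conclusion the linked write-ups reach for affected software houses.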
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Primitive file infector for Borland Delphi proggies

Post by GµårÐïåñ »

This virus is not as new as people think. This was a POC that got out of hand about 3 months ago, and it got out when some douche decided to release it into the wild. It can be kept at bay and prevented from spreading relatively easily, but it is still annoying. Here are a couple of recent articles for those interested:

http://www.computerweekly.com/Articles/ ... e-code.htm
http://news.zdnet.com/2100-9595_22-332782.html
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Primitive file infector for Borland Delphi proggies

Post by Grumpy Old Lady »

Quoth luntrus:
Also MS flags it now, since two days: a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.
Oh, how nicely ironic. The biters bit :-)
No AV exes made with Borland, I trust ;-)
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Primitive file infector for Borland Delphi proggies

Post by GµårÐïåñ »

Actually Microsoft Security Essentials flagged it before anyone else, or at the very least just as soon as many of the forerunners, and they are still in private Beta. AntiVir flagged it shortly after, and well, the rest pretty much followed suit.
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Primitive file infector for Borland Delphi proggies

Post by Grumpy Old Lady »

The "biter" I meant in luntrus' quote was the banking trojan writers, not MS, at least not this time :-)
a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Primitive file infector for Borland Delphi proggies

Post by GµårÐïåñ »

Gotcha! :oops: