[Owasp-cincinnati] Fwd: A Thompson hack virus is found in the wild

Marco M. Morana marco.m.morana at gmail.com
Sat Aug 22 08:51:05 EDT 2009

Thanks for forwarding this James


According to the latest information I read  on this virus
(http://www.wired.com/threatlevel/2009/08/induc/) it seems not to be
malicious (it is a prank that just spread itself).  Indeed it is included in
every application old and new that was build with old versions of Dephi
compilers (4 to 7). Ironically was also found in bank Trojans that where
developed with old versions of Dephi.


Nevertheless you are completely right, this highlights the fact that it is
not just important to check the source  code for vulnerabilities but the
tools that you are using to build them and the applications that are build
with them. 


In my opinion, the threat of virus spread via developer tools is an area
that is overlooked by the security industry, besides compilation you also
have possible ways to introduce viruses source control tools (via malicious
source code) and  during the packaging (building scripts) . Also interesting
is the opportunity for developers themselves to inject malicious code as a
backdoor. Jeff Williams had a very nice presentation on that  subject at
recent BH conference.


As you know, also per your research, another opportunity to spread
vulnerabilities is via the use of FOSS libraries.


For example how many developers check the version of SPRING framework they
are using for DDOS vulnerabilities recently found by Dinis and Ryan at Ounce










From: owasp-cincinnati-bounces at lists.owasp.org
[mailto:owasp-cincinnati-bounces at lists.owasp.org] On Behalf Of James Walden
Sent: Friday, August 21, 2009 10:56 PM
To: OWASP Cincinnati
Subject: [Owasp-cincinnati] Fwd: A Thompson hack virus is found in the wild


A Thompson hack virus has been found in the wild and it's apparently
infected some malware authors' compilers.  It's interesting to see but also
a bit scary.  We're going to have to look more and more at object code, not
just source code for security in the future.


BitDefender Finds Win32.Induc.A Puts Delphi Compilers at Risk and
Compromises Legitimate Applications



The virus, called Win32.Induc.A, spreads by infecting systems that have the
Delphi compiler (versions up to 7.0) installed. 


BitDefender <http://www.bitdefender.com/> R today announced the discovery of
a threat that directly affects many applications, including TabBrowser v1.0,
GreenOpen, WebMoney Keeper Classic v3.7.0.0, Tidy Favorites v4.1 and any TV
Free v2.41. The applications were being distributed with the virus code
already embedded, due to an unusual trick employed by the malware author or

The virus, called Win32.Induc.A, spreads by infecting systems that have the
Delphi compiler (versions up to 7.0) installed. Any programs which are
subsequently compiled using the compromised compiler contain the virus code.
Although no payload is dropped or malicious action taken other than
self-reproduction, the spreading of this virus to installer packages proves
that this extremely unusual infection vector is, in fact, valid and relevant
today, raising concerns that it will eventually be used to nefarious

When executed, the virus searches for valid Delphi compiler versions and, if
found, creates a SysConst.pas file inside the compilers \Lib folder. It
writes its code inside it, then renames the SysConst.dcu into SysConst.bak.
The .pas file will be compiled then deleted. The resulting SysConst.dcu is
used by the compiler in every compilation act, which automatically creates
infected executables by including the malicious code from inside the

An interesting aspect about the epidemic is that not only legitimate
applications have been infected, BitDefender antivirus researchers found
that several members of the Trojan.Banker malware "family" have been
compromised by Win32.Induc.A. 

Detected by BitDefender as Trojan.Downloader.JMGZ, Trojan.Spy.Banker.ABWA
<http://www.bitdefender.com/VIRUS-90747-en--Trojan.Spy.Banker.HQ.html>  -
ABWC, Trojan.Spy.Banker.ABWK - ABWQ and so on, these trojans target local
banks, namely Caixa - Spain's biggest savings bank and Bradesco - a notable
bank in Brazil.

Delphi developers are advised to check if their compilers' \Lib folder
contains a SysConst.bak file (the most obvious sign of infection) and to
rename it to SysConst.dcu if it exists, overwriting the compromised file,
then recompile their applications.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-cincinnati/attachments/20090822/264d9cf9/attachment-0001.html 

More information about the Owasp-cincinnati mailing list