Security Just Got A Lot More Complicated

Last month, security investigators stumbled across a new an innovative variety of malicious software. Named Induc, it's been hiding out there -- undiscovered -- for more than a year. Now that researchers can find Induc, they believe it's one of the top 100 most common viruses.What makes Induc innovative -- and scary -- is that it infects the tools that create programs, rather than the programs themselves. In particular, Induc infects the files that are used to create programs in versions 4.0 to 7.0 of Delphi. Any Delphi program created on an infected system will have the ability to spread Induc to a system when that program is run and the Delphi compiler is installed.

It's not like this style of attack has never been considered. In fact, Unix co-creator Ken Thompson theorized this type of attack in 1984, and said the idea originated with an Air Force security analysis of Multics in the 1960s. In the PC world, there have been a few viruses that modify the source code of files they find on the target computer. Induc, however, seems to be the first PC virus that targets the code the compiler generates without changing the original source program.

If an attacker can corrupt the tools that create programs, they can get the innocent programmers of the world to provide distribution of malicious code. This is especially devastating because those programs may be digitally signed. Imagine if a virus similar to Induc managed to infect the compilers at a large company like Microsoft or Mozilla. Or what if it infects the compler that a large company uses to create its own line-of-business applications? Those applications are often whitelisted to avoid accidental interference from anti-malware software, but that would give them free reign to do whatever they wanted.

Induc itself seems to be a proof-of-concept piece of code. It doesn't have a malicious payload, it simply tries to spread itself far and wide. In that sense, the industry is lucky to have gotten this wake-up call in a way that didn't involve an ugly disaster. So let's wake up and think about the implications of Induc.