Thursday, August 20, 2009

Induc ... the Delphi Virus

Virus.Win32.Induc.a takes advantage of the two-step mechanism used in the Delphi environment to create executable files. The source code is first compiled to produce intermediate .dcu (Delphi compiled unit) files, which are then linked to create Windows executables. The new virus activates when an infected application is launched. It then checks whether Delphi development environment versions 4.0, 5.0, 6.0 or 7.0 are installed on the computer. If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu. Practically all Delphi projects include the string “use SysConst”, which means the infection of only one system module results in the infection of all applications under development. In other words, the modified SysConst.dcu file causes all subsequent programs created in the infected environment to contain the code of the new virus. The modified .pas file is no longer required and is deleted.

The virus is not currently a threat – there is no destructive behavior apart from infection. It is most probably intended for demonstration and testing of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of publishing .dcu files by developers has already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cybercriminals to make it more destructive.

Kaspersky Lab solutions successfully detect Virus.Win32.Induc.a and treat both compiled Delphi files and Windows executables.
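The infection described above leaves a distinctive footprint on the build machine: one system unit, SysConst.dcu, is rebuilt after installation while every other shipped .dcu in the Lib directory keeps its original contents and timestamp. The following script is an added example (not code from the original post or from Kaspersky Lab) of how a developer can audit a Delphi Lib directory for that footprint; it compares SysConst.dcu against a hash baseline taken from a clean install and flags it when it is far newer than its siblings. The sample Lib directory, the file contents and the one-day slack threshold are constructed assumptions for the demonstration.

```python
"""Spot a Delphi Lib directory whose SysConst.dcu was rebuilt behind the developer's back."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

SUSPECT_UNIT = "SysConst.dcu"  # the system unit Induc recompiles

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def baseline_of(lib_dir: Path) -> dict:
    """Record known-good hashes for every .dcu in a trusted (clean) installation."""
    return {p.name.lower(): sha256(p) for p in lib_dir.glob("*.dcu")}

def check_lib_dir(lib_dir: Path, baseline: dict, slack_s: int = 24 * 3600) -> list:
    """Return findings for one Lib directory (empty list = nothing suspicious).
    Check 1: SysConst.dcu no longer matches the hash recorded from a clean install.
    Check 2: SysConst.dcu is much newer than every other shipped unit; a single
             system unit recompiled after installation is exactly Induc's footprint."""
    findings = []
    target = lib_dir / SUSPECT_UNIT
    if not target.exists():
        return [f"{target}: missing"]
    expected = baseline.get(SUSPECT_UNIT.lower())
    if expected and sha256(target) != expected:
        findings.append(f"{target}: hash differs from clean baseline")
    siblings = [p for p in lib_dir.glob("*.dcu") if p.name.lower() != SUSPECT_UNIT.lower()]
    if siblings:
        newest_sibling = max(p.stat().st_mtime for p in siblings)
        if target.stat().st_mtime - newest_sibling > slack_s:
            findings.append(f"{target}: rebuilt long after the rest of Lib")
    return findings

def build_sample_lib(infected: bool) -> Path:
    """Constructed sample (not real Delphi files): a Lib dir with units dated a year ago.
    When infected=True, SysConst.dcu gets different bytes and a fresh timestamp."""
    lib = Path(tempfile.mkdtemp())
    old = time.time() - 365 * 24 * 3600
    for name in ("System.dcu", "SysUtils.dcu", "Classes.dcu", SUSPECT_UNIT):
        p = lib / name
        p.write_bytes(b"DCU:" + name.encode())
        os.utime(p, (old, old))
    if infected:
        (lib / SUSPECT_UNIT).write_bytes(b"DCU:SysConst+viral-init")  # mtime becomes "now"
    return lib

if __name__ == "__main__":
    clean = baseline_of(build_sample_lib(infected=False))
    for finding in check_lib_dir(build_sample_lib(infected=True), clean):
        print(finding)
```

On a real machine, take the baseline from a freshly installed Delphi Lib directory and run the check against each of the version 4 to 7 installations the virus looks for.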
It's also quite interesting to note that Kaspersky Lab was the first to detect this new virus; however, it's a shame that some media are ignoring this!

Wednesday, August 19, 2009

Malware growth beyond 30 million soon, 30,000 new threats a day...

I'm back from my vacation, and during the last 3 weeks a lot of things happened:
Koobface got new tricks, Twitter went down, Induc, the innovative file infector (Delphi), was found, and three people were indicted for stealing 130 million credit cards and other data useful in identity theft. And I was interviewed 4 times on my first working day (VTM (TV), De Morgen, etc.)... However, the more real problem comes from the ongoing threat of the creation of new malware. Malware threats have undergone many, many stages of evolution over the years. First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constants seem to be that these are growing both in number and in danger. Kaspersky Lab finds over 30,000 new samples every day. And it's not only us seeing this. AV-Test.org has also released their findings (see picture).
With more than a million new samples being seen every month, we are now reaching 30 million soon, depending on how you count the samples. That should clearly illustrate the scale of the malware threat. As the threat continues to grow, so will the system resources needed to protect users from it. How else can users cope with this threat growth? In my years of experience managing malware signatures, I believe that the only way to go is in the cloud, combined with some other new technologies like whitelisting and sandboxing. By using these combined technologies the security world can still cope with the large growth of malware while keeping good performance. You can find all these new features within the newly released Kaspersky Lab Internet Security Suite 2010.