What should we do with the Induc infections?

Filed Under: Malware

"The Induc virus continues to make the headlines, with infected files being found even on the free cover CD ROMs given away by magazines. Paul Ducklin, Sophos's Asia-Pacific head of technology, wonders how should anti-virus vendors be responding? By the way, we'll be giving Duck his very own blog "real-soon-now" - so watch this space.."

Paul Ducklin
The hot malware story of the moment is the Induc virus.

The elevator pitch about Induc is that it is a virus which infects Windows programs compiled using Delphi. If you run an infected file on a PC which doesn't itself have Delphi installed, the virus is mostly harmless. But if you do have Delphi, the virus infects your Delphi installation. Any file that you compile thereafter is infected.

Induc infections have been floating around on the internet for a while, occasionally being installed by Delphi programmers. Every time this happens, new infected files get compiled, some of which end up published and downloaded. So infected programmers become virus disseminators.

(Interestingly, since Delphi is regularly used by cybercriminals for producing malware - especially phishing Trojans - we are also seeing Trojans infected with Induc. Quality control has never been
much of a priority with malware writers.)

This begs the question: how do you clean up Induc-infected files?

Technically, Induc is a parasitic virus, which means that it hitches a ride inside a host program. This differentiates it from a worm, which is a self-contained virus with no original host file. However, since Induc is added to its host at compile time, there is never actually an uninfectious original host file to restore.

This means that it can be considered correct to disinfect Induc by deleting every infected file, and asking the provider of the infected program to republish a cleanly-compiled, uninfected
version of the file.

But it may take a while to get hold of a cleanly-compiled replacement, which might leave you stuck without a needed piece of software for a while. So, since Induc is parasitic, it can certainly be considered useful to disinfect by patching out the infectious part and thus to produce a safely-working copy of the program.

And that leaves you with another problem. The disinfected programs aren't actually what the original publisher intended to distribute, so they can't be guaranteed to behave as properly-compiled versions would.

Fly in soupPatching out the virus code can probably be done safely, but there is something unappealing about using a program in this state - it is rather like having a fly in your soup.

Do you ask for a new bowl of soup, or do you spoon out the fly and eat the soup anyway?

So there is also a middle ground for cleanup: disinfect the file, but patch it into a state in which it will then be detected not as a virus but as a Potentially Unwanted Application (PUA).

This means you can use disinfection as a short-term fix, but still identify the "fly-infested soup bowls" later when an official replacement is available.

The question is: which is the right approach?

Why don't you tell us?

What should we do with the Induc infections?(poll)

* Image source: Orin Zebest's Flickr photostream (Creative Commons)

,

You might like

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog