Dissecting the Induc Virus presented at Hashdays 2012

by Robert Lipovsky

Tags: Security

Summary: Although parasitic viruses are not as prevalent as they used to be, we still see some classic virus families in the wild. The virus Win32/Induc is not known for wide distribution (as Win32/Sality is, for example), but for its different, interesting modus operandi. The Induc virus, first discovered in 2009, infected a standard Delphi library instead of parasitizing executable files directly. This way, every application compiled using the maliciously modified IDE would end up infected. In 2011, the latest version of the virus was discovered and found to be used in real cybercrime incidents. The presentation covers the evolution of this unique virus family. We will also present a detailed low-level analysis of the Induc code, showing disassemblies of its various functions.