Recently Norman's senior virus analyst Snorre Fagerland wrote about the malware W32/Induc.A in our security blog. This is a virus that infects the Delphi programming environment, so that applications created with an infected Delphi environment are themselves infected. This has interesting implications, as we shall see.

Norman has recently received several reports about files that are infected with the Induc.A malware.
Delphi is a popular programming language, and one may presume that quite a lot of custom-made (and commercial) applications written in it are in use. When an organization receives an application from its vendor or purchases a computer program from its trusted partner, security awareness will often be lower than when receiving a program in an unsolicited email or downloading it from the Internet.
In this particular case, this is obviously dangerous.
A more intriguing effect of this particular malware has to do with so-called "false positives", a topic that has been discussed in previous security articles; see for example "A security issue? Oops - not!" from earlier this year.
Several of our customers have sent us files that are infected with Induc.A and reported them as false positives. This further strengthens the point made above: programs that are received from "trusted sources" are a priori defined by the recipient as secure. If a security application defines such programs as infected, the security program is presumed to be incorrect.
Not only is this, of course, a dubious presupposition; for security vendors it is indeed a paradox that false positives have become so common that even infected files are reported as such.
Fortunately Induc.A is not a dangerous piece of malware, as it does not have any payload.
However, given the "success" this malware has had in spreading and infecting, one may predict that other malware writers will use the same technique. Upcoming malware using this spreading vector may be much more dangerous.