It's all Greek to Me
August 20, 2009 12:30 PM

In 1984 computer pioneer Ken Thompson wrote one of the seminal works of computer security, Reflections on Trusting Trust [PDF]. In it he postulated putting a trojan horse inside a compiler as a means of infecting software compiled by it. 25 years later somebody has finally done just that. Researchers at anti-virus house Sophos have discovered a virus that places a backdoor into applications compiled with the Delphi language. They've identified at least 3000 separate Delphi applications that have had this backdoor compiled into them so far, including banking programs and programs used for cellphone programming.
posted by scalefree (52 comments total) 16 users marked this as a favorite

Sophos 'discovered' it. In other news: Pfizer discovers new disease that thousands of people have but don't know it, so everyone will have to buy a new and expensive immunization, which, coincidentally enough, Pfizer has just discovered!
posted by Lutoslawski at 12:35 PM on August 20, 2009


Here's how it works:
W32/Induc-A searches computers for installations of Delphi, then attempts to temporarily modify SysConst.pas, and compiles this to infect SysConst.dcu. The original SysConst.dcu can be restored from the backup made by the virus in SysConst.bak.
So apparently we're talking about Delphi authors who've picked up viruses in the wild with their development machine (surfing porn sites, opening infected e-mail attachments, or running sketchy utilities, I presume), then later on compiled and released software programs on that same machine. I guess there's a lot to be said for keeping development machines disconnected from the network.
posted by crapmatic at 12:43 PM on August 20, 2009
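A defender-side integrity check for the three files named in that Sophos description, as an added example (not code from the thread, from Sophos, or from Delphi itself): it flags a leftover SysConst.bak and compares SysConst.dcu against a known-good hash taken from a clean install, the kind of imaged build machine discussed further down. The Lib directory, the baseline hash and the file contents are constructed placeholders.

```python
import hashlib
import pathlib
import tempfile

# File names from the Sophos description quoted above.
SOURCE_FILE = "SysConst.pas"
COMPILED_FILE = "SysConst.dcu"
BACKUP_FILE = "SysConst.bak"   # backup of the original .dcu left behind by the virus


def sha256_of(path: pathlib.Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large units are handled cheaply."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_delphi_lib(lib_dir, baseline_dcu_sha256: str) -> list:
    """Return a list of findings for one Delphi Lib directory (empty list = clean).

    baseline_dcu_sha256 is the hash of SysConst.dcu recorded from a known-good
    install; it is an input you must supply, not a value published anywhere.
    """
    lib = pathlib.Path(lib_dir)
    findings = []

    backup = lib / BACKUP_FILE
    if backup.exists():
        findings.append(f"{BACKUP_FILE} present (left when {COMPILED_FILE} was replaced)")

    dcu = lib / COMPILED_FILE
    if not dcu.exists():
        findings.append(f"{COMPILED_FILE} missing")
    else:
        actual = sha256_of(dcu)
        if actual != baseline_dcu_sha256:
            findings.append(f"{COMPILED_FILE} hash {actual[:12]}... differs from baseline")
        # If the backup is byte-identical to the baseline, the current .dcu was rebuilt.
        if backup.exists() and sha256_of(backup) == baseline_dcu_sha256:
            findings.append(f"{BACKUP_FILE} is the original {COMPILED_FILE}; current copy was rebuilt")

    return findings


def _make_lib(root, files: dict) -> pathlib.Path:
    """Build a constructed Lib directory containing the given name -> bytes map."""
    lib = pathlib.Path(root) / "Lib"
    lib.mkdir()
    for name, data in files.items():
        (lib / name).write_bytes(data)
    return lib


def demo() -> dict:
    """Run the check over a constructed clean install and a constructed tampered one."""
    good_dcu = b"constructed: original SysConst.dcu bytes"
    bad_dcu = b"constructed: SysConst.dcu rebuilt from a modified SysConst.pas"
    source = b"unit SysConst; (* constructed placeholder *) end."
    baseline = hashlib.sha256(good_dcu).hexdigest()   # would come from a clean machine
    results = {}
    with tempfile.TemporaryDirectory() as root:
        clean = _make_lib(root, {COMPILED_FILE: good_dcu, SOURCE_FILE: source})
        results["clean"] = check_delphi_lib(clean, baseline)
    with tempfile.TemporaryDirectory() as root:
        tampered = _make_lib(root, {COMPILED_FILE: bad_dcu,
                                    BACKUP_FILE: good_dcu,
                                    SOURCE_FILE: source})
        results["tampered"] = check_delphi_lib(tampered, baseline)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or ["no findings"])
```

On a real machine you would point check_delphi_lib at each Delphi version's Lib directory and keep the baseline hashes with the build image, so a rebuilt unit shows up even if the virus ever stopped leaving the .bak behind.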


The most amazing part of the scenario Thompson presents is that the compiler not only adds a backdoor to other applications it compiles, but it also recognizes when it is compiling itself, and reinserts the backdoor-adding code. It's like a metametabackdoor.
posted by grouse at 12:46 PM on August 20, 2009 [4 favorites]


Can the MeFi nerd detective squad decrypt these dork packets into something comprehensible by us laymen?
posted by orville sash at 12:49 PM on August 20, 2009 [6 favorites]


Sophos 'discovered' it. In other news: Pfizer discovers new disease that thousands of people have but don't know it, so everyone will have to buy a new and expensive immunization, which, coincidentally enough, Pfizer has just discovered!

If Sophos makes money by discovering and publicizing an unknown backdoor/security hole in 3,000 different applications, I think they deserve it.
posted by msalt at 12:52 PM on August 20, 2009 [4 favorites]


There have always been rumors of AV vendors writing & releasing viruses so they can "cure" their creations. Funny thing, it was always traceable back to virus writers spreading the rumor.
posted by scalefree at 12:56 PM on August 20, 2009 [2 favorites]


Is the backdoor called by name or by value?
posted by tommasz at 12:57 PM on August 20, 2009 [2 favorites]


Sophos 'discovered' it

Sophos isn't into those backdoor shenanigans. At least, there's no evidence for it.
posted by Blazecock Pileon at 1:01 PM on August 20, 2009


Thompson actually put a backdoor into his own C compiler, purely for debugging purposes of course... right?
posted by PenDevil at 1:03 PM on August 20, 2009


Lutoslawski, security companies certainly have been guilty of over hyping security risks but they'd be pretty dumb to lie about them. There are lots of independent researchers who love to investigate this kind of stuff and would call them on it in days. It looks like they just announced this today but I'd be really surprised if it wasn't real.
posted by octothorpe at 1:06 PM on August 20, 2009 [1 favorite]


>Can the MeFi nerd detective squad decrypt these dork packets into something comprehensible by us laymen?

Sure.

Presumably you know what a back door is from watching cheesy Hollywood thrillers: it's a way to access a system through some unexpected and undocumented channel, built into the system by its original creator so he (or someone else who knows the trick) can gain unauthorized access to the system once it's been deployed in the real world.

Now, to explain a compiler: computer programs are not written in a language that a computer can understand directly. In order to make programming easier for our puny human brains, we write programs in so-called high-level languages, such as C++ or PHP—languages which can adequately describe the abstractions used by computers, yet which are sufficiently intuitive to (geeky) humans that we can make sense of them too. They're sort of an intermediary language between natural human language and the computer's native language (machine code).

Before a computer can actually run a program, it has to be translated, or compiled, into machine code. This translation is performed by a specialized program known as a compiler. Compiling is sort of like taking a blueprint of a thing (the source code, written in a human-friendly language) and making it into an actual thing (an actual, executable program composed of machine code—e.g., an .exe file, in Windows).

So, what we have here is a compiler which automatically builds a back door into every program it compiles. If a software company ships a program (such as banking software) that was unwittingly compiled with the shady compiler, then anyone who knows the trick to the back door can present the secret handshake and gain superuser access to the system.
posted by ixohoxi at 3:31 PM on August 20, 2009 [6 favorites]


Uh, Sophos have an international reputation they would stand to lose by manufacturing a virus threat. And you'd best believe there are plenty of white hats out there who would call them on it in about 5ms.

By releasing this information, as well, other antivirus makers will be able to modify their own software to find and clean the infection. This isn't something you can patent (knock wood).
posted by dhartung at 3:31 PM on August 20, 2009


Clever, the blackhats are a smart bunch of a-holes. The warning posted on the Sophos site is ominous:
Please be aware - this virus isn’t just a threat if you are a software developer who uses Delphi. It’s possible that you are running programs which are written in Delphi on your computers, and they could be affected. Sophos has received thousands of reports of programs infected by W32/Induc-A.
So are we at risk?

Well, this virus seems to've flown under the radar for quite a while. And looking at lists of just some popular software created with Delphi (and therefore potentially at risk of having been infected at compile-time), a few stand out to me: SoftTree SQL Assistant, Ad-Aware, KMPlayer, MediaMonkey, MySQL Administrator, Webroot Spy Sweeper, Spybot - Search & Destroy, Skype, etc.

Now hopefully/probably the devs of those (and other) apps didn't have infected development/deployment toolchains, but just think: a Skype developer with a pwnd machine compiles the binaries and that installer is published online for public download...good night & good luck.
posted by Glee at 3:33 PM on August 20, 2009 [2 favorites]


It's kind of odd that someone would go to all the work of figuring out how to do something like that, but then write it to target...Delphi. Really? I mean, Object Pascal? What did it ever do to anybody? Or for anybody, for that matter?

That's like constructing your own Javelin missile in your garage, but deciding to make it only capable of hitting pre-1987 American Motors cars.
posted by Kadin2048 at 3:37 PM on August 20, 2009 [4 favorites]


On the one hand, this is cool. On the other hand, it isn't.
posted by rodgerd at 3:40 PM on August 20, 2009


That's like constructing your own Javelin missile in your garage, but deciding to make it only capable of hitting pre-1987 American Motors cars.

I see what you did there.
posted by davejay at 3:41 PM on August 20, 2009 [1 favorite]


I had the same issue with not being able to comment here.

2 things wrong with this post:

1) The compiler is not affected/infected. The virus adds itself to a common library that gets compiled into the final exe.

2) There is no back door created. The virus just reproduces itself.
posted by Bort at 3:43 PM on August 20, 2009 [1 favorite]


Surprised that having dedicated, fire-walled (from other dev boxes), imaged build machines isn't a more common practice.

Having a set up where all built-binaries go out into the world from a clean build machine would pretty much avoid these problems.
posted by schwa at 3:45 PM on August 20, 2009


> Can the MeFi nerd detective squad decrypt these dork packets into something comprehensible by us laymen?

To extend ixohoxi's excellent explanation:

The effect on you the computer user? Hard to say. You're not in a position to know what on your computer is written in what language or compiled by what compiler. But this may affect you even if your own computer is not vulnerable: You probably run your card through a Windows-based ATM kiosk, and your credit-card purchases at some grocery store or another is bound to be processed by a Windows POS unit, a Windows server in the store, or Windows-based servers at the credit card processing company, and so on -- and if any of the applications handling your data on those computers were written in Delphi, they may be vulnerable to intrusion. Your store or bank may have appropriate security measures in place already, but so many systems are connected to so many other systems, you have to rely on the section of the aggregate financial network that your transactions go through to be sufficiently secure.

The manufacturer of the Delphi compiler should be shitting bricks right now.
posted by ardgedee at 3:47 PM on August 20, 2009


It's kind of odd that someone would go to all the work of figuring out how to do something like that, but then write it to target...Delphi. Really?

You may want to take a look at where Delphi is used.

Also, virus writers don't choose their exploits so much as take advantage of the ones they find.
posted by dhartung at 3:55 PM on August 20, 2009


I wrote this up during the Big Metafilter Blackout, and I'll go ahead and post it now. It's an explanation from a different angle than what's above.

*****
Ok, rough attempt at layperson-speak:

Delphi is a very nice programming environment, something like Visual Basic, but a lot more powerful. It's suitable for writing just about anything short of device drivers. It's used heavily in banking because it makes reliable code, talks really well with a bunch of different databases (banks are heavily database-dependent), and is smoking fast.

This specific trojan does two things. It opens a backdoor on the machine, possibly a listening socket that lets the bad guy run remote commands.... they don't talk too much about this part of it. Further, when it runs on a machine with Delphi installed, it modifies the Delphi compiler. From then on, any Delphi program compiled on that machine will include the trojan. This means it would spread completely through a Delphi development house in just a few days, meaning that all future output from that dev team would include the trojan.

They're not talking about it like it's a virus -- it doesn't sound like it keeps running. When you run an infected app, it opens a socket or something, and infects your local Delphi installation if you have one. But once you close the app, it sounds like the backdoor goes away, so your whole system isn't screwed -- unless someone who knew about the backdoor used it to gain entry, or unless the backdoor actively downloads other exploits.

They're aiming this at banks, so they need to be really subtle. My guess would be that even if you've run infected programs, unless you have a Delphi compiler installed, your system is probably intact. As long as you're behind an external firewall of some kind, you probably just need to delete the infected programs. Probably.

Don't take that as a promise. They haven't yet been very clear about what the backdoor consists of.
posted by Malor at 3:56 PM on August 20, 2009 [1 favorite]


I actually had no idea that people were still building applications with Delphi. I thought that went away in the late nineties.
posted by octothorpe at 3:58 PM on August 20, 2009 [2 favorites]


So ixohoxi is right in describing this exploit, but wrong in describing "Reflections on Trusting Trust". Let me try:

A compiler is a program that turns "source code", a version of a program that is easy for humans to read and write, into "machine code", a version of a program that machines can run.

As an analogy, think of a compiler as a program that takes a recipe and returns finished food. You feed it a recipe that looks like "1 cup flour, 1/2 cup butter, 10 apples, peeled, 1 cup sugar..." and it gives you an apple pie.

Now, say someone gives you an evil compiler. What it does is whenever it sees a recipe with apples, it uses poison apples instead. Anyone who eats this compiler's pies will die (i.e. the programs it makes will have backdoors)! Even if you examine the recipe itself to make sure it is poison-free, if you have an evil compiler you might still end up with a poison pie. So how do you make sure that the compiler follows the recipe?

Luckily, the compiler is a program too, so it has its *own* recipe (source code) -- which you can examine to make sure that what it does is on the up-and-up. So we're set now, right? All we need to do is read the source code for the compiler, and if it's fine, we know the programs it makes will be fine too.

But the insight of "Reflections on Trusting Trust" is that you still need to turn the source code for the compiler into an actual compiler that your computer can run. And this requires another compiler. What if an evil compiler was used to compile our compiler itself? Then we'd have an evil compiler, even though the source code looks fine.

This leads to an infinite regression. These days, your compiler is a product of generations and generations of previous compilers. Sure, maybe you can check which program compiled your compiler, but you can't check which program compiled the program that compiled your compiler, etc. So you have no way of knowing for sure that you have a good one and not a bad one.

Luckily, nobody's suggesting that this exploit exploits other compilers. So it's just a virus that spreads through compilers, rather than a true "reflections on trusting trust" style virus.
posted by goingonit at 4:02 PM on August 20, 2009 [8 favorites]


It's all Greek to Me

Indeed. "Delphi" and "Trojan Horse" and "Sophos" -- and because it's a back door exploit.
posted by pracowity at 4:02 PM on August 20, 2009 [17 favorites]


It's kind of odd that someone would go to all the work of figuring out how to do something like that, but then write it to target...Delphi. Really? I mean, Object Pascal? What did it ever do to anybody? Or for anybody, for that matter?

The approach they used might not work with other compilers. You attack what's vulnerable.
posted by Chocolate Pickle at 4:04 PM on August 20, 2009


Nice metaphor, goingonit. I'll remember that one.
posted by ixohoxi at 4:06 PM on August 20, 2009


Except rather than just poisoned pies, the pies are harmless, and taste just like normal pies except if you re-heat the pie in another oven that oven turns evil too. Oh and also the pies contain brain-control parasites, so anyone who's eaten anything cooked in a contaminated oven can become a zombie at the flip of a switch.
posted by delmoi at 4:17 PM on August 20, 2009 [2 favorites]


Again, there is no back door here. Win32.Induc does nothing malicious besides propagating.

Also, it is not the compiler that gets compromised. It is a common library file that gets included as part of the compiling process. It's debatable whether this is a distinction that matters; however, as it is a code (text) file that gets compromised as opposed to an exe, it is easier to detect (in theory, anyway).
posted by Bort at 4:31 PM on August 20, 2009


Can the MeFi nerd detective squad decrypt these dork packets into something comprehensible by us laymen?

I had hoped your insulting question would go unanswered but I guess dorks and nerds are also chumps.
posted by srboisvert at 4:36 PM on August 20, 2009 [1 favorite]


I actually had no idea that people were still building applications with Delphi. I thought that went away in the late nineties.

Nothing ever goes away, and the last two programmers in $LANGUAGE make very good money.
posted by mikelieman at 4:37 PM on August 20, 2009 [2 favorites]


The rumor has always been that Ken Thompson actually did do this (altered the compiler, deleted the altered source code, waited for someone to recompile login, logged in using the back door). It's probably just one of those rumors that persists simply because people want it to be true, though.

ə: Sure, but where do you generate the images for your build machines? And so on. It gets pretty elaborate pretty quickly, and then your boss starts asking why you're spending time on such an abstruse threat, and…
posted by hattifattener at 5:05 PM on August 20, 2009


Indeed. "Delphi" and "Trojan Horse" and "Sophos" -- and because it's a back door exploit.

I'm glad somebody got it, I was quite pleased with myself. Though I hadn't intended that last one.
posted by scalefree at 5:08 PM on August 20, 2009


Win32.Induc does nothing malicious besides propagating.

Yeah that's my fault, I misread part of the original article I took it from:
Sophos detected more than 3,000 programs infected with the code, including some banking Trojans, suggesting that even cybercriminals have had their computers compromised by the program.
So you can strike anything anybody's said about backdoors. My bad.
posted by scalefree at 5:17 PM on August 20, 2009


I actually had no idea that people were still building applications with Delphi. I thought that went away in the late nineties.

Delphi is a beautiful language; it feels more like writing poetry than programming. It's my belief that Delphi only went out of fashion because Borland decided to focus on database development instead of the graphics stuff that hobbyists found hot at the time. Object Pascal is extremely fast, both in terms of compile and run speed, and it would have been a truly serious mainstream development environment. They should have eaten Visual C's lunch.

But Borland decided they wanted to go after the super-high end, that they'd rather have 50,000 sales at $2k/seat than however many they'd get at $100. That may have been the right decision from a short-term monetary-extraction premise, but it doomed them to market irrelevance everywhere but in a few niches. It was really a shame to watch the company that made Turbo Pascal, just about the definition of the Everyman Compiler, completely abandon its roots and, essentially, kill itself.

I think Delphi really died when Microsoft poached Anders Hejlsberg, the primary architect. They gave him millions, correctly determining that he was the driving force behind their biggest language competitor. And he went on to design C#, turning into a major force for their .NET initiative, so it appears they were right.
posted by Malor at 5:26 PM on August 20, 2009 [2 favorites]


Again, there is no back door here. Win32.Induc does nothing malicious besides propagating.

The article Bort linked to doesn't explain how the analysts have concluded that this virus does nothing but propagate. (Have they successfully decompiled it and determined nothing else is in there? Have they "just" set up a sandbox, observed its behaviour, and seen nothing but propagation?)

If the virus is still a blackbox with no observable "bad behaviour," why didn't its creator(s) arm it? For such an uncommon virus type, they managed to infect a ton of computers for...the lulz?

What I'm asking, I think, is:

1. Is the virus only currently dormant (bad news coming soon from Win32.Induc-A)? or
2. Is this a dry run with a prototype (bad news coming from later generations, Win32.Induc-B–Z)?
posted by Glee at 5:40 PM on August 20, 2009


Woah woah woah people. I was jesting about the whole 'discovered' thing. Let's not derail this thread into some Oryx and Crake conspiracy theory craziness.

No, I don't actually think this is a ploy; the same cannot be said for many corporations, however.
posted by Lutoslawski at 5:49 PM on August 20, 2009


(tried to post I was kidding earlier, but mefi was actin' up)
posted by Lutoslawski at 5:51 PM on August 20, 2009


doesn't explain how the analysts have concluded that this virus does nothing but propagate

From the article linked in the post:
The W32/Induc-A virus inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable.
So the analysts have access to the source of the virus.

-

I'd opt for 2. Is this a dry run with a prototype (bad news coming from later generations, Win32.Induc-B–Z)? Although it could just be a proof-of-concept type thing and/or someone just fooling around.
posted by Bort at 6:04 PM on August 20, 2009 [1 favorite]


I'm pretty sure there aren't any delphi apps on my mac... yet.
posted by b1tr0t at 6:14 PM on August 20, 2009


Object Pascal is extremely fast, both in terms of compile and run speed, and it would have been a truly serious mainstream development environment.

And with Pascal's string handling, if it were more popular for general programming than C/C++, you'd see substantially fewer dumb coding related security problems.

*sigh*
posted by rodgerd at 6:29 PM on August 20, 2009


No rumor, hattifattener. Ken Thompson not only postulated it, he actually admitted he did it.
posted by fings at 6:32 PM on August 20, 2009 [2 favorites]


Lay-people! Listen to me! They are all lying! Evil phreeks have hacked the gibson, and with a single password on their no-more-secrets cryptkeeper chip (probably something like "swordfish") they can kill you from their Moonraker satellite! The only way to be safe is to clean your power supply with a mixture of diet coke and mentos. Just pour the cure into your keyboard if you have a notebook, or into the fan vent if it's a desktop. If it's an iMac, a hatchet is your only chance. Do it now!

* * *

OK. Jut us nerds in the thread now? Good.

That's like constructing your own Javelin missile in your garage, but deciding to make it only capable of hitting pre-1987 American Motors cars.

Oh, you poor, deluded fool. You are aware there are mission critical applications still run on VMS? That "Cobol and JCL programmer" is a recession-proof job description? No? Well, boy howdy, are you in for a surprise. Welcome to corporate IT - like the Hotel California, you can check out your code any time you like, but you can never migrate.

Every language, ever, is still in use some place. Not only is Delphi still in business, they are actually making money. Why? A jillion little companies hand-roll their own apps for their desktop and backend servers with it, and have had the same codebase since the early '90s. It would simply cost too much, and bring too much risk of downtime, to migrate away (in the mind of the typical CIO, who has an MBA and a membership at the same club as the CEO and CFO.) So, yes, Delphi is freakin' =everywhere=.

The bigger question is, how much exposure is there? What does the backdoor actually do, how does it circumvent OS security measures, and how would it be accessed from the outside? We saw something like this with the Code Red virus backdoor into MSSQL... a firewall rule or switch/router ACL pretty much killed it dead.

Remember, when it comes to 'sploits, "Gee, that's neat" is about as far as the impact goes... countermeasures are trivial so long as your infosec guy keeps up.
posted by Slap*Happy at 7:03 PM on August 20, 2009 [1 favorite]


So we had a hiccup on MeFi and there were some comments when it cleared and then they were deleted. Why? I hate that stuff.
It must have gotten this thread as I have tried to comment about a dozen times and MeFi just fails to respond. ;) Not that anyone will ever see this if it continues, but it amuses me to keep trying. I just add a little more each time. I am just talking to myself it seems. I hope it does not get too embarrassing if the thread finally accepts my comment.

It's still amusing, but starting to get annoying.

I notice no one else is commenting here either. odd.

Maybe if I try a different browser...
posted by caddis at 6:31 PM on August 20

...

Weee. Now that was fun. All the comments came in at once. It must be the compiler. ;)
posted by caddis at 6:38 PM on August 20
So, it was probably clean-up, but perhaps too much. We had gobs of comments posted multiple times. Yet, why erase the comments about the problem? That has always been part of the fun of MeFi. JRun, run....
posted by caddis at 7:12 PM on August 20, 2009


The bigger question is, how much exposure is there? What does the backdoor actually do, how does it circumvent OS security measures, and how would it be accessed from the outside?

From everything I've read, it does nothing but self-replicate. It's not a backdoor, no external access at all. What it is is a nifty proof-of-concept of something Thompson predicted 25 years ago, and at the same time is a bit of a "shot across the bow" for security and applications software vendors, exposing a major weak spot in the defenses they provide.
posted by deadmessenger at 7:14 PM on August 20, 2009


The bigger question is, how much exposure is there? What does the backdoor actually do, how does it circumvent OS security measures, and how would it be accessed from the outside?

There is no backdoor, at least in the version that's known. That was my mistake, I skimmed the article a bit too fast before posting. There may be other versions, but all this one does is propagate itself. It's been a hot day; sorry for the confusion.
posted by scalefree at 7:15 PM on August 20, 2009


Delphi is a beautiful language; it feels more like writing poetry than programming.

I agree 100%... that's one reason I've used it for years to develop and maintain a very complex scientific program that numbers well over 100,000 lines of code. Everything is so damn readable and elegant, no matter how complex the algorithm. I have Delphi 5 on an OS that has been steaming along for 3 years with various third-party VCLs, and this trojan is nowhere to be found after I ran today's Kaspersky, manually examined the /lib directories, and gone in with a hex editor. It's admittedly a limited sample but I have a hunch that the exploit is not all that common.
posted by crapmatic at 9:57 PM on August 20, 2009


Oho, thanks, fings. And now that I read that, I remember having read it before. (Possibly even when I used to read a.f.c, probably not.)
posted by hattifattener at 11:00 PM on August 20, 2009


Tried to post this yesterday mid-bork.

Reflections is absolutely the most mindfucking piece of writing I've ever had the pleasure to be violated by. Because computer programs can be so introspective and self-modifying, security issues get to the Gödelian limit rather quickly; you really need to have an entirely different mindset to really make headway.
posted by Skorgu at 7:23 AM on August 21, 2009


Everything is so damn readable and elegant, no matter how complex the algorithm.

If the readability doesn't vary according to the complexity of your algorithm, it might have more to do with your font than your programming language.
posted by atbash at 7:39 AM on August 21, 2009 [1 favorite]


What do you mean, Zapfino isn't a programming font?
posted by hattifattener at 11:49 AM on August 21, 2009


Oh, you poor, deluded fool. You are aware there are mission critical applications still run on VMS? That "Cobol and JCL programmer" is a recession-proof job description? No? Well, boy howdy, are you in for a surprise. Welcome to corporate IT - like the Hotel California, you can check out your code any time you like, but you can never migrate.

I wish I didn't know that as well as I do. :)

But even compared to DCL, JCL or COBOL, attacking the Delphi compiler seems like a strange choice. I've worked on projects in some really niche languages (Forte TOOL, anyone?) and Delphi seems to be in the same boat; I get that there's stuff written in it, but if you have the chops to backdoor a compiler and make a self-propagating worm, it's an odd target. As Malor points out, it was a beautiful language, but it was a language that never really took off. Why not go after a bigger target?

It makes me wonder if it's not an inside job in some way. I don't mean by Sophos, but by someone who had or has really intimate knowledge of the Delphi compiler. It just seems like such an odd choice otherwise.
posted by Kadin2048 at 12:29 PM on August 21, 2009


One thought is that it might be very old. It's patching a compiler library file, and if it's clever about how it does so, the same patch might work across multiple revs of the system as a whole. Delphi has stayed pretty backward-compatible, as far as I know. Could it have been written back in, say, 1999 when it was still kind of mainstream, and nobody ever noticed before?

I guess it doesn't actually have a backdoor, which is why I was confused about what the backdoor did up there. (I assumed it existed because the OP thought it did, and noticed that there was little talk about the nature of the exploit.) So if that's the only symptom, that Delphi programs modify a compiler file if and only if that specific file already exists, it could have just flown under the radar for a decade or more. Without any additional symptoms and no working exploit, you'd just never think to analyze further.
posted by Malor at 2:54 PM on August 21, 2009

