I was passed a query from a journalist in the UK about Win32/Induc.A, the Delphi infector both Randy and I have blogged about previously, asking whether ESET has figures supporting my contention that this "harmless" malware actually has the potential to cause significant damage, as he had seen no reports of "even minor disruption."
While we do have statistics from our ThreatSense.Net technology, we don't give out absolute numbers for malware detections, as that sort of statistic is more confusing than helpful. The feedback mechanism involves a large but self-selecting population of ESET-protected machines, and doesn't necessarily reflect the situation among the total population of PCs accurately: it's never more than a trend indicator, so any extrapolation to a global figure is guesswork.
However, I can tell you (as I told him) that when we added detection of Induc.A to our products, ThreatSense.Net came in with 30,000 detection reports in 24 hours. In the UK, it accounted for 0.26% of detections in August, putting it at number 51: worldwide, it scored 0.39%, putting it at number 37. That's still a pretty significant figure, though, for a recently added detection.
As of around 2.45 on Monday, 7th September, Win32/Induc.A represented 0.64% of our worldwide detections for September so far, which put it at number 22 in the rankings at that time. That's as compared to 4.11% for INF/Autorun, which was the top-ranked detection. For the UK, though, the ranking was significantly lower: 0.40%, at number 36. Nonetheless, incidence is increasing worldwide and in the UK.
You have to remember, though, that this is a measure of detections of infected files, not of disruption (whatever you may understand by that term): disruption can't really be calculated from this automated service.
- Some of those detections will be Trojans in their own right that happen to be infected with Induc.A because they were compiled with an infected version of Delphi.
- Some will be detections of programs that the user hasn't tried to run, or weren't installed because Induc was detected.
- Many will be installations that cause minor inconvenience rather than major loss of functionality, which I guess is what the journalist was getting at.
If you look back at my recent blog post, you'll see that the blog isn't about a scaremongering "thousands of machines will be put out of commission" prediction, it's about the fact that there are a lot of infected files out there (and I think the figures speak for themselves on that).
However, in most cases, removal of those files won't cause major damage. The case where a system is actually put out of commission because an infected program is installed and can no longer run is hypothetical: I don't expect to see lots of those, but it was important to make the point that it could happen, because there's a tendency to assume that Induc.A is a "harmless" virus because it can't infect most systems. The point that people are missing is that it can affect systems without "infecting" Delphi. In most cases the effect will probably be trivial, but it will still cause some disruption.
Having said all that, though, I'd still say that a reported distribution of 4m infected files by Computer Bild constitutes serious disruption, irrespective of whether anyone actually executed that particular program (TidyFavorites 4.1, according to John E. Dunn on Techworld).
David Harley
Director of Malware Intelligence