In 1984, Ken Thompson, the operating system and programming language pioneer, received the ACM’s Turing Award. In his short, highly-readable Turing Award speech, he describes "the cutest program I ever wrote." He notes that because the C compiler is written in C, it is possible to alter the source code maliciously to produce a malicious compiler executable. The malicious code can then be removed from the C source, and the original code recompiled. The malicious code remains in the "new" executable, however, because it was prouced by the trojaned compiler.
If you can persuade someone to use your modified compiler, or if you can modify the compiler on their machine, then you can infect the executables they produce, even if they recompile the compiler itself from source code! If that seems unlikely or difficult, read the whole paper. It’s easier than you think. Thompson concludes:
The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untested code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.
Now it seems that somebody has actually gone and done this with old versions of Delphi. Frankly, I’m surprised it took so long. Perhaps this is just the first time we’ve noticed. But the problem described by Thompson is so insidious that in the quarter century since he gave his address (which really just gave additional prominence to an issue discovered decades before that) it’s almost remarkable that this technique is not more widespread. It’s also interesting that this specific case is relatively innocuous; the virus does nothing more than reproduce itself, and only affects a very old compiler. Is this a test shot? Someone whose curiosity got the better of them?
I don’t know. But the historical perspective is clear: This is not about Delphi, and it’s not about the malware of the week. It’s an old question of trust becoming new again.
Here is one proposal for countering these attacks. Interestingly, the technique can sometimes find unintended compiler bugs, as well. They can be hard to distinguish sometimes!