[Lazarus] delphi - virus

Marc Santhoff M.Santhoff at web.de
Sat Aug 22 23:30:45 CEST 2009


On Saturday, 22.08.2009, 20:04 +0200, Mattias Gaertner wrote:
> On Sat, 22 Aug 2009 19:50:40 +0200
> Marc Santhoff <M.Santhoff at web.de> wrote:
> 
> > On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
> > > Some more information on this...
> > > 
> > > Its propagation mode is that it changes sysconst.dcu, and any app
> > > compiled and subsequently run on a machine which has delphi
> > > installed has its sysconst.dcu infected. Fixing is easy, as your
> > > original sysconst.dcu is renamed sysconst.bak, so you just switch
> > > it back and make the directory non-writable.
> > > 
> > > Details at:
> > > 
> > > http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
> > > 
> > > Cheers, Bruce.
> > > 
> > > PS: of course it does not affect Lazarus :-)
> > > 
> > > waldo kitty wrote:
> > > > Martin wrote:
> > > >> Just something I found:
> > > >>
> > > >> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
> > 
> > In all those descriptions I miss the information on how the manipulated
> > sysconst.dcu has entered the system. There has to be some transporting
> > mechanism still undetected.
> > 
> > Does anybody know how the infection works?
> 
> It was explained on a german site:
> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679

Very fast as always. :)

> Basically it works like this:
> If you got infected all your created programs contain the virus.

That is the real question for me, where and how did the first infection
occur.

> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the
> virus.

I see, so one of those is suspected to be Patient Zero. It would be
interesting to know how they got the virus.

> You as user download and execute the exe and the virus changes
> the sysconst.dcu. Apparently the file must be writable by the user and
> fit the Delphi version.

The nasty trick about the infection is that there is source code
injected, not a binary some scanner could detect using signatures. The
second link has another one titled "discovered" and leading there:

http://www.viruslist.com/en/weblog?weblogid=208187826

Maybe it is time to secure publicly available software repos somehow
(checksums or similar/more).
-- 
Marc Santhoff <M.Santhoff at web.de>
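The thread describes the infection as a modified sysconst.dcu in the compiler's unit directory, with the original left behind as sysconst.bak, and suggests checksums as a countermeasure. The following is an added example (not code from the Lazarus list, Symantec, or any project mentioned above) of the check a build machine could run: record SHA-256 hashes of every file in the units directory into a baseline manifest, then re-verify and flag units that changed, disappeared, turned up unexpectedly, or are still writable for the build user. It is written in Python rather than Delphi so it can run anywhere; the directory layout, file contents and function names are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for compiler unit files.

Added example, not from the mailing list or any project it mentions.
All file contents below are constructed placeholders, not real units.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(units_dir: Path) -> dict:
    """Map every regular file in the units directory to its digest."""
    return {p.name: sha256_file(p)
            for p in sorted(units_dir.iterdir()) if p.is_file()}


def verify_units(units_dir: Path, manifest: dict) -> dict:
    """Compare the directory against a trusted manifest.

    Returns lists of files that were modified, are missing, were not in
    the baseline (e.g. a stray sysconst.bak), or carry any write bit.
    """
    result = {"modified": [], "missing": [], "unexpected": [], "writable": []}
    current = build_manifest(units_dir)
    for name, digest in manifest.items():
        if name not in current:
            result["missing"].append(name)
        elif current[name] != digest:
            result["modified"].append(name)
    for name in current:
        if name not in manifest:
            result["unexpected"].append(name)
        mode = (units_dir / name).stat().st_mode
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            result["writable"].append(name)
    return result


def demo() -> dict:
    """Build a clean baseline, then reproduce the tampering pattern the
    thread describes (original renamed to .bak, unit replaced) and verify.
    """
    with tempfile.TemporaryDirectory() as tmp:
        units = Path(tmp)
        original = b"CONSTRUCTED placeholder for sysconst.dcu"  # not a real unit
        (units / "sysconst.dcu").write_bytes(original)
        (units / "sysutils.dcu").write_bytes(b"CONSTRUCTED placeholder for sysutils.dcu")
        # Harden the directory contents the way the thread recommends: read-only.
        for p in units.iterdir():
            p.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        manifest = build_manifest(units)
        manifest_json = json.dumps(manifest, indent=2)  # what you would store off-box
        clean = verify_units(units, json.loads(manifest_json))

        # Simulated tampering: unit made writable, original kept as .bak, unit replaced.
        target = units / "sysconst.dcu"
        target.chmod(stat.S_IRUSR | stat.S_IWUSR)
        (units / "sysconst.bak").write_bytes(original)
        target.write_bytes(original + b" + CONSTRUCTED extra bytes")
        dirty = verify_units(units, json.loads(manifest_json))

        # Restore write permission so the temporary directory can be removed.
        for p in units.iterdir():
            p.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return {"clean": clean, "dirty": dirty}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the build user cannot write (or sign it), and run the verification before each build; a non-empty "unexpected" or "writable" list is worth treating as a finding even when no hash has changed yet.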