[Lazarus] delphi - virus

Mattias Gaertner nc-gaertnma at netcologne.de
Sat Aug 22 20:37:52 CEST 2009


On Sat, 22 Aug 2009 20:22:14 +0200 (CEST)
Michael Van Canneyt <michael at freepascal.org> wrote:

> 
> 
> On Sat, 22 Aug 2009, Mattias Gaertner wrote:
> 
> > On Sat, 22 Aug 2009 19:50:40 +0200
> > Marc Santhoff <M.Santhoff at web.de> wrote:
> >
> >> On Friday, 21.08.2009, at 11:08 +1000, Bruce Tulloch wrote:
> >>> Some more information on this...
> >>>
> >>> Its propagation mode is that it changes sysconst.dcu, and any app
> >>> compiled and subsequently run on a machine which has delphi
> >>> installed has its sysconst.dcu infected. Fixing is easy, as your
> >>> original sysconst.dcu is renamed sysconst.bak, so you just switch
> >>> it back and make the directory non-writable.
> >>>
> >>> Details at:
> >>>
> >>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
> >>>
> >>> Cheers, Bruce.
> >>>
> >>> PS: of course it does not affect Lazarus :-)
> >>>
> >>> waldo kitty wrote:
> >>>> Martin wrote:
> >>>>> Just something I found:
> >>>>>
> >>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
> >>
> >> In all those descriptions I miss the information on how the
> >> manipulated sysconst.dcu has entered the system. There has to be
> >> some transporting mechanism still undetected.
> >>
> >> Does anybody know how the infection works?
> >
> > It was explained on a German site:
> > http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
> >
> > Basically it works like this:
> > If you got infected all your created programs contain the virus.
> > Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the
> > virus. You as user download and execute the exe and the virus
> > changes the sysconst.dcu. Apparently the file must be writable by
> > the user and fit the Delphi version.
> 
> As I understood it, it modified the .pas file, and placed the
> modified file in the LIB directory (where the .dcu is located), thus
> causing the file to be recompiled and included every time one
> compiles a program. The Delphi version was irrelevant.

Where did you get that from?

 
> > Does the lazarus windows installer install writable ppus?
> 
> AFAIK, it must, otherwise Lazarus cannot be recompiled ?

?

For years Lazarus has checked whether the directory is writable and, if
it is not, uses its config directory \bin as the output directory.

 
> In each case, if it works on the source level, there is nothing to be
> done.
> 
> Clever trick, however you look at it :-)

If you try that with fpc you get:
PPU Loading /usr/lib/fpc/2.3.1/units/i386-linux/rtl/sysutils.ppu
Recompiling sysutils, checksum changed for sysconst
Fatal: Can't find unit sysutils used by Classes


Mattias
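The thread's two defensive points, keep the compiler's unit directory non-writable and notice when sysconst.dcu has been swapped (Bruce reports the original is renamed sysconst.bak), can be turned into a small integrity check. The script below is an added example written for this page; it is not code from the mailing list, from Lazarus or from FPC. The directory layout, file names and file contents it creates are constructed sample data, and the check runs on a throw-away temporary directory.

```python
"""Integrity check for a compiler's unit/library directory.

Added example (not from the mailing list, not Lazarus/FPC project code).
It implements the two defensive points made in the thread: keep the unit
directory non-writable, and detect a replaced sysconst unit (the thread
says the original is renamed to sysconst.bak). Paths, file names and
sample contents below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large .dcu/.ppu files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(unit_dir: Path, suffixes=(".dcu", ".ppu", ".pas", ".o")) -> dict:
    """Record a hash for every compiled unit / unit source under unit_dir.
    Take this once on a known-good installation and store it read-only."""
    return {
        str(p.relative_to(unit_dir)): hash_file(p)
        for p in sorted(unit_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def compare(unit_dir: Path, known: dict) -> dict:
    """Return files whose hash changed, and files that appeared or vanished."""
    now = baseline(unit_dir)
    return {
        "modified": sorted(k for k in known if k in now and now[k] != known[k]),
        "added": sorted(k for k in now if k not in known),
        "removed": sorted(k for k in known if k not in now),
    }


def suspicious_backups(unit_dir: Path) -> list:
    """Flag 'name.bak' sitting next to 'name.dcu': the thread reports the
    infection renames the original sysconst.dcu to sysconst.bak."""
    hits = []
    for bak in unit_dir.rglob("*.bak"):
        if bak.with_suffix(".dcu").exists():
            hits.append(str(bak.relative_to(unit_dir)))
    return sorted(hits)


def directory_writable(unit_dir: Path) -> bool:
    """True if the current user may create files in unit_dir. A writable
    unit directory is the precondition the thread describes for infection."""
    return os.access(unit_dir, os.W_OK)


def demo() -> dict:
    """Build a throw-away unit directory, record a baseline, then perform the
    file swap the thread describes (original renamed to .bak, different file
    written in its place) and run the checks. All data here is constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        unit_dir = Path(tmp)
        (unit_dir / "sysconst.dcu").write_bytes(b"CONSTRUCTED ORIGINAL UNIT")
        (unit_dir / "sysutils.dcu").write_bytes(b"CONSTRUCTED SYSUTILS UNIT")
        known = baseline(unit_dir)
        # Constructed change for the detector to catch: same rename as reported.
        (unit_dir / "sysconst.dcu").rename(unit_dir / "sysconst.bak")
        (unit_dir / "sysconst.dcu").write_bytes(b"CONSTRUCTED REPLACED UNIT")
        return {
            "compare": compare(unit_dir, known),
            "backups": suspicious_backups(unit_dir),
            "writable": directory_writable(unit_dir),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be taken once against a clean installation and kept somewhere the build user cannot write, and `compare` run before each build; a `modified` entry for a unit the project never touched, or a `.bak` sitting next to a `.dcu`, is the signal worth investigating. The `writable` result is the condition Mattias mentions for Lazarus: a unit directory the build user cannot write to cannot be silently replaced by a program that user runs.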