[Lazarus] delphi - virus

Michael Van Canneyt michael at freepascal.org
Sat Aug 22 20:51:35 CEST 2009



On Sat, 22 Aug 2009, Mattias Gaertner wrote:

> On Sat, 22 Aug 2009 20:22:14 +0200 (CEST)
> Michael Van Canneyt <michael at freepascal.org> wrote:
>
>>
>>
>> On Sat, 22 Aug 2009, Mattias Gaertner wrote:
>>
>>> On Sat, 22 Aug 2009 19:50:40 +0200
>>> Marc Santhoff <M.Santhoff at web.de> wrote:
>>>
>>>> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>>>>> Some more information on this...
>>>>>
>>>>> Its propagation mode is that it changes sysconst.dcu, and any app
>>>>> compiled and subsequently run on a machine which has delphi
>>>>> installed has its sysconst.dcu infected. Fixing is easy, as your
>>>>> original sysconst.dcu is renamed sysconst.bak, so you just switch
>>>>> it back and make the directory non-writable.
>>>>>
>>>>> Details at:
>>>>>
>>>>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>>>>
>>>>> Cheers, Bruce.
>>>>>
>>>>> PS: of course it does not affect Lazarus :-)
>>>>>
>>>>> waldo kitty wrote:
>>>>>> Martin wrote:
>>>>>>> Just something I found:
>>>>>>>
>>>>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>>>>
>>>> In all those descriptions I miss the information on how the
>>>> manipulated sysconst.dcu has entered the system. There has to be
>>>> some transporting mechanism still undetected.
>>>>
>>>> Does anybody know how the infection works?
>>>
>>> It was explained on a German site:
>>> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
>>>
>>> Basically it works like this:
>>> If you got infected all your created programs contain the virus.
>>> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the
>>> virus. You as user download and execute the exe and the virus
>>> changes the sysconst.dcu. Apparently the file must be writable by
>>> the user and fit the Delphi version.
>>
>> As I understood it, it modified the .pas file, and placed the
>> modified file in the LIB directory (where the .dcu is located), thus
>> causing the file to be recompiled and included every time one
>> compiles a program. The Delphi version was irrelevant.
>
> Where did you get that from?

http://www.sophos.com/blogs/sophoslabs/v/post/6195
They speak of 
"Sophos has issued Genotype detection (Mal/Induc-A, Mal/Induc-B) for all 
infected versions of SysConst.dcu and SysConst.pas that we are aware of."

See also

http://www.sophos.com/blogs/sophoslabs/?p=6117

"When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi 
installation on the current machine. If it finds one, it tries to write malicious 
code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old 
copy of this file to SysConst.bak). The new infected SysConst.dcu file will then 
add W32/Induc-A code to every new Delphi file that gets compiled on the system - 
some of the strings from the inserted code look like this:"

They provide a look at the sysconst.pas file after infection.

>
>>> Does the lazarus windows installer install writable ppus?
>>
>> AFAIK, it must, otherwise Lazarus cannot be recompiled ?
>
> ?
>
> For years Lazarus has checked whether the directory is writable and, if not, uses
> its config directory \bin as output directory.

Ah. I didn't know that :-)

>
>
>> In each case, if it works on the source level, there is nothing to be
>> done.
>>
>> Clever trick, however you look at it :-)
>
> If you try that with fpc you get:
> PPU Loading /usr/lib/fpc/2.3.1/units/i386-linux/rtl/sysutils.ppu
> Recompiling sysutils, checksum changed for sysconst
> Fatal: Can't find unit sysutils used by Classes

Probably the author found a way to keep the checksum?

Michael.
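A defender's check for the file-level traces the thread describes (SysConst.bak left next to a recompiled SysConst.dcu, a SysConst.pas dropped into the Lib directory, and a writable Lib directory), together with the restore step Bruce outlines, as an added Python example that is not code from the thread. The Lib directory layout and file contents in demo() are constructed, and the chmod stands in for "make the directory non-writable" on a POSIX filesystem.

```python
import os
import shutil
import tempfile
from pathlib import Path

# File-level indicators named in the thread: the original .dcu is renamed
# .bak, a modified .pas is placed beside it so it gets recompiled, and the
# directory has to be writable by the user for that to happen.
INDICATORS = ("SysConst.bak", "SysConst.pas", "SysConst.dcu")

def assess_delphi_lib(lib_dir) -> dict:
    """Report which of the thread's indicators are present in a Lib directory.
    Nothing is read or disassembled; this only checks the file layout."""
    lib = Path(lib_dir)
    present = {name: (lib / name).is_file() for name in INDICATORS}
    return {
        "backup_present": present["SysConst.bak"],
        "source_in_lib": present["SysConst.pas"],
        "dcu_present": present["SysConst.dcu"],
        "dir_writable": os.access(lib, os.W_OK),
        "suspicious": present["SysConst.bak"] or present["SysConst.pas"],
    }

def restore_from_backup(lib_dir, quarantine_dir) -> bool:
    """Switch SysConst.bak back to SysConst.dcu and make the directory read-only.
    The replaced .dcu and any stray .pas are moved to quarantine_dir (not
    deleted) so they stay available for analysis. Returns False if no backup."""
    lib, quarantine = Path(lib_dir), Path(quarantine_dir)
    backup = lib / "SysConst.bak"
    if not backup.is_file():
        return False
    quarantine.mkdir(parents=True, exist_ok=True)
    for name in ("SysConst.dcu", "SysConst.pas"):
        stray = lib / name
        if stray.is_file():
            shutil.move(str(stray), str(quarantine / name))
    backup.rename(lib / "SysConst.dcu")
    os.chmod(lib, 0o555)  # directory no longer writable by its owner
    return True

def demo() -> dict:
    """Constructed Lib directory in the post-infection state, then the restore."""
    root = Path(tempfile.mkdtemp())
    lib = root / "Lib"
    lib.mkdir()
    (lib / "SysConst.bak").write_bytes(b"original dcu (constructed)")
    (lib / "SysConst.dcu").write_bytes(b"recompiled dcu (constructed)")
    (lib / "SysConst.pas").write_text("unit SysConst; { constructed sample }")
    before = assess_delphi_lib(lib)
    restored = restore_from_backup(lib, root / "quarantine")
    after = assess_delphi_lib(lib)
    return {"before": before, "restored": restored, "after": after,
            "dcu_bytes": (lib / "SysConst.dcu").read_bytes()}
```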
