[Lazarus] delphi - virus

Florian Klaempfl florian at freepascal.org
Mon Aug 24 00:51:34 CEST 2009


Michael Van Canneyt wrote:
> 
> 
> On Sat, 22 Aug 2009, Mattias Gaertner wrote:
> 
>> On Sat, 22 Aug 2009 20:22:14 +0200 (CEST)
>> Michael Van Canneyt <michael at freepascal.org> wrote:
>>
>>>
>>>
>>> On Sat, 22 Aug 2009, Mattias Gaertner wrote:
>>>
>>>> On Sat, 22 Aug 2009 19:50:40 +0200
>>>> Marc Santhoff <M.Santhoff at web.de> wrote:
>>>>
>>>>> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>>>>>> Some more information on this...
>>>>>>
>>>>>> Its propagation mode is that it changes sysconst.dcu, and any app
>>>>>> compiled and subsequently run on a machine which has delphi
>>>>>> installed has its sysconst.dcu infected. Fixing is easy, as your
>>>>>> original sysconst.dcu is renamed sysconst.bak, so you just switch
>>>>>> it back and make the directory non-writable.
>>>>>>
>>>>>> Details at:
>>>>>>
>>>>>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>>>>>
>>>>>>
>>>>>> Cheers, Bruce.
>>>>>>
>>>>>> PS: of course it does not affect Lazarus :-)
>>>>>>
>>>>>> waldo kitty wrote:
>>>>>>> Martin wrote:
>>>>>>>> Just something I found:
>>>>>>>>
>>>>>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>>>>>>>>
>>>>>
>>>>> In all those descriptions I miss the information on how the
>>>>> manipulated sysconst.dcu has entered the system. There has to be
>>>>> some transporting mechanism still undetected.
>>>>>
>>>>> Does anybody know how the infection works?
>>>>
>>>> It was explained on a German site:
>>>> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
>>>>
>>>>
>>>> Basically it works like this:
>>>> If you got infected, all the programs you create contain the virus.
>>>> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the
>>>> virus. You as user download and execute the exe and the virus
>>>> changes the sysconst.dcu. Apparently the file must be writable by
>>>> the user and fit the Delphi version.
>>>
>>> As I understood it, it modified the .pas file, and placed the
>>> modified file in the LIB directory (where the .dcu is located), thus
>>> causing the file to be recompiled and included every time one
>>> compiles a program. The Delphi version was irrelevant.
>>
>> Where did you get that from?
> 
> http://www.sophos.com/blogs/sophoslabs/v/post/6195
> They speak of "Sophos has issued Genotype detection (Mal/Induc-A,
> Mal/Induc-B) for all infected versions of SysConst.dcu and SysConst.pas
> that we are aware of."
> 
> See also
> 
> http://www.sophos.com/blogs/sophoslabs/?p=6117
> 
> "When a file infected with W32/Induc-A runs, it looks to see if it can
> find a Delphi installation on the current machine. If it finds one, it
> tries to write malicious code to SysConst.pas, which it then compiles to
> SysConst.dcu (after saving the old copy of this file to SysConst.bak).
> The new infected SysConst.dcu file will then add W32/Induc-A code to
> every new Delphi file that gets compiled on the system - some of the
> strings from the inserted code look like this:"
> 
> They provide a look at the sysconst.pas file after infection.
> 
>>
>>>> Does the lazarus windows installer install writable ppus?
>>>
>>> AFAIK, it must, otherwise Lazarus cannot be recompiled?
>>
>> ?
>>
>> For years Lazarus has checked if the directory is writable and if not uses
>> its config directory \bin as output directory.
> 
> Ah. I didn't know that :-)
> 
>>
>>
>>> In each case, if it works on the source level, there is nothing to be
>>> done.
>>>
>>> Clever trick, however you look at it :-)
>>
>> If you try that with fpc you get:
>> PPU Loading /usr/lib/fpc/2.3.1/units/i386-linux/rtl/sysutils.ppu
>> Recompiling sysutils, checksum changed for sysconst
>> Fatal: Can't find unit sysutils used by Classes
> 
> Probably the author found a way to keep the checksum?

1) On loading, the checksum is not recalculated but the compiler trusts
the header, so the checksum can be easily patched.
2) FPC uses a CRC, and a CRC can be easily faked today.
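An added example, not part of the thread or of any Lazarus/FPC code: a small audit script that looks for the traces the thread describes (a SysConst.bak left beside SysConst.dcu, a SysConst.pas dropped into the compiled-unit directory, a SysConst.dcu recompiled long after its sibling units) and reports whether the directory is writable by the current user, which is the condition the infector needs. The directory layout it assumes (one flat Lib directory of .dcu files) and the sample directory it builds are constructed for the demonstration.

```python
"""Audit a Delphi library directory for the W32/Induc-A traces described in
the thread. Assumes a flat directory of compiled units (constructed layout)."""
import os
import statistics

# Files the thread says the infector leaves behind (names compared case-insensitively).
INDICATORS = {
    "sysconst.bak": "original SysConst.dcu renamed by the infector",
    "sysconst.pas": "source placed in the unit directory so it is recompiled on every build",
}

def audit_lib_dir(path, skew_seconds=3600):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings = []
    entries = {name.lower(): os.path.join(path, name) for name in os.listdir(path)}
    for lowered, reason in INDICATORS.items():
        if lowered in entries:
            findings.append(f"{os.path.basename(entries[lowered])}: {reason}")
    # A recompiled SysConst.dcu is much newer than the units installed alongside it.
    dcus = [p for n, p in entries.items() if n.endswith(".dcu")]
    target = entries.get("sysconst.dcu")
    if target and len(dcus) > 1:
        others = [os.path.getmtime(p) for p in dcus if p != target]
        if os.path.getmtime(target) - statistics.median(others) > skew_seconds:
            findings.append("SysConst.dcu is much newer than sibling units (recompiled?)")
    # The thread's mitigation: the unit directory must not be writable by the build user.
    if os.access(path, os.W_OK):
        findings.append("directory is writable by the current user; the infector needs exactly that")
    return findings

def make_sample_dir(infected):
    """Build a constructed, throwaway unit directory (clean or with the traces above)."""
    import tempfile, time
    root = tempfile.mkdtemp(prefix="induc_demo_")
    install_time = time.time() - 30 * 86400  # units "installed" a month ago
    for name in ("SysConst.dcu", "SysUtils.dcu", "Classes.dcu"):
        p = os.path.join(root, name)
        open(p, "wb").close()
        os.utime(p, (install_time, install_time))
    if infected:
        os.rename(os.path.join(root, "SysConst.dcu"), os.path.join(root, "SysConst.bak"))
        for name in ("SysConst.pas", "SysConst.dcu"):  # dropped source and its fresh recompile
            open(os.path.join(root, name), "wb").close()
    return root

if __name__ == "__main__":
    import sys
    lib = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir(infected=True)
    for line in audit_lib_dir(lib) or ["no indicators found"]:
        print(line)
```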