Michael Van Canneyt wrote:
>
> On Sat, 22 Aug 2009, Mattias Gaertner wrote:
>
>> On Sat, 22 Aug 2009 20:22:14 +0200 (CEST)
>> Michael Van Canneyt <mich...@freepascal.org> wrote:
>>
>>> On Sat, 22 Aug 2009, Mattias Gaertner wrote:
>>>
>>>> On Sat, 22 Aug 2009 19:50:40 +0200
>>>> Marc Santhoff <m.santh...@web.de> wrote:
>>>>
>>>>> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>>>>>> Some more information on this...
>>>>>>
>>>>>> Its propagation mode is that it changes sysconst.dcu, and any app
>>>>>> compiled and subsequently run on a machine which has Delphi
>>>>>> installed has its sysconst.dcu infected. Fixing is easy, as your
>>>>>> original sysconst.dcu is renamed sysconst.bak, so you just switch
>>>>>> it back and make the directory non-writable.
>>>>>>
>>>>>> Details at:
>>>>>>
>>>>>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>>>>>
>>>>>> Cheers, Bruce.
>>>>>>
>>>>>> PS: of course it does not affect Lazarus :-)
>>>>>>
>>>>>> waldo kitty wrote:
>>>>>>> Martin wrote:
>>>>>>>> Just something I found:
>>>>>>>>
>>>>>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>>>>>
>>>>> In all those descriptions I miss the information on how the
>>>>> manipulated sysconst.dcu has entered the system. There has to be
>>>>> some transporting mechanism still undetected.
>>>>>
>>>>> Does anybody know how the infection works?
>>>>
>>>> It was explained on a German site:
>>>> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
>>>>
>>>> Basically it works like this:
>>>> If you got infected, all your created programs contain the virus.
>>>> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the
>>>> virus. You as user download and execute the exe and the virus
>>>> changes the sysconst.dcu. Apparently the file must be writable by
>>>> the user and fit the Delphi version.
>>>
>>> As I understood it, it modified the .pas file, and placed the
>>> modified file in the LIB directory (where the .dcu is located), thus
>>> causing the file to be recompiled and included every time one
>>> compiles a program. The Delphi version was irrelevant.
>>
>> Where did you get that from?
>
> http://www.sophos.com/blogs/sophoslabs/v/post/6195
> They speak of "Sophos has issued Genotype detection (Mal/Induc-A,
> Mal/Induc-B) for all infected versions of SysConst.dcu and SysConst.pas
> that we are aware of."
>
> See also
>
> http://www.sophos.com/blogs/sophoslabs/?p=6117
>
> "When a file infected with W32/Induc-A runs, it looks to see if it can
> find a Delphi installation on the current machine. If it finds one, it
> tries to write malicious code to SysConst.pas, which it then compiles to
> SysConst.dcu (after saving the old copy of this file to SysConst.bak).
> The new infected SysConst.dcu file will then add W32/Induc-A code to
> every new Delphi file that gets compiled on the system - some of the
> strings from the inserted code look like this:"
>
> They provide a look at the sysconst.pas file after infection.
>
>>>> Does the Lazarus Windows installer install writable ppus?
>>>
>>> AFAIK, it must, otherwise Lazarus cannot be recompiled ?
>>
>> ?
>>
>> For years Lazarus has checked whether the directory is writable and,
>> if not, uses its config directory \bin as output directory.
>
> Ah. I didn't know that :-)
>
>>> In each case, if it works on the source level, there is nothing to be
>>> done.
>>>
>>> Clever trick, however you look at it :-)
>>
>> If you try that with fpc you get:
>> PPU Loading /usr/lib/fpc/2.3.1/units/i386-linux/rtl/sysutils.ppu
>> Recompiling sysutils, checksum changed for sysconst
>> Fatal: Can't find unit sysutils used by Classes
>
> Probably the author found a way to keep the checksum ?
1) On loading, the checksum is not recalculated; the compiler trusts the header, so the checksum can be easily patched.

2) FPC uses a CRC, and a CRC can be easily faked today.

--
_______________________________________________
Lazarus mailing list
Lazarus@lists.lazarus.freepascal.org
http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus
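The second point in the reply above, that a CRC can be faked, is worth seeing in working code. What follows is an added example and not code from this thread, from FPC or from Lazarus: it computes four bytes which, appended to an arbitrarily modified file, make its CRC-32 equal to any chosen target value, for instance the CRC of the unmodified file. It uses the standard reflected IEEE CRC-32 as implemented by zlib; FPC's PPU checksum is its own implementation and is only assumed here to share the general CRC property under discussion, so the block illustrates the principle rather than giving a recipe for .ppu files. The sample "unit" contents are constructed for the demonstration. A SHA-256 comparison alongside shows what a non-linear digest does with the same forged input.

```python
import hashlib
import zlib

POLY = 0xEDB88320  # reflected IEEE CRC-32 polynomial (zlib, PKZIP, Ethernet)
MASK = 0xFFFFFFFF


def _make_table():
    """Standard byte-wise CRC-32 lookup table."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The top byte of each table entry is unique, so it identifies which index
# a CRC step used. That is what makes a step reversible.
REV_TOP = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
assert len(REV_TOP) == 256


def crc32(data, crc=0):
    """Reference CRC-32, bit-compatible with zlib.crc32 (used to cross-check)."""
    reg = crc ^ MASK
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg ^ MASK


def forge_crc32_suffix(data, target_crc):
    """Return 4 bytes p such that crc32(data + p) == target_crc.

    Walk the desired register state backwards four steps to learn which
    table index each appended byte must select, then walk forwards from the
    real register state after `data` to pick byte values selecting them.
    The final register depends only on those four indices, not on `data`.
    """
    reg = crc32(data) ^ MASK          # register after data (before final XOR)
    want = target_crc ^ MASK          # register required after 4 more bytes
    idxs = []
    for _ in range(4):
        idx = REV_TOP[want >> 24]
        idxs.append(idx)
        want = ((want ^ TABLE[idx]) << 8) & MASK
    suffix = bytearray()
    for idx in reversed(idxs):        # first index found belongs to the last byte
        suffix.append((reg ^ idx) & 0xFF)
        reg = TABLE[idx] ^ (reg >> 8)
    return bytes(suffix)


def integrity_verdicts(original, tampered):
    """Compare a 'CRC unchanged?' check with a 'SHA-256 unchanged?' check.

    Returns (crc_matches, sha256_matches) for the tampered data after the
    forged suffix has been appended.
    """
    patched = tampered + forge_crc32_suffix(tampered, crc32(original))
    crc_ok = zlib.crc32(patched) == zlib.crc32(original)
    sha_ok = hashlib.sha256(patched).digest() == hashlib.sha256(original).digest()
    return crc_ok, sha_ok


# Constructed sample inputs standing in for a clean and a modified unit source.
ORIGINAL_UNIT = b"unit SysConst;\ninterface\nresourcestring\n  SOK = 'OK';\nend.\n"
TAMPERED_UNIT = ORIGINAL_UNIT.replace(b"end.", b"initialization\n  ExtraCode;\nend.")

if __name__ == "__main__":
    suffix = forge_crc32_suffix(TAMPERED_UNIT, crc32(ORIGINAL_UNIT))
    print("forged suffix:", suffix.hex())
    print("crc match, sha256 match:", integrity_verdicts(ORIGINAL_UNIT, TAMPERED_UNIT))
```

Because CRC-32 is linear over GF(2), any 32-bit target is reachable with exactly four free bytes, and the appended bytes can equally be spread over any four bytes the attacker controls; a CRC therefore detects transmission errors, not deliberate modification. A check that an adversary cannot satisfy needs a cryptographic digest compared against a trusted reference, or a MAC or signature over the unit, rather than a checksum the loader reads from the file's own header.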