Re: [Lazarus] delphi - virus
Someone must really hate Delphi ...

--
___
Lazarus mailing list
Lazarus@lists.lazarus.freepascal.org
http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus
Re: [Lazarus] delphi - virus
> Without knowing too much about the compiler internals... Wouldn't a SHA1 be
> a better option than CRC? For example, Git uses SHA1's to cryptographically
> ensure that no revision in the repository has been tampered with. Just a
> single byte change generates a completely different SHA1.

Isn't SHA1 slow? I'd suggest using a doubled checksum. There's the Adler checksum (used for gzip); it's as simple as CRC (and unsafe in the same way), but if both CRC and Adler are used, it's quite hard to change the content without violating one of the sums.

thanks,
dmitry
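What "unsafe in the same way" means for a CRC can be shown directly. The following is an added example, not code from the thread, from FPC or from Lazarus: it takes a tampered copy of a unit and appends four chosen bytes so that the result carries the CRC-32 of the untouched original, while its SHA-256 (or SHA-1) digest still differs. CRC-32 is linear over GF(2), so the last four bytes can always be solved for; a cryptographic hash has no such shortcut. The only facts relied on are zlib's CRC-32 conventions (reflected polynomial 0xEDB88320, initial and final XOR with 0xFFFFFFFF); the unit source text is constructed.

```python
# Added example, not from the thread: forcing CRC-32 to any value by appending
# four bytes. Relies only on zlib's CRC-32 conventions; the sample unit source
# in demo() is constructed.
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib, PKZIP, Ethernet

TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of every table entry is distinct, so it identifies the entry;
# that is what lets one update step be run backwards.
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return data followed by 4 bytes chosen so that CRC-32 of the whole equals target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # zlib's internal register after data
    want = target ^ 0xFFFFFFFF            # register value that yields target
    # Walk the byte update backwards from the wanted register. Each step yields
    # the table index that must be used; the result is independent of the
    # register we start from, because four shifts push the old register out.
    idx = []
    x = want
    for _ in range(4):
        i = REV[x >> 24]
        idx.append(i)
        x = ((x ^ TABLE[i]) << 8) & 0xFFFFFFFF
    # Now go forwards from the real register and pick each byte so that the
    # update uses exactly the recovered index.
    patch = bytearray()
    for i in reversed(idx):
        b = (reg ^ i) & 0xFF
        patch.append(b)
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return data + bytes(patch)


def keep_crc32(original: bytes, modified: bytes) -> bytes:
    """Tampered content that still carries the original's CRC-32."""
    return forge_crc32(modified, crc32_of(original))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    # Constructed stand-in for a unit source; not the real SysConst.pas.
    original = (b"unit SysConst;\ninterface\nresourcestring\n  SOK = 'OK';\n"
                b"implementation\nend.\n")
    tampered = original.replace(b"implementation\n",
                                b"implementation\n{ injected code }\n")
    forged = keep_crc32(original, tampered)
    return {
        "crc_matches": crc32_of(forged) == crc32_of(original),
        "sha256_matches": sha256_hex(forged) == sha256_hex(original),
        "patch": forged[len(tampered):].hex(),
    }


if __name__ == "__main__":
    print(demo())
```

A compiled unit with a four-byte slack area (trailing padding, an unused string, a comment in the source) is all an attacker needs to keep the CRC intact. Adler-32 is not preimage-resistant either, so pairing the two raises the effort without changing the class of attack; a checker that compares a cryptographic digest against a copy stored where the build user cannot write is what actually binds the content.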
Re: [Lazarus] delphi - virus
On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
> Some more information on this...
>
> Its propagation mode is that it changes sysconst.dcu, and any app compiled
> and subsequently run on a machine which has Delphi installed has its
> sysconst.dcu infected. Fixing is easy, as your original sysconst.dcu is
> renamed sysconst.bak, so you just switch it back and make the directory
> non-writable.
>
> Details at:
> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>
> Cheers, Bruce.
>
> PS: of course it does not affect Lazarus :-)
>
> waldo kitty wrote:
>> Martin wrote:
>>> Just something I found:
>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031

In all those descriptions I miss the information on how the manipulated sysconst.dcu has entered the system. There has to be some transporting mechanism still undetected.

Does anybody know how the infection works?

--
Marc Santhoff m.santh...@web.de
Re: [Lazarus] delphi - virus
On Sat, 22 Aug 2009 19:50:40 +0200
Marc Santhoff m.santh...@web.de wrote:

> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>> Some more information on this...
>>
>> Its propagation mode is that it changes sysconst.dcu, and any app compiled
>> and subsequently run on a machine which has Delphi installed has its
>> sysconst.dcu infected. Fixing is easy, as your original sysconst.dcu is
>> renamed sysconst.bak, so you just switch it back and make the directory
>> non-writable.
>>
>> Details at:
>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>
>> Cheers, Bruce.
>>
>> PS: of course it does not affect Lazarus :-)
>>
>> waldo kitty wrote:
>>> Martin wrote:
>>>> Just something I found:
>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>
> In all those descriptions I miss the information on how the manipulated
> sysconst.dcu has entered the system. There has to be some transporting
> mechanism still undetected.
>
> Does anybody know how the infection works?

It was explained on a German site:
http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679

Basically it works like this:
If you got infected, all your created programs contain the virus.
Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the virus.
You as user download and execute the exe and the virus changes the sysconst.dcu.
Apparently the file must be writable by the user and fit the Delphi version.

Does the Lazarus Windows installer install writable ppus?

Mattias
Re: [Lazarus] delphi - virus
On Sat, 22 Aug 2009, Mattias Gaertner wrote:

> On Sat, 22 Aug 2009 19:50:40 +0200
> Marc Santhoff m.santh...@web.de wrote:
>
>> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>>> Some more information on this...
>>>
>>> Its propagation mode is that it changes sysconst.dcu, and any app compiled
>>> and subsequently run on a machine which has Delphi installed has its
>>> sysconst.dcu infected. Fixing is easy, as your original sysconst.dcu is
>>> renamed sysconst.bak, so you just switch it back and make the directory
>>> non-writable.
>>>
>>> Details at:
>>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>>
>>> Cheers, Bruce.
>>>
>>> PS: of course it does not affect Lazarus :-)
>>>
>>> waldo kitty wrote:
>>>> Martin wrote:
>>>>> Just something I found:
>>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>>
>> In all those descriptions I miss the information on how the manipulated
>> sysconst.dcu has entered the system. There has to be some transporting
>> mechanism still undetected.
>>
>> Does anybody know how the infection works?
>
> It was explained on a German site:
> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
>
> Basically it works like this:
> If you got infected, all your created programs contain the virus.
> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the virus.
> You as user download and execute the exe and the virus changes the sysconst.dcu.
> Apparently the file must be writable by the user and fit the Delphi version.

As I understood it, it modified the .pas file, and placed the modified file in the LIB directory (where the .dcu is located), thus causing the file to be recompiled and included every time one compiles a program. The Delphi version was irrelevant.

> Does the Lazarus Windows installer install writable ppus?

AFAIK, it must, otherwise Lazarus cannot be recompiled?

In each case, if it works on the source level, there is nothing to be done. Clever trick, however you look at it :-)

Michael.
Re: [Lazarus] delphi - virus
On Sat, 22 Aug 2009 20:22:14 +0200 (CEST)
Michael Van Canneyt mich...@freepascal.org wrote:

> On Sat, 22 Aug 2009, Mattias Gaertner wrote:
>
>> On Sat, 22 Aug 2009 19:50:40 +0200
>> Marc Santhoff m.santh...@web.de wrote:
>>
>>> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>>>> Some more information on this...
>>>>
>>>> Its propagation mode is that it changes sysconst.dcu, and any app compiled
>>>> and subsequently run on a machine which has Delphi installed has its
>>>> sysconst.dcu infected. Fixing is easy, as your original sysconst.dcu is
>>>> renamed sysconst.bak, so you just switch it back and make the directory
>>>> non-writable.
>>>>
>>>> Details at:
>>>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>>>
>>>> Cheers, Bruce.
>>>>
>>>> PS: of course it does not affect Lazarus :-)
>>>>
>>>> waldo kitty wrote:
>>>>> Martin wrote:
>>>>>> Just something I found:
>>>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>>>
>>> In all those descriptions I miss the information on how the manipulated
>>> sysconst.dcu has entered the system. There has to be some transporting
>>> mechanism still undetected.
>>>
>>> Does anybody know how the infection works?
>>
>> It was explained on a German site:
>> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
>>
>> Basically it works like this:
>> If you got infected, all your created programs contain the virus.
>> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the virus.
>> You as user download and execute the exe and the virus changes the sysconst.dcu.
>> Apparently the file must be writable by the user and fit the Delphi version.
>
> As I understood it, it modified the .pas file, and placed the modified file
> in the LIB directory (where the .dcu is located), thus causing the file to
> be recompiled and included every time one compiles a program. The Delphi
> version was irrelevant.

Where did you get that from?

>> Does the Lazarus Windows installer install writable ppus?
>
> AFAIK, it must, otherwise Lazarus cannot be recompiled?

?
For years Lazarus has checked whether the directory is writable and, if not, uses its config directory \bin as output directory.

> In each case, if it works on the source level, there is nothing to be done.
> Clever trick, however you look at it :-)

If you try that with fpc you get:

  PPU Loading /usr/lib/fpc/2.3.1/units/i386-linux/rtl/sysutils.ppu
  Recompiling sysutils, checksum changed for sysconst
  Fatal: Can't find unit sysutils used by Classes

Mattias
Re: [Lazarus] delphi - virus
On Sat, 22 Aug 2009, Mattias Gaertner wrote:

> On Sat, 22 Aug 2009 20:22:14 +0200 (CEST)
> Michael Van Canneyt mich...@freepascal.org wrote:
>
>> On Sat, 22 Aug 2009, Mattias Gaertner wrote:
>>
>>> On Sat, 22 Aug 2009 19:50:40 +0200
>>> Marc Santhoff m.santh...@web.de wrote:
>>>
>>>> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>>>>> Some more information on this...
>>>>>
>>>>> Its propagation mode is that it changes sysconst.dcu, and any app compiled
>>>>> and subsequently run on a machine which has Delphi installed has its
>>>>> sysconst.dcu infected. Fixing is easy, as your original sysconst.dcu is
>>>>> renamed sysconst.bak, so you just switch it back and make the directory
>>>>> non-writable.
>>>>>
>>>>> Details at:
>>>>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>>>>
>>>>> Cheers, Bruce.
>>>>>
>>>>> PS: of course it does not affect Lazarus :-)
>>>>>
>>>>> waldo kitty wrote:
>>>>>> Martin wrote:
>>>>>>> Just something I found:
>>>>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>>>>
>>>> In all those descriptions I miss the information on how the manipulated
>>>> sysconst.dcu has entered the system. There has to be some transporting
>>>> mechanism still undetected.
>>>>
>>>> Does anybody know how the infection works?
>>>
>>> It was explained on a German site:
>>> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
>>>
>>> Basically it works like this:
>>> If you got infected, all your created programs contain the virus.
>>> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the virus.
>>> You as user download and execute the exe and the virus changes the sysconst.dcu.
>>> Apparently the file must be writable by the user and fit the Delphi version.
>>
>> As I understood it, it modified the .pas file, and placed the modified file
>> in the LIB directory (where the .dcu is located), thus causing the file to
>> be recompiled and included every time one compiles a program. The Delphi
>> version was irrelevant.
>
> Where did you get that from?

http://www.sophos.com/blogs/sophoslabs/v/post/6195

They speak of

  Sophos has issued Genotype detection (Mal/Induc-A, Mal/Induc-B) for all
  infected versions of SysConst.dcu and SysConst.pas that we are aware of.

See also
http://www.sophos.com/blogs/sophoslabs/?p=6117

  When a file infected with W32/Induc-A runs, it looks to see if it can find a
  Delphi installation on the current machine. If it finds one, it tries to
  write malicious code to SysConst.pas, which it then compiles to SysConst.dcu
  (after saving the old copy of this file to SysConst.bak). The new infected
  SysConst.dcu file will then add W32/Induc-A code to every new Delphi file
  that gets compiled on the system - some of the strings from the inserted
  code look like this:

They provide a look of the sysconst.pas file after infection.

>>> Does the Lazarus Windows installer install writable ppus?
>>
>> AFAIK, it must, otherwise Lazarus cannot be recompiled?
>
> ?
> For years Lazarus has checked whether the directory is writable and, if
> not, uses its config directory \bin as output directory.

Ah. I didn't know that :-)

>> In each case, if it works on the source level, there is nothing to be done.
>> Clever trick, however you look at it :-)
>
> If you try that with fpc you get:
>
>   PPU Loading /usr/lib/fpc/2.3.1/units/i386-linux/rtl/sysutils.ppu
>   Recompiling sysutils, checksum changed for sysconst
>   Fatal: Can't find unit sysutils used by Classes

Probably the author found a way to keep the checksum?

Michael.
Re: [Lazarus] delphi - virus
On Saturday, 22.08.2009, 20:04 +0200, Mattias Gaertner wrote:
> On Sat, 22 Aug 2009 19:50:40 +0200
> Marc Santhoff m.santh...@web.de wrote:
>
>> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>>> Some more information on this...
>>>
>>> Its propagation mode is that it changes sysconst.dcu, and any app compiled
>>> and subsequently run on a machine which has Delphi installed has its
>>> sysconst.dcu infected. Fixing is easy, as your original sysconst.dcu is
>>> renamed sysconst.bak, so you just switch it back and make the directory
>>> non-writable.
>>>
>>> Details at:
>>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>>
>>> Cheers, Bruce.
>>>
>>> PS: of course it does not affect Lazarus :-)
>>>
>>> waldo kitty wrote:
>>>> Martin wrote:
>>>>> Just something I found:
>>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>>
>> In all those descriptions I miss the information on how the manipulated
>> sysconst.dcu has entered the system. There has to be some transporting
>> mechanism still undetected.
>>
>> Does anybody know how the infection works?
>
> It was explained on a German site:
> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679

Very fast as always. :)

> Basically it works like this:
> If you got infected, all your created programs contain the virus.

That is the real question for me: where and how did the first infection occur?

> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the virus.

I see, so one of those is suspected to be Patient Zero. It would be interesting to know how they got the virus.

> You as user download and execute the exe and the virus changes the sysconst.dcu.
> Apparently the file must be writable by the user and fit the Delphi version.

The nasty trick about the infection is that there is source code injected, not a binary some scanner could detect using signatures.

The second link has another one titled "discovered" leading there:
http://www.viruslist.com/en/weblog?weblogid=208187826

Maybe it is time to secure publicly available software repos somehow (checksums or similar/more).

--
Marc Santhoff m.santh...@web.de
Re: [Lazarus] delphi - virus
Martin wrote:
> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031

From the discussion in the Embarcadero groups there exists a simple protection against this virus:

Create a file SysConst.bak (can be empty) beneath SysConst.dcu, so that the virus thinks it has already been active, and doesn't perform any further modifications on the installation.

Since other viruses may not be so gentle, it may be time to consider such infections for other development systems as well.

DoDi
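The Sophos description quoted earlier in the thread (SysConst.dcu renamed to SysConst.bak, a modified SysConst.pas written beside it and recompiled), Bruce's cleanup (rename the .bak back, make the directory read-only) and DoDi's decoy above are enough to build a check for a unit directory. The following is an added example, not code from the thread, from Sophos or from the Lazarus project: it takes a SHA-256 baseline of the directory, reports modified, added and missing files plus the two file-pattern indicators, and walks through infection, detection, restore and decoy inside a temporary directory. Only the file names come from the thread; the directory layout, the fake unit bytes and the `simulate_induc` stand-in are constructed and carry no payload.

```python
# Added example for the thread above, not code from Sophos, Lazarus or FPC.
# Only the file names SysConst.dcu/.pas/.bak come from the thread; everything
# else (directory layout, unit bytes, the stand-in "virus") is constructed.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(lib_dir: Path) -> dict:
    """SHA-256 of every file under lib_dir, keyed by relative POSIX path."""
    return {p.relative_to(lib_dir).as_posix(): sha256_file(p)
            for p in sorted(lib_dir.rglob("*")) if p.is_file()}


def verify_manifest(lib_dir: Path, manifest: dict) -> dict:
    """Diff the tree against its baseline and flag the Induc-A file pattern."""
    current = build_manifest(lib_dir)
    known = {k.lower() for k in manifest}
    present = {k.lower(): k for k in current}
    report = {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
        "indicators": [],
    }
    for key in current:
        stem, ext = os.path.splitext(key.lower())
        # The virus renames the original .dcu to .bak before writing its own.
        if ext == ".dcu" and stem + ".bak" in present and stem + ".bak" not in known:
            report["indicators"].append(f"{present[stem + '.bak']}: new .bak beside compiled unit")
        # It also drops a modified .pas beside the .dcu so the unit is rebuilt from source.
        if ext == ".pas" and stem + ".dcu" in present and key.lower() not in known:
            report["indicators"].append(f"{key}: source appeared next to its compiled unit")
    report["clean"] = not any(report[k] for k in ("modified", "missing", "added", "indicators"))
    return report


def restore_original(lib_dir: Path, unit: str = "SysConst") -> None:
    """Bruce's cleanup: the original .dcu was only renamed, so rename it back
    and remove the injected source file."""
    bak = lib_dir / f"{unit}.bak"
    if bak.exists():
        bak.replace(lib_dir / f"{unit}.dcu")
    (lib_dir / f"{unit}.pas").unlink(missing_ok=True)


def plant_decoy(lib_dir: Path, unit: str = "SysConst") -> Path:
    """DoDi's mitigation: an existing SysConst.bak makes the virus believe it already ran."""
    decoy = lib_dir / f"{unit}.bak"
    decoy.touch(exist_ok=True)
    return decoy


def simulate_induc(lib_dir: Path) -> bool:
    """Constructed stand-in for the file-level behaviour Sophos describes (no payload).
    Returns False when the .bak decoy stops it, as the thread reports."""
    if (lib_dir / "SysConst.bak").exists():
        return False
    (lib_dir / "SysConst.dcu").replace(lib_dir / "SysConst.bak")
    (lib_dir / "SysConst.pas").write_bytes(b"unit SysConst; { injected } end.\n")
    (lib_dir / "SysConst.dcu").write_bytes(b"\x00recompiled unit plus extra code\x00")
    return True


def demo() -> dict:
    """Baseline, infect, detect, restore, harden, all inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"
        lib.mkdir()
        (lib / "SysConst.dcu").write_bytes(b"\x00original compiled unit\x00")
        (lib / "SysUtils.dcu").write_bytes(b"\x00another unit\x00")
        baseline = build_manifest(lib)
        before = verify_manifest(lib, baseline)
        simulate_induc(lib)
        after = verify_manifest(lib, baseline)
        restore_original(lib)
        restored = verify_manifest(lib, baseline)
        plant_decoy(lib)
        hardened = build_manifest(lib)  # new baseline with the decoy in place
        blocked = not simulate_induc(lib)
        still_clean = verify_manifest(lib, hardened)
        return {"before": before, "after": after, "restored": restored,
                "blocked": blocked, "still_clean": still_clean}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if isinstance(value, bool) else (value["indicators"] or "clean"))
```

The manifest has to be stored somewhere the build user cannot write, otherwise the next infected binary to run can rewrite it along with the unit; the same goes for the script itself. The decoy only helps against a sample that checks for the .bak before acting, which is what the thread reports for this one; a read-only unit directory and the hash comparison do not depend on that behaviour.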
[Lazarus] delphi - virus
Just something I found:
http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
Re: [Lazarus] delphi - virus
Martin wrote:
> Just something I found:
> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031

Speaking as one who spends a lot of time on security aspects like this, I thank you for posting it... Similar things have actually occurred in the past, but there was not the available coverage such as we have today, so their existence was not widely known, and those who did get hit with such a critter quietly cleaned up their installations and released new versions to replace the infested ones...

FWIW: I recall a TP/BP6 and TP/BP7 critter of such fame way back in the day...
Re: [Lazarus] delphi - virus
Some more information on this...

Its propagation mode is that it changes sysconst.dcu, and any app compiled and subsequently run on a machine which has Delphi installed has its sysconst.dcu infected. Fixing is easy, as your original sysconst.dcu is renamed sysconst.bak, so you just switch it back and make the directory non-writable.

Details at:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99

Cheers, Bruce.

PS: of course it does not affect Lazarus :-)

waldo kitty wrote:
> Martin wrote:
>> Just something I found:
>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>
> Speaking as one who spends a lot of time on security aspects like this, I
> thank you for posting it... Similar things have actually occurred in the
> past, but there was not the available coverage such as we have today, so
> their existence was not widely known, and those who did get hit with such a
> critter quietly cleaned up their installations and released new versions to
> replace the infested ones...
>
> FWIW: I recall a TP/BP6 and TP/BP7 critter of such fame way back in the day...