Delphi and virus, or virus and Delphi.

Hi all.

There is some discussion about a 'new' virus, that targets Delphi (and
developers).

The article is in Danish:
<http://www.version2.dk/artikel/11833-delphi-udviklere-jages-af-ny-type-malware>
but refers to this article:
<http://news.cnet.com/8301-27080_3-10312628-245.html>

From the Danish article's POV, it seems like Delphi itself is vulnerable, which
is not true.

As far as I can see, the attack vector is injection of (source) code in the
'Sysconst' unit.

What's going on?

-- 
Best regards
Stig Johansen
0
Stig
8/20/2009 9:58:13 AM
πŸ“ embarcadero.delphi.non-tech
πŸ“ƒ 5933 articles.
⭐ 1 followers.

πŸ’¬ 15 Replies
πŸ‘οΈβ€πŸ—¨οΈ 2424 Views

Perhaps checking other threads before posting would help. Exactly 10 posts 
below yours.
0
rakyta_at_stonline
8/20/2009 10:25:15 AM
Stig Johansen wrote:

> 
> What's going on?
> 

Time to upgrade to D2010 :-)

-- 

m. Th.

On the Wings of the Wind...
http://wings-of-wind.com/
0
m
8/20/2009 10:43:13 AM
http://www.sophos.com/blogs/sophoslabs/v/post/6117

http://www.sophos.com/blogs/gc/g/2009/08/19/w32induca-spread-delphi-software-houses/

They say "this virus isn’t just a threat if you are a software developer who uses Delphi", literally, and that shows they lie... which non-developer user will have D4-7 installed? Come on... Richard Cohen and Graham Cluley are inventing an issue for the users where there is none.
That "Induc-A" crap does not affect the user machines at all, that is a lie (ok, a lie that will sell more antivirus licenses, but it's a lie).
Those SOPHOS articles are almost defamatory for the Delphi brand name and the software which is produced with it.
It's incredible the disinformation they are propagating.
0
Javier
8/20/2009 8:37:35 PM
http://www.sophos.com/blogs/gc/g/2009/08/20/sophos-false-alarming-delphi-induc-virus/

LOL, I was writing an email to Graham Cluley complaining about his post and he posted again before I finished it. Maybe it's not what we wanted to read, but it's something at least...
0
Javier
8/20/2009 9:01:05 PM
Ivan Rakyta <rakyta_at_stonline.sk> wrote:

> Perhaps checking other threads before posting would help. Exactly 10 posts
> below yours.

I had looked, but apparently not well enough - sorry.
I'll check the other thread.

-- 
Best regards
Stig Johansen
0
Stig
8/21/2009 4:35:45 AM
<Javier Santo Domingo> wrote in message news:152476@forums.codegear.com...
> http://www.sophos.com/blogs/gc/g/2009/08/20/sophos-false-alarming-delphi-induc-virus/
>
> LOL, i was writing an email to Graham Cluley complaining about his post 
> and he posted again before i finish it. May be its not what we wanted to 
> read but its something at least...

I have to agree that it needs to be dealt with and considered at least a 
medium threat.  And Sophos is not the only anti-virus treating it as such; 
NOD32, ClamWin, AVG and Kaspersky, just to name a few, won't even let the 
application run, or the application might be deleted when a scan is 
performed.  Even SpyBot is detecting it, and its TeaTimer is not letting 
the application run.

-- 
Best Regards,
  Daniel Rail
  Senior Software Developer
  ACCRA Solutions Inc.(www.accra.ca)
  ACCRA Med Software Inc.(www.filopto.com)
0
Daniel
8/21/2009 6:19:37 PM
No problem Daniel, you are also right. It's a complex subject, this one.
But look, what I say is that they are scaring users, playing with their ignorance (since it's a worm that infects nothing but old Delphi installations), and by the way they are defaming Delphi, which has far more impact on our businesses. They are affecting the reputation of a whole platform, that's a serious threat. And sadly, they seem to have the impunity to do that.
0
Javier
8/21/2009 8:38:44 PM
Javier Santo Domingo <> wrote:

> They are affecting the reputation of a
> whole platform, thats a serious threat. 

That was more or less my point with my original post.
We risk that 'people' think that Delphi is an 'insecure' platform.

I don't have newer versions than D7, but I guess the reason that newer
versions are not affected is that sysconsts doesn't exist on those
versions.

Would the same concept be possible using another central unit?

-- 
Best regards
Stig Johansen
0
Stig
8/22/2009 4:39:01 AM
Stig Johansen wrote:

> I don't have newer versions than D7, but i guess, the reason thet
> newer versions are not affected, is that sysconsts doesn't exist on
> those versions.

No, the virus specifically looks for Delphi 4-7 in a loop (the code can
be found on the web).

There is a SysConst.dcu in Delphi 2009 as well.
-- 
Rudy Velthuis (TeamB)        http://www.teamb.com

"Computer /nm./: a device designed to speed and automate errors."
 -- From the Jargon File.
0
Rudy
8/22/2009 1:42:49 PM
Rudy Velthuis (TeamB) wrote:

> No, the virus specifically looks for Delphi 4-7 in a loop (the code can
> be found on the web).

Ok, saw that (hmm, I posted a link to the code myself, but didn't look :).

Wonder why 'they' only target older Delphi.

-- 
Best regards
Stig Johansen
0
Stig
8/22/2009 10:02:30 PM
Stig Johansen wrote:

> Wonder why 'they' only targets older Delphi.

1. Older Delphi versions need write access to their bin directory. So
under Vista with active UAC the developer must grant write access to
the Delphi folder. This isn't necessary for newer Delphi versions
because they do not write to their program files directory. And without
write access the virus can't replace files.

2. The virus author didn't have a newer Delphi version and wasn't good
at guessing what the new registry key is.

3. The virus author wants everybody to upgrade (very unlikely)

4. ... put here your own thought ...


-- 
Regards,

Andreas Hausladen
0
Andreas
8/22/2009 11:23:55 PM
Andreas Hausladen wrote:

> Stig Johansen wrote:
> 
> > Wonder why 'they' only targets older Delphi.
> 
> 1. Older Delphi versions need write access to their bin directory. So
> under a Vista with active UAC the developer must grant write access to
> the Delphi folder. This isn't necessary for newer Delphi versions
> because they do not write to their program files directory. And
> without write access the virus can't replace files.
> 
> 2. The virus author didn't have a newer Delphi version and wasn't good
> at guessing what the new registry key is.
> 
> 3. The virus author wants everybody to upgrade (very unlikely)
> 
> 4. ... put here your own thought ...

{$CONSPIRACY ON}
if OutCome = ocUnlikely then
  goto 3;
{$CONSPIRACY OFF}

:p

-- 
Pieter

"A friendship founded on business is better than a business 
 founded on friendship." -- John D. Rockefeller (1874-1960)
0
Pieter
8/22/2009 11:50:22 PM
Pieter Zijlstra wrote:

> Andreas Hausladen wrote:
> 
>> Stig Johansen wrote:
>> 
>> > Wonder why 'they' only targets older Delphi.
>> 
>> 2. The virus author didn't have a newer Delphi version and wasn't good
>> at guessing what the new registry key is.
> 
> {$CONSPIRACY ON}
> if OutCome = ocUnlikely then
>   goto 3;
> {$CONSPIRACY OFF}

I think that I'll stick to Andreas' explanation/guess, since the loop is
(more or less):
for v := '4' to '7' do
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar('Software\Borland\Delphi\' + v + '.0'), 0 etc.

Since I don't have later versions, I don't know which registry key(s) are
used, but I guess that it is not 8..11?

And the use of char/pchar etc. will not be usable in D2009?

-- 
Best regards
Stig Johansen
0
Stig
8/23/2009 9:35:30 AM
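A defender-side integrity check that follows from the two points made above (Andreas' note that the unit can only be replaced if the Delphi folder is writable, and the loop over the Delphi 4-7 registry keys). This is an added example, not code from the thread or from the virus; it assumes the caller has already read RootDir from each HKLM\Software\Borland\Delphi\<v>.0 key, that SysConst.dcu lives under Lib\ of that root, and that a known-good hash of the unit was recorded from a clean install.

```python
# Hypothetical defender script (added example). Registry lookup is left to
# the caller: pass {version: RootDir} as read from
# HKLM\Software\Borland\Delphi\<v>.0 so the check itself runs anywhere.
import hashlib
import os
import tempfile

TARGETED_VERSIONS = ("4", "5", "6", "7")            # versions the thread names
SYSCONST_DCU = os.path.join("Lib", "SysConst.dcu")  # assumed path under RootDir

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_install(version, root_dir, baseline):
    """Findings for one install; baseline: version -> known-good sha256 (assumed)."""
    dcu = os.path.join(root_dir, SYSCONST_DCU)
    if not os.path.isfile(dcu):
        return [f"D{version}: {dcu} missing"]
    findings = []
    if sha256_file(dcu) != baseline.get(version):
        findings.append(f"D{version}: SysConst.dcu hash mismatch")
    # A Lib dir writable by the current user is Andreas' precondition: no write, no swap.
    if os.access(os.path.dirname(dcu), os.W_OK):
        findings.append(f"D{version}: Lib directory writable by current user")
    return findings

def check_all(install_roots, baseline):
    out = []
    for version, root_dir in install_roots.items():
        if version in TARGETED_VERSIONS:      # D2009 etc. are out of scope here
            out.extend(check_install(version, root_dir, baseline))
    return out

def demo():
    """Constructed fixture: fake D7 root whose SysConst.dcu is then tampered."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Lib"))
    dcu = os.path.join(root, SYSCONST_DCU)
    with open(dcu, "wb") as f:
        f.write(b"clean SysConst.dcu (constructed)")
    baseline = {"7": sha256_file(dcu)}
    clean = check_all({"7": root}, baseline)
    with open(dcu, "wb") as f:
        f.write(b"modified SysConst.dcu (constructed)")
    return clean, check_all({"7": root}, baseline)
```

On a real machine the writable-directory finding is the one to act on first, since it is what makes the hash mismatch possible in the first place.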
> Since i don't have later versions, i don't know which registry key(s) are
> used, but i guess, taht it is not 8..11 ?

Not exactly, no. And don't forget the borland part ;-)

> And the use of char/pchar etc, will not be usable in D2009 ?

Actually it will.
0
Olivier
8/23/2009 10:28:50 AM
Stig Johansen wrote:

> And the use of char/pchar etc, will not be usable in D2009 ?

Why not? Char and PChar work in Delphi 2009 unless you think that
SizeOf(Char) = 1


-- 
Regards,

Andreas Hausladen
0
Andreas
8/23/2009 10:30:20 AM