Delphi Software houses may be infecting customers

rpm · Aug 19, 2009

Delphi security concern

Software houses may be unwittingly infecting customers, Sophos reports

zeely · Aug 19, 2009

interesting.. .we do all our development in delphi

i'd be keen to see what it injects into the source code. anyone have a sample?

Gambit · Aug 19, 2009

Yeah, we use delphi as well.

found more info

When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old copy of this file to SysConst.bak). The new infected SysConst.dcu file will then add W32/Induc-A code to every new Delphi file that gets compiled on the system.

from http://www.scmagazineus.com/Virus-discovered-deep-in-Delphi-programming-language/article/146804/

Taqyon · Aug 19, 2009

Same here. Saw it first on Marco Cantu's blog.

Complete details on Eureukalogs's site: http://blog.eurekalog.com/?p=244 (Awesome tool for Delphi btw..)

Quote:

Is it serious?

Depends on what you’re asking about.

If you want to know about this particular virus, then the answer is: NO. This thing does nothing, except replicating itself.

If you ask about any threat of such sort, then the answer is probably: YES. Well, at least it’s so for Delphi’s developers. Look, that thing was here for few years and nobody didn’t notice it. It was detected only because it is buggy (see below). What if there are other such things lives on our Delphi’s out there? They may be not such innocent, as this one, and may be bug-less, so it’s harder to notice. Developers often tends to work in “weaker” environment: i.e. with UAC off, under administrator account, with disabled A/V, etc, etc. Those conditions are like heavens for viruses.

Lazy · Aug 20, 2009

Ironically, Sophos has also seen a number of banking Trojan horses - which are often written in Delphi - infected by Induc-A, indicating that malware authors themselves could also have been affected.

ROTFLMAO

zeely · Aug 20, 2009

i found the source code.

it does nothing malicious except propogate the source code to overwrite and recompile sysconst.pas

Lazy · Aug 20, 2009

zeely said:
i found the source code.

it does nothing malicious except propogate the source code to overwrite and recompile sysconst.pas

So it's like any other delphi program then

(just kidding of course)

Taqyon · Aug 20, 2009

This is a very old trojan - it only affects Delphi 7 and earlier - released 2002.

Veroland · Aug 20, 2009

Delphi is still around?

The_Unbeliever · Aug 20, 2009

We also use Delphi.

Fired off the link (from The Register) to our lead developer.

Our code is clean, otherwise we would've got a lot of silly bugger errors

Lazy · Aug 20, 2009

Taqyon said:
This is a very old trojan - it only affects Delphi 7 and earlier - released 2002.

If that's true then watch this space, Sophos will discover the 'Stoned' virus sometime soon.

EDIT: You're PC is now Stoned.

Join the MyBroadband community

Get started

Delphi Software houses may be infecting customers

rpm

Admin

zeely

Senior Member

Gambit

Expert Member

Taqyon

Well-Known Member

Lazy

Senior Member

zeely

Senior Member

Lazy

Senior Member

Taqyon

Well-Known Member

Veroland

Executive Member

The_Unbeliever

Honorary Master

Lazy

Senior Member