Old-school virus threatens Delphi files

Virus writers have gone old school with the creation of a virus that infects Delphi files as they are built. When a Delphi file infected with Induc-A virus is run, it searches for Delphi programming installations on an infected machine and attempts to infect this installation. More specifically, the malware attempts to infect …

COMMENTS

This topic is closed for new posts.
  1. Mike 119
    WTF?

    Oh dear

    How limited is this going to be?

    Who actually still uses Delphi?

  2. John70

    Delphi?

    People still program in it?

  3. Anonymous Coward
    Unhappy

    Delphi programmers

    Yeah, but how many of us poor unfortunates are left working in Delphi?????

  4. Dave Murray
    Unhappy

    So much FUD

    and all copied directly from Sophos press release.

    Delphi files can't be run. They can be compiled into programs that can be run but they themselves can't. Opening a file of Delphi code can't cause it to automatically make changes to other files.

    Then there's the "if you have programs written in Delphi you're probably infected" scaremongering. It all depends how long this virus has been in the wild, something Sophos fail to mention. If it's been around for a week then only software released in the last week could be suspect. If it's been around longer then more software could be suspect. Not publishing these details and the tone of Sophos press release doesn't help anyone, least of all the millions of Delphi developers worldwide.

  5. Doug
    Gates Horns

    W32/Induc-A virus being spread by Microsoft software

    | headline corrected |

    'When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas'

    Does the original W32/Induc-A require administrator rights to infect the machine? Is SysConst.pas normally required to be writable by administrator? Notice how they managed to not once mention Windows in the body of that 'report'.

    <insert payload>

    "W32/Induc-A virus being spread by Delphi software houses"

    "If you believe that you may be using software written in Delphi you would be very wise to ensure that your anti-virus software is updated. Actually, regardless of whether you use Delphi-written apps that's a good idea"

    </insert payload>

  6. Pirate Dave Silver badge
    Pirate

    FreePascal too?

    I wonder if this also affects/infects FreePascal installations, since FPK is more or less a Delphi clone?

    As to "are there people still using Delphi", I don't know about Delphi proper, but there are still quite a few of us using FPK. Old habits are hard to break...

  7. Dr. Vesselin Bontchev
    Boffin

    Clarifications

    1) This thing has been around for at least a year - there is one report about an infected application compiled in August 2008.

    2) The only "threat" it represents is that of an embarrassment, if you're a Delphi developer. It has no malicious payload and if you don't have Delphi installed, it simply does NOTHING.

    3) It is buggy and causes a runtime error in some cases.

    4) It is written for obsolete versions of Delphi. (No jokes that Delphi itself is obsolete, please.)

    5) Yes, it requires administrative privileges to install. But everybody runs as admin anyway. Yes, you can prevent the admin from writing to those files - but then Delphi can't update itself, either.

    6) Kaspersky and F-Secure blogged about this thing two days ago. Why is Sophos taking all the credit?

  8. Anonymous Coward
    Thumb Up

    Delphi lives!

    You would be surprised, Delphi is still alive and well. Or at least still alive anyway, Delphi 2009 is a bit sickly....

  9. Bassey

    It's a job!

    We still have tons of legacy Delphi code and it still requires updates and maintenance. One of our main Delphi systems celebrates its tenth birthday in four weeks' time.

    Happy birthday to you...happy birthd......

  10. ProductMan

    We should look at the facts, before we panic!

    My name is Mike Rozlog and I’m the Product Manager for Delphi. I want to clear the air on some of the issues being put forward from the initial malware posting. Some of the first questions in the comments were around “Does anybody still use Delphi?” “People still program in it?” “… how many of us poor unfortunates are left working in Delphi?” Let me first say that the Delphi community is alive and very well, and depending on the industry analyst that is cited, the developer community ranges anywhere from 1 to 2 million in size worldwide. On that subject, there are a lot of applications used around the world that are written in Delphi or C++Builder for that matter. That being said, we at Embarcadero take threats of this nature very seriously and as stated before, the way the article is written, it could affect a large amount of people.

    The first thing I want to point out is that this isn’t any more or less dangerous to a developer than other viruses or trojans. If a developer acquires a virus on his or her developer machine it can easily affect applications the developer is compiling without having anything to do with the compiler or tools he or she is using. The article makes it sound like Delphi or IDEs in general are now “vulnerable,” but in actuality they are no more or less vulnerable than any other of the thousands of exe(s) and dll(s) on every developer’s machine. This has been true since the first viruses and trojans were created.

    The second point that should be made is that any language can have this type of attack propagated on it. One of the strengths of programming languages and libraries is that they can be modified to work better for the developer. This means that a programmer in C++, Java, C#, JavaScript, VB, Delphi, and almost any others could have this type of exposure. I could go into Java for example; adding methods to a system class that opens an exposure, and then put that tainted class into the .jar file and deploy application out to millions and it would have a backdoor exploit. The same could be said about software libraries out in the wild, once the exploit is coded, the only thing left is distribution of the library to unsuspecting users.

    So this is not just a Delphi issue! This is a programming and compliance issue; it is a very clever trick, but it’s nothing to be more worried about than any of the other ways the developer machine can be attacked by viruses and trojans. The best ways to combat these types of issues are to establish a deployment protocol that checks for viruses and trojans before shipping any applications. This approach goes for the individual developer to the large corporate entities, and as we all know it takes constant vigilance against these types of attacks.

    Mike

    michael.rozlog@embarcadero.com

  11. Dr. Vesselin Bontchev
    Pint

    Aw, cut the spin, willya?

    @ProductMan: Aw, cut the spin, man! First of all, don't take the author (John Leyden) too seriously. He's just yet another incompetent moron who hates the AV industry but is too stupid to write something creative and instead copies stuff from the blogs of the various AV companies.

    Yeah, this is just yet another silly little virus (buggy, too) - the only unusual thing is that it is, in a sense, a "compiler infector" instead of the usual variety of application infector. But even that is not original - there have been similar things for C (I think) years ago.

    "we at Embarcadero take threats of this nature very seriously" - aw, gimme a break, man! Whatcha gonna do, seriously, huh? A grand total of NOTHING. There is absolutely nothing you can do about threats like this (besides posting silly comments like that, I mean). You can't change anything in Delphi to make it more resistant to such viruses, you can't force people not to run as admins, you can't make the Delphi developers more security-conscious. So, just relax and enjoy the fun.

    "This is a programming and compliance issue" - no, it's a security issue. If you let your system become infected, you're running the risk of infecting others (like, your customers). Surprise!

    "The best ways to combat these types of issues are to establish a deployment protocol that checks for viruses and trojans before shipping any applications." Nonsense! This thing has been around for more than a year and it is only now that the AV programs have started to notice it. You could have scanned your applications before shipping them all you wanted - and you still would have shipped them infected.

    Instead, people should try to ensure the integrity of their development systems. Don't connect them to the 'net and don't play games on them (duh!). Don't have any foreign executables on them besides the OS and the compiler, transfer the sources there and compile them there. Run some kind of integrity checker to make sure that your compiler distribution hasn't been tampered with. That sort of stuff.

    Now, everybody, take a deep breath and relax. This is another three-day wonder. In a month, everybody would have forgotten it.
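
An added example, not part of the comment above or of any vendor's tooling: one way to do the integrity check it recommends, taking a SHA-256 baseline of the compiler tree and comparing against it later. The directory layout, file contents and the `TRACKED` extension list are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of extensions to track: library sources, compiled units, binaries.
TRACKED = {".pas", ".dcu", ".inc", ".exe", ".dll", ".bpl"}

def build_manifest(root: Path) -> dict:
    """Map each tracked file (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in TRACKED
    }

def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree with a trusted baseline; any non-empty list is a finding."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo():
    """Constructed install tree: baseline it, tamper with SysConst, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        rtl = root / "Source" / "Rtl" / "Sys"  # hypothetical layout
        lib = root / "Lib"
        rtl.mkdir(parents=True)
        lib.mkdir()
        src = "unit SysConst;\ninterface\nimplementation\nend.\n"
        (rtl / "SysConst.pas").write_text(src)
        (lib / "SysConst.dcu").write_bytes(b"constructed-dcu-v1")
        # In practice the baseline is taken right after a clean install and
        # stored off the build machine, so an infection cannot rewrite it.
        baseline = build_manifest(root)
        clean = verify(root, baseline)
        # Simulate the library source being altered and the unit recompiled.
        (rtl / "SysConst.pas").write_text(src + "{ unexpected appended code }\n")
        (lib / "SysConst.dcu").write_bytes(b"constructed-dcu-v2")
        return clean, verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Run before each release build, a non-empty `modified` list for a file that only the vendor's updater should touch is the signal to stop and rebuild from a clean install.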

  12. Jolyon Smith
    Flame

    Are you "Affected"...?

    You may well have an app written using an infected installation of Delphi, but:

    1) unless you also have a Delphi installation the "affect" on you is.... NIL. The virus's only payload action is to infect other Delphi installations (and then only versions 4 thru 7 I believe).

    2) If the application is deployed with the "vcl" runtime package then the infected SysConst unit code is not compiled or incorporated in the application. i.e. that application, even if compiled with an infected Delphi installation, will itself be clean.

    This is a whole lot of fuss about nothing.

    As for Delphi being dead/dying. The only people saying that are people who WISH it were true, which in the main are insecure Microsoft developer tool users who wish Delphi would die so they could feel less stupid for making their lives harder than they need to be and less enjoyable than they could be.

  13. Dr Patrick J R Harkin

    @Doug Is SysConst.pas normally required to be writable by

    Don't use Delphi, but as SysConst.pas is a source code file on a development machine, I'd expect the logged in user to be able to edit it regardless of whether they have admin rights or not.

  14. Dr. Vesselin Bontchev
    Boffin

    Protecting SysConst.pas

    @Dr Patrick J R Harkin: "SysConst.pas is a source code file on a development machine, I'd expect the logged in user to be able to edit it regardless of whether they have admin rights or not."

    Have in mind that:

    1) Development has nothing to do with this. The file SysConst.pas is the source code of one of the libraries. Developer or not, there is no need to modify this file yourself - ever.

    2) If Delphi is installed by the admin and the user is running with non-admin privileges, the (infected) user won't have the rights to modify this file (which will be owned by the admin), if the system is properly set up. Note that this also means that the user won't be able to update Delphi.

    3) Using ACS, it is possible to deny write access to this file to all - including to its owner (admin or not). Again, this means that Delphi won't be able to update itself. In addition, the owner (or a virus running with his credentials) will be able to re-enable write access to the file - but this virus doesn't try to do so.

  15. Rune Moberg
    Welcome

    Old-school development tools

    Jolyon,

    I was a die-hard Delphi user until last year. I first started in 1995, before which I mostly used Turbo Pascal.

    Delphi was and still is pure brilliant. The compiler is stunningly _FAST_ (infinitely sweeter than any C/C++ compiler out there) and the language is among the nicest.

    But.

    Unicode support was added a year ago. The product managers back in the day had severe problems understanding the needs of the developers. Imagine that... Waiting to offer unicode support until 2008... It is... An ID ten-T mistake.

    They were late to implement generics. They stalled on inlining. They STILL do not have a 64-bit version out there.

    Compared to Java, Delphi shines. It shines so bright it is hard to understand why there are so many Java projects out there. But of course, with limited (or non-existing) cross-platform support, Delphi is a hard sell.

    Delphi on .net makes little sense as far as I can tell. C# is 'good enough' (far from nice, but 'good enough' certainly). WPF is key. Without proper WPF support, Delphi is just not an option. There are few reasons to use Delphi.net.

    Given the track record of the Delphi team, I see very few improvements the last ten years. They stalled. They owe the Delphi community a huge apology. They played around with that Eco-cræp, and forgot about improving the compiler and their core component library. Big mistake.

    As for the virus; Who cares? Just avoid installing viruses, and you'll be fine.

  16. Dick Emery
    Stop

    False positives

    Just got a warning by McAfee that it had blocked this virus (and a number of other AV software so I read). Unfortunately it was a false positive in an exe called Gamebooster (An app that sets certain system services to stop state when playing games for an extra speed boost). The developer had to make an updated version just to get around it as they swear it's not got the virus.

  17. alien anthropologist
    Flame

    Missing the point...

    Delphi is such an awesome language (even C# is a poor imitation), that said virus would equally likely be an awesome looking virus too...

    And there's so few those around, we should be more appreciative of a virus written in such a kewl and gnarly language.

    Delphi Rules! C#/java sucks snot. (as I overheard a hardcore Delphi programmer in a dev team meeting telling the Java heads many years ago)

    Miss using in Delphi.. cannot say the same of Windows though.

  18. Anonymous Coward
    Anonymous Coward

    Agree, lot of fuss about nothing

    This is just yet another virus among millions that you have to worry about. There is nothing special about a virus that attacks runtime source code other than it's an interesting twist on the genre - but the net effect is the same as if you caught a virus on any Windows system file, or PDF plugin, notepad.exe, browser, SCM, profiler, or anything on your dev machine. They can all infect the apps you build and distribute regardless of what programming language or tools you're using. Delphi is pretty popular despite the dumb comments otherwise. It's used by about 1.7m developers today and is consistently highly ranked on the TIOBE prog lang "noise" meter. Best advice is to run a secure dev machine, run anti-virus regularly and keep it updated. If you catch this thing then revert the infected file and make it readonly. Viruses are always an issue but the focus on Delphi as a vulnerability is like a drop of water in the ocean of virus things to worry about.
