Thursday, August 20, 2009

A Tempest in a Teapot or something more sinister?

If you’re a well-connected internet maven who also happens to be a Delphi user, you’re probably aware of the recent reports about a new virus that hits pretty close to home. Many mainstream internet press outlets are discussing the emergence of a virus affectionately known as the “Compile-a-virus”, or by its more mundane and sanitary name, W32/Induc-A. This particular virus targets older versions of Delphi (specifically Delphi 4 through 7) and replicates itself by building a modified SysConst.dcu and placing it back in your <root>\Lib folder. Ironically, it doesn’t simply overwrite the existing SysConst.dcu; it first backs up the original as SysConst.bak. It then uses the existence of that .bak file as the signal that it has already done its job and should leave that installation alone. Because it doesn’t actually delete anything, it is a gentleman among viruses ;-). Once a Delphi installation is infected, every executable and DLL built with it that links in the code from SysConst.dcu (which, in practice, is nearly everything, since SysUtils depends on it) carries the virus; when such a binary is run, it seeks out any Delphi installation on that machine and the process repeats. Note the consequence for cleanup: restoring SysConst.bak over the modified SysConst.dcu cleans the compiler, but every binary already built with the infected unit stays infected until it is rebuilt with a clean installation.
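The two facts in the paragraph above (the virus leaves SysConst.bak beside the unit it replaces, and the replaced unit is Lib\SysConst.dcu) are enough to write a simple integrity check for a Delphi 4-7 installation. The following is an added example, not code from the original post or from Embarcadero: it flags a Lib folder as suspect if SysConst.bak is present or if the SHA-256 of SysConst.dcu differs from a baseline hash. The baseline hash is assumed to have been captured by you from a known-clean install of the same Delphi version; none is supplied here, and the file contents used in the comments and test are constructed.

```python
"""Integrity check for a Delphi 4-7 <root>\\Lib folder against the
W32/Induc-A pattern: a leftover SysConst.bak and/or a SysConst.dcu
whose hash no longer matches a known-clean baseline.

Added example; not the original post's or Embarcadero's code.  The
baseline SHA-256 is an assumption: capture it yourself from clean media.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Optional

BAK_NAME = "sysconst.bak"   # compared case-insensitively (Windows file system)
DCU_NAME = "sysconst.dcu"


@dataclass
class LibFinding:
    root: str
    bak_present: bool
    dcu_sha256: Optional[str]        # None when SysConst.dcu is missing
    baseline_match: Optional[bool]   # None when no baseline was supplied

    @property
    def verdict(self) -> str:
        """Collapse the two signals into one actionable label."""
        if self.dcu_sha256 is None:
            return "no-sysconst-dcu"
        if self.bak_present or self.baseline_match is False:
            return "suspect"
        if self.baseline_match is True:
            return "clean"
        return "unknown"  # no .bak marker, but nothing to compare the dcu against


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess_lib(root: str, lib_files: Dict[str, bytes],
               baseline_sha256: Optional[str] = None) -> LibFinding:
    """Pure check over an in-memory view of <root>\\Lib.

    lib_files maps file names (any case) to their bytes, so the logic can be
    exercised without touching a real Delphi install.  Absence of the .bak is
    NOT proof of health: a variant could drop the marker, so the hash
    comparison is the signal to rely on when a baseline is available.
    """
    by_name = {name.lower(): data for name, data in lib_files.items()}
    bak_present = BAK_NAME in by_name
    dcu_bytes = by_name.get(DCU_NAME)
    dcu_hash = sha256_hex(dcu_bytes) if dcu_bytes is not None else None
    match = None
    if baseline_sha256 is not None and dcu_hash is not None:
        match = dcu_hash == baseline_sha256.lower()
    return LibFinding(root, bak_present, dcu_hash, match)


def scan_root(root: str, baseline_sha256: Optional[str] = None) -> LibFinding:
    """Read the real Lib folder under a Delphi root directory and assess it.

    Only the two files of interest are loaded; other units are ignored.
    """
    lib_dir = os.path.join(root, "Lib")
    files: Dict[str, bytes] = {}
    if os.path.isdir(lib_dir):
        for name in os.listdir(lib_dir):
            if name.lower() in (BAK_NAME, DCU_NAME):
                with open(os.path.join(lib_dir, name), "rb") as fh:
                    files[name] = fh.read()
    return assess_lib(root, files, baseline_sha256)


if __name__ == "__main__":
    import sys
    # Usage: python induc_check.py "C:\Program Files\Borland\Delphi7" [...]
    for delphi_root in sys.argv[1:]:
        f = scan_root(delphi_root)
        print(f"{f.root}: bak={f.bak_present} sha256={f.dcu_sha256} -> {f.verdict}")
```

A "suspect" verdict on the compiler is only half the job: the binaries it has already produced are still carriers, so the remediation is to restore the clean unit (or reinstall), then rebuild and redistribute everything compiled since the infection date.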

Aside from the pure mechanics of how this thing works, there has also been a lot of response from the community and press, ranging from “OMG, the sky is falling” to “nothing to see here, move along.” Fear mongering is just as bad a response as ignoring the problem. At this point, here at Embarcadero, we’re actively analyzing the situation and its overall impact on our community. We’re also working on recommendations for how to find out whether you’re infected and what to do once you see that you are, as well as the steps you can take to guard against re-infection. Rest assured that we’re neither ignoring this threat nor going to blow it out of proportion. All signs indicate this is a serious and credible threat, and users should remain vigilant in ensuring that they either install or update their virus scanners. Many of the popular, freely available scanners can now detect this threat, both in compiled binaries and as an infected SysConst.dcu in the Lib folder.

As we get more information and have more recommendations, we’ll make them available. Moving forward, we’re brainstorming possible solutions that you, the customer, can use not only to guard against similar threats in the future, but also so that if a new threat is found there is a prescribed mechanism to detect and correct the problem.

27 comments:

  1. For my 2c, submitting the dcu to virusTotal.com if you are at all unsure of your AV SW is the best bet. Testing 41 AV engines.

    Thanks for the post, dev's will be glad to be able to say to clients that EMBC is on the case.
    JAC

  2. Um, could you just explain again... what precisely is the "serious and credible threat" ?

    Simply calling it that is, imho, blowing it "out of proportion", and you said you weren't going to do that. ;)

    This virus is an annoyance, not a threat. Put another way, it's a Common Cold, not Swine Flu.

    Even calling it "malware" is stretching a point beyond breaking. It doesn't do anything "malicious", it just does something utterly pointless and inconsequential beyond achieving its own, very, very limited ambition - reproducing.

    I haven't seen any reports of this virus doing anything other than replicating itself, i.e. "infecting" other Delphi installations.

    Other than that the impact is NIL (Null if you prefer to use a variant), other than to trigger a virus alert if your AV software detects it.

    Which strikes me as the software equivalent of a domestic cat setting off a home burglar alarm by entering a room that someone didn't realise the cat could get into ... sure, the cat shouldn't be there, but the only "damage" (disruption) is caused by the alarm itself going off.

    The more anti-virus suites start detecting this thing, the greater the disruption, because unless/until you can disinfect *every* infected machine, they will keep churning out "infected" apps from their compilers, triggering virus alerts!

    WARNING! WARNING! THE CAT IS IN THE STUDY! THIS IS NOT A DRILL! THE CAT *IS* IN THE STUDY!!

    Sheesh.

    So anyone looking to CREATE an annoying virus needs only get themselves deliberately infected and then start distributing apps compiled on their machine.

    As far as I can tell, by escalating the significance of this virus WAY beyond the level that it warrants, we simply created a vehicle for "virus writers" to disrupt everyone's lives without having to write a single line of virus code themselves.


    Just as there is a whole industry and economy now building itself around the "terror" economy, it seems that was just following the template established by the AntiVirus industry.

    And don't tell me that *I'm* needlessly inflaming things by drawing parallels with anti-terrorism .... it's the ONLY other "industry" where you'll hear the term "serious and credible threat", and *I'm* not the one that started throwing THAT term around in relation to this minor annoyance.

  3. Robert Horbury-Smith, August 20, 2009 at 7:47 AM

    Nice post Allen.

    The community at large needs to be cognisant of the need to "manage" this instance, in case it is used by the poorly informed to beat Delphi about the head.

    Good to see you guys are taking the initiative.

    Rob

  4. I think that the real problem here is not this specific virus, which looks harmless, but the others that surely will come the same way and may be a real threat. So all of us must be more careful from now on.

  5. Jolyon,

    So we should simply ignore it and hope it will go away? It is only serious and credible in the sense that someone could decide to mutate the payload and distribute a much more malicious version. I also see this as a cautionary tale of the fact that even though everyone is calling this a "proof-of-concept", the concept has now been proven. So it is not *this* virus that is what is scary… it is the *next* one.

  6. Allen,

    It is *those* viruses that should be reported to virus scanner databases. *They* will, by definition, have a different signature than *this* one. Reporting this one doesn't stop the next one. It won't even slow it down.

    It might even actually accelerate the process - nothing gets a hacker motivated like a challenge to their ability!

    "We'll stop you!".... "Oh, yeah...? Watch this!".


    When there *is* a serious and credible threat, by all means treat it as one. Talking this one up as something it isn't (even when, and perhaps especially when, you try and say you aren't doing that, when you are) just makes it a bigger threat than it ever really was.

    Transparently unnecessary superlatives also potentially raises suspicion about motives.... i.e., why would XYZ deliberately misrepresent something utterly benign as some critical "threat" when it's quite clear to anyone - including XYZ - that it isn't any such thing? They must be up to something....

    I've already had it suggested to me that Embarcadero may have put this into circulation themselves in order to finally shift D7 luddites into the age of Galileo... utterly preposterous of course.


    I don't see that this incident "proves" anything new at all. The basis for this sort of code was established back as early as 1984 (http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf) and arguably before then because even without Turing's example, the theory in this case didn't *need* to be proved as it was based on a simple fact based analysis of the way in which compilers work. It just needed someone bored enough to actually do it.

    Anyone with more malicious intent could have done the same thing, and they didn't need this virus to prove that they could.

    The fact that such a stink has been made about it might now inspire someone with delusions of grandeur to show just how much better they are than the miscreant that came up with this benign piece of trash.

    Had we just ignored it, it may very well have "just gone away" (OK, it wouldn't have "gone away", but its existence would never have amounted to anything).

    Too late now tho.

  7. Ignore Jolyon and his SHOUTING. You're absolutely doing the right thing by reporting and analysing it and taking a balanced approach between, as you say, “OMG, the sky is falling” to “nothing to see here, move along.” Love your expressiveness.

    EMBC is looking like a more and more responsible and mature company by the minute. And D2010 looks terrific, BTW. Congrats.

  8. I see the real problem being the reputation of Delphi becoming viewed in the corporate world as not the one you want in your company, nor any application written with it, as after all, as mentioned in the media, it is the one that creates applications that contain a built-in virus.
    I worked for a large corporation, and those who are descendants of the pilgrims who burned people at the stake because they thought they were witches will not use logic and knowledge.
    What an opportunity for a Delphi user's competition to say "if you had used VS and .NET you would not have put the company's data at risk with your applications." I am not talking here about MSoft but the guys down the hall who did not get the assignment and can now tell management "I told you so."
    I hope it does not reach the level of fear I describe above, but the door is open for that train of thought.

  9. What Tom says is precisely what I thought when I first heard about the virus. The virus itself might be harmless for now, but it surely affects what people think about Delphi as a developer tool now, because there is a new way to distribute viruses and Delphi is responsible for it.

    Iwan

  10. I disagree with Jolyon most of the time, but I am afraid that this time he is completely correct. Producing fear will get you nowhere. Yes, it is possible that a new virus based on this one would be created even if nobody knew about this one, but now that it has got attention, the odds for that are much higher.

    Also I agree on antivirus point of view. They annoy me. Reporting false positives all of the time. But in the end if we were a little more cautious we would not need AV programs to begin with.

    And the battle with viruses is lost for them before it even began. Scanning for signatures means they are always a step behind and heuristics do not work very well in some cases. They should take a firewall route, reporting unknown executables trying to execute code or other action of such magnitude.

  11. Jolyon,

    Who said anything about reporting anything? As far as I'm aware, the virus scanner companies are already detecting this threat. But to attack and call into question the intelligence of the customers is also not any way to garner support for your view of how things are. Acknowledge that there is a problem and that you understand the fear. Then reassure them that this only affects products over 8 years old, is not malicious in any way, and is easy to correct.

    I'm totally aware of the *idea* of this code being established over 2 decades ago. What this proves is that someone has actually now gone and *done* it.

    What we're working on is a response that includes ways that our customers can appropriately guard against any future attacks. Maybe this will include code and utilities for them to use, or maybe it will only be a set of guidelines and steps. The point of this post was to merely state that we've *seen* the reports. We've quarantined and observed the virus and its behavior. We've verified that it does *not* affect any recent versions of Delphi (any version > 7).

  12. I guess one of the ways could be adding an option to the IDE, 'Disable command-line compiling'.

    This would be OK for users like me, because I don't compile sources from the command line.

    Not sure how to do that, but this option would be appreciated.

    The other thing I'm thinking about is something like checksums of all files from the Sources folder.

  13. @Michael: this virus affects both the command-line compiler and the compiler inside the IDE.

    @Allen: good post; I'll make sure to blog about your final response.

    --jeroen

  14. [...] read: A Tempest in a Teapot or something more sinister; Delphi developer virus exposes weakness in anti-virus defences; More on the Delphi Virus [...]

  15. [...] releases in between. Delphi 2010 will be the 6th release. And still the guys from Embarcadero are aware of this and will handle the matter. So, anyone which has a (by a wide margin) up to date Delphi [...]

  16. Allen - "proof" is only important when there's a question of doubt over the validity of a theory. There was never any doubt that this could be done. That simple fact is what was established 20 years ago.

    And who's to say that it hasn't been done before now but that there was no knee jerk hysterical reaction that made it to the headlines?

    The "reporting" comment related to the fact that people have been urging other people to submit reports to their respective AV software providers.

    So that more alarms can be triggered by the cat entering the study!!

  17. .... and your responses are becoming inconsistent...

    "Be afraid, this proves that more serious problems could develop .... but this only affects product over 8 years old so no real need to worry."

    Where's the concern that this theory proves a more damaging attack that might now manifest itself in CURRENT products?

    The way that the product(s) work has not changed and the theory established 20+ years ago applies as much to Delphi 2010 as it does to Delphi 4 thru 7.


    That latter sentiment is the one that should have been dominant. Words like "serious and credible threat" should never have been used, because it simply was never any such thing.

    More appropriate would have been to talk about of "perceived threat being unfounded... nature of this virus is entirely benign..." journalists making misguided claims about the level of threat without fully understanding the nature of the thing etc etc, accompanied by something like "it demonstrates that the theoretical basis for this attack is now being exploited and we, along with other tools vendors, shall be investigating means by which the attack vector can be closed. In the meantime, we advise that ...."

    etc etc

    It was primarily the use of inflammatory and disproportionate language that I took issue with.

    And I never, Richard, at any time "SHOUTED". I merely put my view, in a reasoned and argued fashion.

  18. Jolyon,

    I’m afraid your message is getting lost among the frantic pacing, hand waving and shouting. It seems that you’re trying to extend your hyperbole by vilifying every word I write. You point out apparent inconsistencies that are merely arising from the fact that we know more now than we did even two hours ago.

    The fact that you are downplaying that this *is* "malware" is also irresponsible and hyperbole in the opposite direction. It is "malware" by the sheer fact that it makes an unauthorized modification to one’s machine. That fact alone qualifies it as malware. The fact that it *replicates* qualifies it as a virus. Would you not still feel violated if a stranger entered your home, rummaged through a few things and then left, even if no "real" damage was done? You would be furious if when you called the police and all they said was "Yeah, there is a serial ‘rummager’ doing this throughout the neighborhood. No need to worry about it, they never do any damage." I think any reasonable person would seek to discover ways in which they can protect their family and property just in case said "rummager" decided to bring along an axe next time...

    Yes, that is hyperbole. But it also clearly demonstrates what even "harmless" malware and viruses do. So my life and my family were never put into harm’s way… does that somehow excuse the cretin that created this garbage piece of software? Does that mean we should just blithely go on as if nothing is happening?

    All we're doing is working on helping our customers both recover from a "rummaging" and to help them take steps to better protect from future "rummagings."

    Wow, we try and be up front and proactive about this, and this is what we get? Damned if we do damned if we don't... and people wonder why we are reluctant to even attempt to say anything sometime. Oh and if we don't "wordsmith" things just the right way, our words are parsed into minute little shards.

    Of course, does that reflect more negatively on the messenger or the one seeking to point out the folly of the message? Hmmm...

  19. Well we got burned by this virus as it landed in an update of one of our commercial products, which was released in mid July. Now we're flooded with mail from concerned customers getting virus warnings on our reputable software. Although the virus may be harmless, it certainly manages to damage reputation.

    After some frantic scanning, we discovered that the virus came from a demo program bundled with the trial version of SautinSoft RTF-to-HTML (www.sautinsoft.com). The file was dated April 1, 2009. So this virus has been on the loose undetected for more than 4 months!

    We fixed our software as soon as we discovered the virus and released the update on August 19. We also notified SautinSoft that their product is infected. But damage has been done...

  20. I don't think that only Delphi will be affected by this kind of virus. Sooner or later other compilers will be targeted too. So some kind of defense must be found as soon as possible.

  21. @Jolyon,
    The simple fact that this thing **EXISTS** is a serious and credible threat. So Embarcadero is doing right.

    @Allen,
    OK, guys. Do what you need to do. But remember: sensationalism exists and is very entrenched in many journalists (since they are always seeking the next "stop the machines" news). Distortion of what is said is not uncommon.
    Jolyon is right in saying that wording in these cases needs to be measured tightly. I do not know, but sometimes it is better to centralize on one person (in this case, maybe the right ones could be Nick, Mr Rozlog - or even David I, since he has been a known face of the Delphi team for so many years and is a charismatic person) and let the talk be through that person.

  22. I think EMBC is doing fine, finding a "solution" to an existing problem, but there should be a statement explaining this could (might) be implemented in any compiler out there and is not just a Delphi thing.

  23. Hmmm, lots of denial in some of these posts ...

    As Allen said, unauthorised changes are made to your code base, and the thing is self-replicating. What's to stop a kiddy scripter from adding code to a different core .pas file that DOES do malicious damage? Nothing AFAICS - so Embarcadero are right to treat it as a "serious and credible threat".

  24. Oh, for Christ's sake Jolyon, STFU! Your constant histrionics are as predictable as they are tedious. You actually write an interesting blog most of the time, but hectoring is your least unattractive quality.

  25. To avoid infection with this specific virus, just place a file named sysconst.bak in Delphi's Lib directory.

  26. GSA has developed a freeware tool that can remove the Win32/Induc.A virus completely from executables and let you start them again without your anti-virus complaining about it.

    http://www.gsa-online.de/eng/delphi_induc_cleaner.html


Please keep your comments related to the post on which you are commenting. No spam, personal attacks, or general nastiness. I will be watching and will delete comments I find irrelevant, offensive and unnecessary.