New virus infects programs built with Delphi

Discussion in 'malware problems & news' started by ronjor, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,722
    Location:
    Texas
    Story
     
  2. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    451
    Location:
    Cleveland, Ohio USA
    I came across a sample about 3 days ago. About 23 anti-virus vendors seem to detect the sample I have, according to virustotal.
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    If I'm reading this correctly, this is a pretty interesting virus. It doesn't seem to infect existing executable files at all, or do anything except mess with some Delphi versions installed on the system so that anything compiled with them also gets infected. Basically, it does nothing that any normal user needs to care about, except that it shows they're running code from developers who are obviously very careless with their security.

    Almost as if someone was trying to prove a point that some developers aren't exactly running secure systems and are placing their clients and users of their software at risk.
     
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Article on SecurityFocus:
    http://www.securityfocus.com/brief/999

    May I quote this part:

     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    FanJ

    I don't see why not, and Thanx for doing so.
     
  6. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    Interesting info about the Ken Thompson hack here.

     
  7. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,935
    Location:
    London On
    Good Morning! In running a deep scan with Vipre, this virus .w32 induc.a(v) was detected with a high rating on the infection chart on Vipre. It states that it was detected on C:\PROGRAM FILES\GLARY UTILITIES\ENCRYPTEXE.EXE. I submitted this to Sunbelt's Tech Support last night, Fri. 08/21/09, and they'll probably respond back with some definitive info on Monday. I suspected this to be a False Positive, but based on your info this might not be so. So in summation what exactly is this? And as a footnote, when trying to eliminate the infection by enacting Clean and Remove, this action failed. So am I still infected, because my P.C. still seems to be o.k. from an operational standpoint. And I forgot to add, when submitting the file to Threat Net it merely stated Cannot Find Threat! So I'm partially relieved in knowing fellow Wilderites have encountered this problem, it seems, before Sunbelt Labs have. Sincerely...Securon
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Here's a funny thing !

    A lot of Malware is written in Delphi, so it's ( possible ) that this Malware could infect other Malware that might be on, or get on, people's PCs. That would be interesting lol.

    -

    Securon

    Lots of hits for Glary Utilities encryptexe.exe in various flavours, eg -

    The unsafe files using this name are associated with the malware group: * Cloaked Malware

    http://www.prevx.com/filenames/39266582711070222-X1/ENCRYPTEXE.EXE.html


    So until you hear back from Sunbelt I would play safe and keep alert. Try to rename it to .exex to block it.

    And/or use MBAM etc to scan it, and upload it to http://www.virustotal.com etc
     
  9. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,935
    Location:
    London On
    Hello! Many thanks for your input Stevie O! Ironically I ran a scan with Prevx 3.0 just after the Vipre scan and nothing found, but will scan with MBAM and see what materializes. Sincerely...Securon
     
  10. demonon

    demonon Guest

    Besides the money and the fame, a lot of hackers and malware writers make their malware for this purpose.
     
  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Glary Utilities version 2.15.0.728 was actually infected with this virus, AFAIK. Update to the newest version 2.15.0.738 which should be a clean one. Clean, at least from this particular virus...

    Other than that, this virus isn't a real threat to regular users. It doesn't do anything except try to infect some Delphi files, and unless you have one of the targeted Delphi versions installed, it does nothing except make AVs give alerts on it. So, no reason to panic or anything.
     
  12. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,935
    Location:
    London On
    Good Evening! Thanks for the timely info Windchild! I'll submit the Virus in mention to Sunbelt Sandboxie so their Tech's can evaluate it! Once again many thanks. Sincerely...Securon
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Some thoughts...

    This particular infection was harmless for end-users.
    But what if it wasn't or a newer one will not be so harmless?

    Let's think about it for a moment.

    As noted above:
    For example, Ken Thompson already in 1984 pointed to possible dangers for compiling environments.
    And for example, Vesselin Bontchev already in 1992 pointed to the Compiler virus and how dangerous it is for relying on integrity checkers (integrity checkers were the topic of that paper).

    Who can you trust?

    You download and install a program from a well known and trusted company.
    The company that makes programs has to make absolutely sure that its developing environment is clean and cannot get infected in any way.
    Maybe that company uses a programming tool from another company, so the same goes for that other company, etc.

    Let's say that nevertheless the installed program is still infected.
    The first problem arises when your AV (AT, AS, etc) doesn't flag it as infected.
    Depending on your security tools and on how clear the results of that infection are, you might not notice it.
    You trusted that program, so you clicked 'yes' when you got questions from your security tools to allow it.
    No black/white listing, HIPS, integrity checker, firewall, cloud-whatever, etc., helps you here; it is game-over.
    Well, you could say against this: there is no infection when there is not any other suspicious thing happening....

    Another worrying thing in this particular 'Induc.A' case is:
    For how long did this thing already exist?
    Was it really that dormant?
    Couldn't the AVs detect it earlier? Some AVs posted excuses why it was not detected earlier.....
    More worrying:
    AV companies 'laughing' at developing companies (saying they are now accusing us of false positives.....), while that same AV was used at that developing company.
    Even more worrying:
    AV companies refusing to answer questions when they're being asked to have a closer look at such a flagged file, while the developing company states it is not infected, and to report back.
     
  14. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Good post, FanJ. :thumb:

    Then you'd be in trouble, obviously. ;) Which is really a good thing to acknowledge. People these days, even supposedly security-conscious people like posters in a security forum, will execute all kinds of stuff, thinking it's clean if some AV didn't say it is infected. People will trust, seemingly without any consideration, the most shady "anti-rootkit" coded by nameless people who go by unimaginative aliases and live in some undisclosed location with complete and full control of their system - loading drivers, fiddling with kernel hooks, everything. Has it ever occurred to these people that this might not be the smartest thing to do? What is to prevent, for example, some guy from coding a new malicious "anti-rootkit" and setting up a "legit" looking web page and discussion forum for it? The product could start with some very primitive detection and perhaps one promising feature, and it would appear to do nothing malicious on the systems it was executed on, except perhaps cause a bit of stability issues (and we all know that happens with these things). But perhaps there is very well hidden and obfuscated code inside this "product" that just waits for a certain date to come, like 1.1.2010, and then it turns all those computers into happy little zombies, perhaps stealing confidential data from those systems. And the fun part? It will be hard to detect, considering it's in the kernel and can do anything it pleases like send encrypted traffic past software firewalls (and call that a "check for updates", perhaps, for maximum irony) or mess with security software. And people already expect some other products to detect it as a "false positive" "hidden rootkit driver" or something like this, since it's supposed to hide itself from the rootkits it is supposedly trying to detect! :D Unlikely? You tell me. Impossible? No, certainly not. Are there good guys making nearly any given type of software? Yeah. Could some devs be black hats? Yes. How can you tell?

    That depends on what one is trying to protect. Protecting a system that never has any important data like credit card numbers entered into it? You can trust a lot of devs and companies, because even when they mess up it won't be that big a deal. Protecting a system that contains all kinds of important data? You can trust much fewer parties. Protecting systems with data of national security level of importance? You can't trust anyone except your agency, and you need to do a lot of research into the third party code you're planning on running.

    Yep. Makes one think twice about executing some random utility from some random company, doesn't it?

    One could always say that this is exactly why they use HIPS - to inform them of trusted programs doing strange things. But then, how effective is that really? Foolproof? For example, you install an advanced text editor of some sort. It happens to be infected with some data-stealing and very clever malware. Will you really be suspicious if your HIPS tells you that this text editor wants to access "potentially confidential" files in your My Documents folder, especially if it does this when you yourself are trying to open a text file from that folder so you can edit it with this text editor? Are you really going to say no? What will you do when the text editor tells you it can't open the file you were trying to edit because something blocked it from doing so? Yeah, you're going to just click yes to those HIPS prompts, and make sure it doesn't ask again. And are you going to be suspicious if two days later, the text editor tells you it wants to check for updates, and then does, and the HIPS warns you it's trying to connect to the internet and send data? Are you really going to say no? Probably not. And at this point, your confidential data is going to be uploaded to the bad guys' server. Owned. The shotgun attacks aren't the bad part here. If you're making a malware that you intend to infect ten million people with, you're possibly not going to bother with trying to make it clever enough to evade HIPS and other such things. If you're making a targeted attack against some organization, or aim to infect only a limited number of users to stay under the radar for a while longer, you might just do that. So, it would be foolish to rely on some HIPS or behavior blocker to tell you when a trusted file is no longer trusted. Sometimes they may be able to do that. Sometimes, they fail. If one executes untrustworthy stuff and believes HIPS will save them if something suspicious is done by the program, they might end up disappointed at some point.

    As far as I know, it's existed for over a year, and never was dormant in any way. All that time, it was slowly infecting Delphi installations and getting compiled into apps that would then also be infected and spread it further. The only way in which it was dormant is that it didn't do anything that even AVs would have noticed. ;)

    They could have detected it much earlier if they were as good at their jobs as many people unwisely hope and trust they are. But in reality, detecting something like this is often pretty much an accident. How would the AV guys have detected this? Perhaps they randomly come by an infected file but don't know it's infected, maybe it was reported as suspicious because it was packed with UPX or something. Maybe they test it a little in some custom virtual machine. It doesn't do anything malicious - there's no Delphi installed on their test virtual machines. They won't seriously research it, most likely, and won't notice what it wants to do. I'm afraid the way stuff like this is detected is that some vigilant and/or paranoid user notices some of his Delphi files just strangely changed after running some program that isn't supposed to affect them - checksums don't match any longer - or perhaps someone tried to compile a really small and simple piece of software and then looked at it to check how it turned out, and got surprised by finding stuff inside it that he didn't mean to put there. They report this to an AV company. AV company does research, adds detection and writes scary hype articles about a very threatening virus that they fortunately detect (yeah, they detect it now, after it's been out for months and infected thousands) and urge everyone to immediately buy their AV.

    Business as usual, unfortunately.
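    FanJ's post above mentions integrity checkers and Windchild describes the tell-tale sign of this kind of infection, toolchain files whose checksums no longer match. The script below is an added example, not code from the thread or from any of the vendors named in it: it baselines every file under a compiler's install directory, stores the manifest, and reports anything modified, added or removed before the next build. The directory layout and file names in the demo are constructed for the example; point a real run at the compiler's actual install directory, and keep the baseline manifest somewhere the build machine cannot silently rewrite (read-only media or a signed file on another host).

```python
"""Baseline-and-verify integrity check for a build toolchain directory.

Added example; not from the forum thread. It models the 'integrity checker'
approach discussed above: hash the compiler's install tree once (the
baseline), then re-verify before each build so that a silently modified
library unit or compiler binary is caught before it is linked into a release.
All paths and file names below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline manifest.

    Returns the lists of modified, added and removed files plus a 'clean' flag.
    Added files matter too: an infection can drop a new unit that the build
    then picks up, not only rewrite existing ones.
    """
    current = build_manifest(root)
    modified = sorted(k for k in baseline if k in current and current[k]["sha256"] != baseline[k]["sha256"])
    removed = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {
        "modified": modified,
        "added": added,
        "removed": removed,
        "clean": not (modified or added or removed),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake toolchain, then tamper with it.

    Returns the verify() result before and after the tampering so both the
    clean path and the detection path can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "bin").mkdir()
        # Constructed stand-ins for compiled library units and the compiler binary.
        (root / "lib" / "SysConst.dcu").write_bytes(b"\x00original compiled unit\x00")
        (root / "lib" / "System.dcu").write_bytes(b"\x00another unit\x00")
        (root / "bin" / "dcc32.exe").write_bytes(b"MZ constructed compiler stub")

        baseline = build_manifest(root)
        # Round-trip through JSON exactly as a stored manifest file would be.
        stored = json.dumps(baseline, indent=2)
        before = verify(root, json.loads(stored))

        # Simulate a silent modification of one library unit plus a dropped extra unit,
        # the pattern a compiler-infecting virus leaves behind (constructed content).
        (root / "lib" / "SysConst.dcu").write_bytes(b"\x00original compiled unit\x00 injected")
        (root / "lib" / "Extra.dcu").write_bytes(b"\x00unexpected unit\x00")
        after = verify(root, json.loads(stored))
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("before tampering:", result["before"])
    print("after tampering: ", result["after"])
```

    Note that the baseline only helps if it is taken from a known-clean install and protected from the same process that could modify the toolchain; a manifest stored next to the compiler, writable by the build user, is what a compiler-targeting infection would rewrite along with everything else.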
     
  15. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    ... I know it's a trojan, I know it shouldn't be there, I know this method of infection *can* cause major issues for consumers and companies, but the code is clean.
    Why are AVs detecting it if it doesn't do anything and is not malicious? Isn't it considered a FP if AVs detect code which is not malicious? - there are no dangers in running these files, are there?
     
    Last edited: Aug 23, 2009
  16. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    It's not a trojan - it's a virus. That's why AVs detect it now. The code is not clean. The code is infected with a virus that replicates silently, without permission from the user, by spreading itself to files that only exist on systems that have Delphi installed. Silent spreading by modifying other files without permission is bad, and it's classic virus behaviour - it's just not very dangerous in this case. So, AVs should definitely detect this and everyone who has been infected with this virus should acknowledge that they got infected and take measures to correct matters - consider tightening security, reconsider who you trust, at least delete or replace infected files and such things. Fortunately, the virus does nothing but spread, and it spreads in a very unusual way that viruses seldom use. It poses no real threat to people, since it doesn't do anything truly destructive or dangerous: it doesn't destroy code, doesn't steal data, doesn't create backdoors or initiate spam campaigns or denial of service attacks.

    In short, it's a harmless virus, but it still is a virus, and should be treated as such - it's certainly not a false positive to detect it as a virus, because it is a virus. If you're a home user and one of the programs you use is infected, you don't need to panic or do anything much. Just delete the infected program and perhaps replace it with a newer, clean version - or don't, and accept that you have a harmless virus in your system that won't do anything if you don't have Delphi installed. If you're a developer, then you need to man up and realize that even though this virus you were infected with was harmless, it could have been something much worse and your security policy failed to prevent it - so you need to learn from it and secure your development environment so that stuff like this doesn't so easily happen.
     
  17. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,935
    Location:
    London On
    Good Morning! Many thanks Windchild. I contacted Sunbelt and fully explained to one of their tech reps the nature of my problem. Their tech's reply was to forward the threat to Sunbelt's Sandbox so their Research people can examine it. Thing is, I already did so immediately after the Virus was detected by Vipre, and the response was a no Threat Found. Question being, how is my submitting the sample going to be of any use if the virus doesn't register with Sunbelt. As a footnote, your explanation is far more comprehensive than anything coming from Sunbelt. I know they monitor Wilders on a regular basis, and was surprised at their non response regarding the Virus. Once again Windchild many thanks for your knowledgeable reply. Sincerely...Securon
     
  18. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    This seems to be a very real current issue: ? Avast might have been onto it first
    interesting scan results in thread here - check the dates:
    http://www.dslreports.com/forum/r22885958-Free-Glary-Utilities-2150738
    Avast blog: http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/
    ? Kaspersky had some positive detections Aug 15
    Sophos:
    http://www.sophos.com/blogs/sophoslabs/?p=6117 (already linked above)
    http://www.sophos.com/blogs/sophoslabs/v/post/6189
    http://www.sophos.com/blogs/sophoslabs/v/post/6195
    I'm sure there are others...
     
  19. NickHSunbelt

    NickHSunbelt Support Specialist

    Joined:
    Apr 13, 2009
    Posts:
    177
    Location:
    Clearwater, Florida

    I'm not sure who it was you may have spoken with but at this point I know all of our support techs are aware of this threat. It's really nothing to be too concerned about. Yes, it is a virus by definition and VIPRE will detect it. Since this virus causes no actual harm, VIPRE is set to report only with this threat and will not remove infected files. The real harm caused by this virus is when the infected files are ripped out causing whatever software the files are associated with to not work correctly. In the cases we've seen with this threat we have just been advising customers to uninstall the software related to the infected files and install a clean version as most software carrying this virus has released new versions that are clean.

    When you contacted someone here, did you contact our support department or someone from another department? If you contacted support, I'd be happy to look into what went on with your ticket and be sure the tech you spoke with is up to date with this issue.
     
  20. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,935
    Location:
    London On
    Dear Nick! Many thanks for your response and concern. My ticket #313064. The support tech stated that they weren't sure if it was a false positive or not, and couldn't find much else as to whether it was a threat or not. As a footnote Sophos, Prevx and Avast were all aware of the threat, if that's what it is. Once again thanks for your response. Sincerely...Securon
     
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    It boils down to levels of trust. When you install your OS from scratch, how certain are you that the code *and* the compiler is clean? We can take it even further: when you buy a new CPU or motherboard, how sure are you that the microcode or BIOS code was not coded by some malicious Chinese hacker?

    At some point we have to trust the hardware manufacturers and the OS devs. I don't care who you are, no one has the expertise in the required languages to go through all the hardware code, firmware, BIOS, OS kernels, compilers, etc. and be able to spot all possible security flaws. A skilled hacker could always put a backdoor in one or more of those domains. As was stated above, Ken Thompson did just that -- he actually had compromised most UNIX systems (through an invisible compiler trojan) for over 15 years before he admitted his naughty deed at his Turing award speech in 1984. He essentially had backdoor root access to any machine compiled with his compiler -- and even if one examined the compiler code itself, one would not see his backdoor.

    So, the way I see it: the best we can do as private citizens is to trust the hardware, and trust the base OS. Open-source OS's will typically be better because they are transparent (at least they allow anyone to look at code). Anything beyond the base OS we can do something about and AV software is not the answer.
     
  22. Aberrant

    Aberrant Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    5
    Location:
    Downunder
    Well 'said/expressed'. I could not have expressed any better myself. This is exactly what my thoughts are on the matter as well.

    Open source OSs are also less likely to be targeted due to the psychological mindset that it is free, whereas commercial OSs are normally targeted due to the 'higher' stakes and many having it in their heart to ruin any developer who chooses to sell their software. But, then you have the few minority anarchists who only have it in their heart to destroy with little or no motivation, regardless of fame or fortune.

    It comes down to this; every person should have at least two computers, one for the internet, and one for their personal data and software in general. Making sure not to network the two and/or swap files to and fro (i.e. to avoid the classic USB transfer). :doubt:

    This is a never ending battle people. So long as the current standards are used, such as software on *NIX systems (incl: M$). I propose that we design a totally new OS that is more secure and does not use the typical methods of today's computers. Well, at least IPv6 is one step towards eliminating threat and malicious acts (long story).

    On a hind note, though I am an advocate of privacy, I also believe in order to bring to justice people responsible for releasing malicious code on the internet there has to be some kind of transparency from the ISPs to hand over details of such people to the local authorities. Also more censoring ought to be done, such as; blocking all proxy sites (a typical gate for malicious people).
     