Comments on: Delphi developer virus exposes weakness in anti-virus defences

By: SautinSoft

SautinSoft — Mon, 24 Aug 2009 06:33:34 +0000

Eric, Thanks for noticing about this virus, we've fixed the problem. Use this link to download the fixed version of the RTF-to-HTML DLL component. SautinSoft team

By: Eric Fookes

Eric Fookes — Sat, 22 Aug 2009 19:42:24 +0000

Well, we caught the virus after testing the trial version of SautinSoft RTF-to-HTML (www.sautinsoft.com). The date stamp of their demo program was April 1, 2009. It then infected an update of a retail product we released in mid-July.

Of course, our system is well protected and we had scanned our product through an array of anti-virus products before releasing it (www.virustotal.com). At that time, it was a perfectly safe executable. Now we’re flooded with mail from concerned customers getting virus warnings on our reputable software. Although the virus may be harmless, it certainly manages to damage reputation.

Would we have been safer using an offline computer for our development? No, because we rely on third-party components and testing the SautinSoft RTF-to-HTML product on our offline computer would have infected it just the same.

By: Sig

Sig — Fri, 21 Aug 2009 14:47:58 +0000

yes i found an older project on my VM date 19.02.09.

By: Craig

Craig — Fri, 21 Aug 2009 05:12:20 +0000

“The versions of that “Induc” crap only affects old Delphi versions, not the users machines at all.”

One of our biggest banks here (in Australia) are still on Delphi 6. They are (slowly) replacing their Delphi apps with Java. But with 4000+ workstations to look after, it takes them a long time to do anything.

By: tim

tim — Thu, 20 Aug 2009 20:32:54 +0000

@Javier well, the problem is a real one even though it won’t affect most users. It’s surprising in a way that Sophos has given so much publicity to its own failure – this malware was around for ages undetected by its software.

Tim

By: Javier Santo Domingo

Javier Santo Domingo — Thu, 20 Aug 2009 20:11:25 +0000

I think you are so mild with SOPHOS, its more than “scaremongering”. SOPHOS report lacks of knowledge, literally. Richard Cohen and Graham Cluley are inventing an issue for the users where there is none. The versions of that “Induc” crap only affects old Delphi versions, not the users machines at all. Its almost defamatory for the Delphi brandname (read the articles). Its a shame, and there is no email to complain to them. Thats coward.
Anyway may be it ends up like free adverstising for Embarcadero heh, but i dont know how good it is…

By: Uwe Raabe

Uwe Raabe — Thu, 20 Aug 2009 17:46:11 +0000

One solution is to deploy only executables that are built on a “clean” build system. It may be easier to keep such a system clean than the actual developer system.

By: tim

tim — Thu, 20 Aug 2009 13:33:31 +0000

@Alex @Martin all valid issues. In the case I know, there is an isolated 2nd internal network for development – though there must be some manual traffic between that and Internet connected machines. I am not arguing for it, but I can see that is helps reduce some risks.

Tim

By: Alex Atkin UK

Alex Atkin UK — Thu, 20 Aug 2009 11:07:51 +0000

So how much hassle is doing software updates if the machine is not connected to the net?

Also, how would that work anyway? If the code is being developed on a machine that IS on the net (by that I mean any network as even a private LAN increases the risk considerably as any one machine on that LAN may be infected with something), there is always chance of infection from whatever media you are using between that box and the compiler box.

The fact you are switching files between a net connected box and an isolated box just means your isolated box is open to anything the net box is subjected to, with the added catch it wont have virus protection or the latest OS updates. Surely that negates the benefit of it being isolated to begin with?

Sure you can probably request all these updates on disk but you are still trusting the source of those disks do not have any infection themselves.

So at the end of the day, is there as much benefit of having an isolated machine as first thought?

By: Martin

Martin — Thu, 20 Aug 2009 11:04:08 +0000

One of our business applications was infected. The .exe was built in May this year. It would seem that one of the development systems was compromised so only .exes built on that machine were shipped with the malicious code in. No one here develops in Delphi so we haven’t suffered any damage, only the inability to use the app after Sophos started picking it up.

As for not connecting development machines to the net – what if you want updates to e.g. subversion, anti-virus, etc? I guess you could have them only on an internal network, but…