Running Windows Viruses Under Linux

ResQuad writes "Everyone loves Windows viruses, right? Well, the crazy people over at NewsForge (owned by the same people that own Slashdot) decided to try running Windows viruses with Wine. So next time you receive an email virus, strike up Wine and see what you can do (or not)."

Obligatory

Will this run on a Lexus?

Re:Obligatory

Don't give them any ideas. Next thing you know we'll see Norton antivirus:Auto 2005 - guaranteed to keep your system virus free AND improve your gas mileage!

Re:Obligatory

Along with my 3-month oil changes, six month tire rotations, and annual checkup, I need to buy a new LiveUpdate license so my car won't crash?

To be fair, if I spent that much on a Lexus I should expect to see pictures of Anna Kournikova.

Re:Obligatory

For that amount of money, I'd expect to see her in the passenger seat.

Although, I'm sure my wife would not agree.

Re:Obligatory

For that amount of money, I'd expect to see her in the passenger seat.

For that amount of money, I'd expect her in the back seat. And while my girlfriend might not agree, she could certainly join.

Re:Obligatory

I'm willing to bet that upon looking back, this statement is going to be much less funny in 10 years.

If you do this,

If you do this - run the exploit code - can you spell it Whine?

Whine is Hazardous, even If Not and Emulator

Wine is not an Emulator.

Lets see just how non emulator wine is... If the virii own it, its an emulator, if not, its telling the truth.

Bwhahahh...

Re:Wine is not an Emulator.

Mod parent up and insightful

Re:Wine is not an Emulator.

Mod parent up Informative. Mod this post Funny.

Re:Wine is not an Emulator.

Yeah, just like lame ain't an mp3 encoder. Names aren't always the full story. Wine definitely is an emulator in that it emulates, it just does it on a different level than most emulators, so it doesn't have many of their drawbacks, like the slowness.

Re:Wine is not an Emulator.

Just because that's what the developer's claim, it doesn't make it so.

If it quacks like a duck, walks like a duck, and looks like a duck, it's gonna be a duck.

Wine, acronym or not, is an emulator.

Dinivin

Re:Wine is not an Emulator.

You are correct.

We have "bling bling" and "ain't" in dictionaries. Marijuana is legally classified as a "narcotic", when in pharmacology only opiates can be narcotics.

The language changes. It may suck, but it's reality.

LK

Native ports now!

Oh my god, how many times do we have to say it? People, running Windows software under WINE is not a solution. I say all Slashdotters should boycott these software vendors until we get a serious commitment from them to do true, native Linux ports of their products.

And for that matter, why aren't their open source alternatives to this software already? The open source community won't stay competitive by resting on its laurels.

Re:Native ports now!

<sarcasm>

Yes, I demand that there be open source native Linux ports of all Windows viruses!

</sarcasm>

Re:Native ports now!

Yes, it is a solution. Especially in situations where you have persuaded your friends and relatives to use Linux, but they still want to use some crappy Windows software because they are used to it, and there are no free/open-source ones.

Furthermore, the 2% of Linux users don't really constitute a meaningful profit motive for these companies. We need to do more to get Linux on the desktop before they'll jump off the MS ship.

No desire

It's simple. A lot of specialty software is very boring, and there just isn't any interest in the OSS community in developing similar software.

Many businesses, especially real estate, banking, auto repair, fast food, and hotel management, rely on software written for windows many years ago that, for them, functions just fine.

They're not techies: computers are not their business. Their business is their business. They're not going to invest resources in developing what they already have just so it can run on "another kind of computer." WINE is the perfect solution for these applications.

Maybe, years from now, when they're running -ALL- of their software under WINE, they might realize that there's a better way.

Until then, good luck finding good programmers who are psyched to write hotel reservation management software that will interface an archaic database platform for free.

Projects like Open Office and The GIMP don't suffer from this problem largely because they're applications that Linux users need on a regular basis. When was the last time you needed to track your fast food orders?

Re:Native ports now!

I used to work for a 5-person company. We easily ported our main ap to linux, but a critical tool we used to build our code was developed for windows. It was gui-centric, so a port would be difficult, and besides, all the programmers were algorithm people, not gui people. Wine was a godsend - our old tool just worked, and it saved us a lot of time. Boycotting ourselves wouldn't have gotten us the needed people to port it.

Combatibility! Yes!

The last barrier between widows and linux is slowly but surely being eroded by the WINE engineers.

Brilliant work guys!

Yes, but

What would RMS say?

Is that virus Free Software?

Re:Yes, but

That's GNU/MyDoom

Or maybe MyGNUUM?

What is MyGNUUM? MyGNUUM is a port of the popular Windows mass-mailer "MyDoom." It is licensed under the GNU GPL, which some have criticized as a "viral" license.

Damn worm writers...

Programmers these days, don't they even CARE about cross-platform compatability!?

Re:Damn worm writers...

Programmers these days, don't they even CARE about cross-platform compatability!?

Right. At least the Morris Worm was distributed with the Source Code and was cross-platform. Go look for something like this today.

That's awhole lot of differences

True AV and AT (anti-trojan) SW engineers uses VMWARE [vmware.com] for their studies and dissemination of malacious flotsam of codes floating around the internet.

But the article is "A Good Thing" because it shows EITHER that Wine isn't 100% Microcrap or is more robust against viruses.

Take your pick.

about time. I almost forgot what a virus was

Its nice to see someone finally exploited this long missing aspect of linux. What better way to make a windozer user feel more at home than with their old virus friends.

Nice article, and congrats matt [mailto] on your first article.

-Craig

Done it. It works. Kinda.

This past December, one of the engineers at my workplace gave a presentation on WINE. Since I'm the security guy, somone asked me if Windows viruses ran under WINE. So I tried three: Lovgate, a Mydoom variant, and a Netsky variant.

Lovgate simply exited without doing anything. Mydoom actually crashed WINE into its debugger. The Netsky variant, as the article describes (SomeFool is Netsky) actually ran. Moreover, it did a passel of DNS queries and actually tried to send e-mail (which was rejected). So, if that e-mail had been accepted, Netsky would have been able to propagate under WINE. As in the article, Ctrl-C proved necessary and effective.

To make a long story short, yes, some Windows viruses do run under WINE. Of course, you have to tell WINE to run them -- not exactly the social engineering that viruses are intended to do. However, as WINE gets more popular and reliable, I would expect that this will be more of a problem for people who choose to (e.g.) run Outlook in WINE.

(For what it's worth, WINE isn't the only way to run Windows viruses and worms on your non-Windows system. I've had to explain to users that yes, their VMware or Virtual PC system is quite capable of getting wormed, and that yes, they did need to do their Windows Update on that "virtual" Windows system, too.)

Re:Done it. It works. Kinda.

Not 'kinda' here.

Propogated.

I executed a viral attachment once about 4 months ago, and then forgot about it ("Haha! That can't possibly work."). A couple hours later, my 'abuse' address had a complaint. Source IP was my SuSE workstation. Thunderbird even deep-sixed a spam that was sent by my own machine to me. D'oh!

How long before..

The wine developers get a non-compliance notice from Bill forcing them to comply??

Now, how can you claim full compliance unless you run my viruses too..goddamn it!!

Discussed in Ask Slashdot

Oddly enough, this was discussed in an Ask Slashdot [slashdot.org] in October 2003.

- Greg

What about spyware?

I run Windows spyware under Wine. I also emulate IE6 so I can use CoolWebSearch and other cool searchbars! I have this cute Bonzi Buddy and a system tray icon which tells me the weather!

How many times do I have to tell you k|dd|35...

...to stop Wine-ing

Geeze!

Secret APIs

Running Microsoft programs is the hardest for Wine because they use secret function calls. The Virus writers (presumably) aren't insiders so don't know about the secret APIs. Should be easy for Wine.

Re:Secret APIs

Running Microsoft programs is the hardest for Wine because they use secret function calls

Current CVS versions of Wine can install and run the major MS applications, including MS office and Internet Explorer. Why would you do such a thing, I hear you ask? Because users still use Windows and as developers we still have to write code that interfaces with those applications. Absent that, OpenOffice and Konqueror or Mozilla work perfectly well.

Isn't this story

a couple years old? I'm sure I've seen it before, and I'm pretty sure it was on slashdot.

PE on linux

Linux kernel now supports foriegn binaries. IIRC, some patches are available to enable support for PE binaries (Windows native binaries). If dependencies are kept low, with some clever programming, virii that run on multiple platforms are possible without something like wine or java.

Why?

Though it's good to know that WINE will do what it's supposed to do--execute code written for Windows, it's kinda silly to think it wouldn't.

Maybe they'll post a story about, "Why do dumb users get to have all the fun? Why shouldn't Linux admins get in on all the insanity, too? Today we'll be doing rm -rf / to see what happens!"

Let's not go to Camelot. 'Tis a silly place..."

Evaluation

This article ran fine under firefox and delivered interesting content. The methodology was fundimentally flawed as viruses use obscure problems in Windows. Nevertheless, I'll give this article four meta-penguins, for a score of 4/5.

Been there, done that '99

Right before Y2K, there was a worm/virus/whatever called Happy99.exe. If you secured your wine installation prior execution, you could watch the pretty fireworks it produced without harming your installation.

Old-school virus propogation...

From the article:

Oh sure, I could manually forward these viruses to the folks in my address book, but where's the fun in that?

This reminds me of the old standby text-based, system agnostic viruses, some of which can be seen here [nerdherd.com].

Wine devs test for this

At the last WineConf (almost exactly one year ago) some of the Wine developers were testing the hot mail virus of the day to make sure it ran. That was the one that activated as a DDoS on www.sco.com. It ran, and after putting making www.sco.com resolve to 127.0.0.1 in /etc/hosts it attempted to take down the local machine.

We also found the back door, and came close to getting arbitrary programs to run from it, but supper came before we got that part working. We think it would have worked if a free meal hadn't gotten in the way.

So now you know. If a windows virus doesn't run under wine you can thank CodeWeavers for buying everyone a meal before we got it implimented.

The Sound of One Hand Clapping

So, if WINE fails to properly run a Windows virus under Linux, is it considered a bug or a feature?

Re:The Sound of One Hand Clapping

Yes

Wine - could do better

Obviously work is still needed on Wine to make it more Windows compatible :-)

Am I Missing Something?

Hello, fellow Slashdotters,

I use Microsoft Windows XP, Professional Edition, Service Pack 2; yet my computer is missing the viruses mentioned in this article. Where did I go wrong? My Web browser is Mozilla Firefox 1.0, and my e-mail client is Mozilla Thunderbird 1.0. Should I change these? Microsoft Internet Explorer 6.0 SP-2 is resident on my computer for testing my websites in this popular program. Should I browse more freely with it? I prefer to use open-source-licensed software on my computer when possible (except the OS itself, although I do have an underutilized Debian partition). Should I start downloading random programs without being sure they do not contain any kind of malware?

I just want to get along better with my fellow Windows users! Please, help!

Linux viruses already exist!

I suspect I may have a virus on my Linux system. The other day I switched the computer on, and it took a very long time to boot - and kept spewing out all this cryptic text as it did. After I logged in, I noticed that my desktop menu had a lot of strange, poorly documented programs in it, some of which didn't seem to do anything useful. The configuration system was strangely flakey, popping up tabbed windows that wouldn't go away when I clicked on other options. Various programs worked partially, but in some of them the clipboard didn't work properly and in others the windows widgets and controls looked wrong. A few would randomly open shell windows when I tried running them, even though they were GUI programs. The windows theming/skinning system worked partially, at best. I tried running a graphics program, but it just opened up lots of windows all over the screen and I couldn't get it to do anything reasonable, so I gave up. I suspect it was the cause of the virus infection, in fact, because it was called some insulting and childish name that had nothing to do with Graphics or Image Manipulation Programs or anything else. Oh, and there's this picture that shows up everywhere, of some kind of anatomically improbable cartoon bird with an eating disorder, which is either a symptom of virus infection or else a failed attempt at coordinated branding by a lot of uncoordinated programmers.

In general, my Linux system seems to be totally hosed. I think I'll go back to Windows.

Re:His point?

The point being its not a zip file to begin with. its simply disguised as one.

Re:Running Linux Games Under Windows

Solitare. It's the only game I care about.

Because it didn't execute the not-zip file

When a zip file on Linux is not a zip file, you get an error.

When a zip file on Windows is not a zip file, you get some system enhancemnets you may not have wished for (or would even wish on your worst enemy).

Re:Because it didn't execute the not-zip file

No you don't, extensions have always been handled by the associated application. If you change an .exe to .zip and try to run it, you get a corrupted zip file error message.

File Associations, RH 7.2 and Windows Viruses

When a zip file on Windows is not a zip file, you get some system enhancemnets you may not have wished for (or would even wish on your worst enemy).

Uhhh... no. File associations are based on extensions. It's probable that you've forgotten to turn off the Explorer "feature" of hiding extensions for known filetypes. This way, you get sexygirls.jpg.exe which appears as sexygirls.jpg, or xxx.zip.scr which appears as xxx.zip. Most people are ignorant enough to leave that "feature" enabled as per Microsoft's negligent default; furthermore, most users who are pseudo-capable with computers will click on it with the flawed reasoning that, "Well, it's a JPEG, so it can't be a virus".

Furthermore, years ago I ranted on my website [glowingplate.com] that it was *very* possible to run Windows e-mail viruses, etc. under Wine. So easy that, with Red Hat 7.2's default associations which launch Wine to run DOS/Windows apps, I accidentally infected my Wine directory while demonstrating Linux freedom from virii... "Moving right along, you can see how well Linux can emulate Windows well enough to run many programs..."