Now Linux Can Get Viruses, Via Wine

fsufitch writes "Wine has advanced enough to make Linux not immune to Windows viruses. However, just like many Wine applications, it takes a bit of effort to get the program off the ground. Also, just like some Windows programs running via Wine, not all features may work — in this case, the crippling of the system, immunity to the task manager, identity theft, etc."

It's like a what?

[cjfs]

A virus run in Wine is akin to taking a ferocious tiger out of the jungle, paralyzing it, then hooking up all of its nerve endings to virtual jungle simulator. It's not a perfect simulation, though, so the jungle maybe doesn't look right, and plus there's an omnipotent power that can change anything that goes on in the simulation, or even destroy it and the tiger's consciousness with a few twitches of his fingers. Now that's power.

Power that's generated by feeding the dead tigers back to other tigers so we can use their body heat to generate MORE POWER!

On second thought, lets stick to car analogies.

Linux?

[niko9]

Preface: I'm Debian GNU/Linux user of 10 years, but not a professional computer geek. I use GNU/Linux to get work done.

I thought Linux was just a kernel? Should not the headline read "A Linux distribution that has Wine installed *might* be vulnerable to Windows viruses?"

Look to Apple users using VM

[Ilgaz]

If you look deeper to Apple users virtual machines (Sun Virtual Box etc.) , lots of them doesn't bother to install some free AV, a basic one saying "it is virtual anyway". When you talk about how evil things can be done while their virtual machine up and what kind of trouble they may get into if they have bad luck, they install a free AV to Windows.

If you have trouble convincing such people, just use plain logic: It can even run some games let alone a worm/trojan/virus.

It is not in the culture you know...

Re:marketshare

[Anonymous Coward]

But for that matter, Linux doesn't have malware only because it's desktop share is next to nothing

Then why do linux server not have viruses? Windows servers do, and Linux has a much bigger market share.

Re:Linux's distribution model helps though

[Anonymous Coward]

certified quite literally the repositories for most distros use package signing of some sort, so even mirrors of them are guaranteed to be unaltered.

Mac Office was a bigger headache for me

[Savior_on_a_Stick]

Users with Office installed seem to end up documents infected with a macro virus.

While the Macs are themselves unaffected, they pass along the infection to windows boxes.

That's usually the point where they are found and removed, but the general lack of av for Mac (few choices and most lack functionality/accuracy) along with the perception of macs as immune means that av is rarely installed on macs.

When it is, AV_App_X doesn't detect the malware, whereas AV_App_Y detects, but can't clean, and AV_App_Z has no realtime scanning.

not just marketshare

[RiotingPacifist]

Ubuntu 9.10 will start sandboxing desktop programs (starts with xpdf i think), other distros do already/will follow. I think that sandboxing can (and if required will) criple malwares abilities (e.g can't listen on network ports, can't insert itself to bootsequence, can't touch chrome tabs that are connected to https sites) leaving them unable to do most malwarey things without permission and can work like an AV that is designed right (e.g warn users that they are about to do something very stupid, only when they are not everytime they run a 3rd party app/widget, without having to scan binaries)

Re:marketshare

[cenc]

I have been running linux machines for going on 10 years now, including my home, all the computers in my office, dozens of servers with every imaginable piece of software and configuration possible (some secure some insecure) in that time, I as yet to ever find one virus, malware, or evidence that a serious attempt was ever made any progress.

The market share argument just does not cut it. You would think there would be at least one well know case in the wild by now of a linux virus spreading to other linux machines in a sustained and ongoing manner.

The best we have are 'just so' cases. The software, permissions, user, network, and so on had to be just so in order for virus or malware to work. But a general widespread linux virus? Where are they?

Re:marketshare

[dontmakemethink]

Think of it from a the perspective of the imps making the viruses (and no, it's not 'virii'). Pretend you're a spineless asshole that wants to cause as much damage as possible. Do you use widespread tools to make a Windows virus with relative ease and hit the biggest user base, or do you spend much more time finding vulerabilities in better OS's and hit a much smaller user base?

99 times out of 100 it's the former scenario that plays out. Doesn't mean you needn't run anti-virus software on OS X, for example, but you can have much more confidence that nothing will get past it. Running XP doesn't scare me, it's the number of viruses that Avast catches that scares me.

Re:marketshare

[zigmeister]

I mostly agree. However Linux (and Mac) are much more immune to what are strictly viruses. What they are not much more immune to are trojans*, which I think constitute ~80-90% of infected Windows desktops. Here's my theory to dispel the myth of how robust Linux is(when in the hands of a typical user): Write a malware program that is a variant on the dancing bunnies. Put it up for download. User must have dancing bunnies or else. User clicks to download, then selects Open with Package Manager. User enters root password to install then since security signature is missing must enter it again. Malware program now installed.

*I'm aware of least privilege. However with more and more of the total desktop market being in the home, most users will have their root passwords (i.e. not in a corporate environment) and see no difference between entering that and clicking continue on a bunch of UAC prompts. To make matters worse they will be conditioned to "Force install" since a decent amount of apps that are safe that they want don't provide security signatures either. E.G.: World of Goo, Hulu Desktop Client, commercial games if they ever come etc.

Re:marketshare

[Stupendoussteve]

OS X Snow Leopard notices the two trojans which are in the wild.

They didn't do anything extreme, and they were installed by stupid users pirating software, but they do exist.

Re:Experiments

[Kenz0r]

I'm a linux noob, but wouldn't using SELinux eliminate the entire problem?
Only give the files and folders you want Wine to access the corresponding SELinux context and nothing Wine does can hurt the rest of the system.

Re:marketshare

[MichaelSmith]

My wife runs ubuntu on her laptop. He is away in Malaysia at the moment taking care of family business and she needed to get online. So she goes to this internet cafe and they give her a CAT5 cable which she plugs in. I have set her up with a VPN so comms are secure. She thinks something is wrong so she asks for help. The internet cafe people start stuffing around with network interfaces and she types her password in for them. So now all I know is that she gave these people root access when she had no idea what was going on.

She is a non-technical person and she will do the stupidest things, regardless of the OS she runs.

Somewhat

[HomelessInLaJolla]

There are multiplatform viruses but not in the way that is immediately obvious. Any particular virus would be much too large if it included all of the code necessary to first determine which set of appropriate function calls are available, where they are located, and then behave accordingly.

So fork it.

The conceptual function of a virus has expanded. The same dirty webmaster who is using IE exploits to turn visitors into part-time as needed distributed computing zombies is also using firefox/iceweasel/moz exploits, and opera exploits, and maybe even lynx/links and whatever other exploits. It is much easier for that sort of determination and selection to be made from the server side than in the actual viral packet itself.

The same dirty webmaster who is infecting visitors to become part-time as needed distributed computing zombies is sharing his database with his associate webmasters. Those webmasters likely have associates who work in ISPs with varying levels of access to information. Just imagine the database of online browsing habits linked with personal information that a group of webmasters... say Slashdot, Gmail, SF.net, and MSN... could compile, completely legally within EULA terms.

Identity theft isn't just for the CIA and some maladjusted kid living in mom's basement. It's part of the corporate profit margin.

So yes. The overall function of the system of computer exploitation has long been free of platform dependency. Now add in java.

Re:not just marketshare

[RiotingPacifist]

To an extent yes, (seriously mods, moding funny because you disagree?), however AFAIK IEs implementation is in IE not at system level, so it cannot be applied to anything but IE & plugins. OFC this isn't to say that it can't rigorous sandboxing can't be implemented in windows, just that the tech is already in Linux, it just needs the configuration and UI to move it to the dekstop, IMO this would come if there was demand.

Re:not just marketshare

[coryking]

however AFAIK IEs implementation is in IE not at system level

You would be incorrect [microsoft.com]. IE uses an OS level service known as Windows Integrity Mechanism [microsoft.com]. Same mechanism used by UAC or Silverlight.

Re:marketshare

[fluffy99]

Just having SELinux install and enforcing is useless, unless someone has gone through and written proper policies that define the mandatory-access-control limitations. Policies have been written for many service such as Apache, but there is still a dearth of appropriate policies for user apps.

Re:Linux's distribution model helps though

[the_womble]

A hijacker would also have to forge signatures.

The other is a problem, but:

1) It tends to be obscure stuff than only slightly geeky users want (i..e. the sort of people who know how to check things)
2) It often comes with some way of checking (e.g. checksums) that you get the real download.
3) A user who has downloaded one app from an untrusted site is much less likely to have downloaded malware than someone who has downloaded fifty.

Re:Experiments

[TheRaven64]

Assuming that the user has access t this, yes. If you call open(), then the WINE loader will fix up the address so that you are calling the WINE open() function, rather than the libc one. On Linux, however, open() is a wrapper around system call 5. If you put 5 in eax, a pointer to the filename in ebx, and the correct flags in ecx and edx, then issue interrupt 80h, then you will open the file. WINE doesn't run with any more privileges than the user (unless you've done something stupid, like set the setuid flag on the root-owned wine binary), so it can't access any files that the user can't access, but it can do anything that the user can. If you write a little assembly function that does this (or just copy it from glibc) and then link it into your Windows binary, then you can call it and get back the file descriptor. You'll also need to copy, at a minimum, wrappers around the read and write system calls.

Note that this kind of sandboxing would be much easier on a microkernel. With something like HURD, open() is serviced by a userspace program that the program communicates with via a Mach port. WINE could trivially run a daemon on such systems and have the loader replace the port reference to the system server with one to this daemon, which could validate things like this to ensure that they remained in the sandbox. Unfortunately, WINE can't use chroot, because it needs to be able to map several different drives. In theory, it could if you only wanted a single C: drive in ~/.wine/drive_c and no other drives (e.g. DVD/network). It might be nice for someone security conscious to create a distribution of WINE that was configured like this for running not-so-trusted Windows programs.