Now Linux Can Get Viruses, Via Wine

fsufitch writes "Wine has advanced enough to make Linux not immune to Windows viruses. However, just like many Wine applications, it takes a bit of effort to get the program off the ground. Also, just like some Windows programs running via Wine, not all features may work — in this case, the crippling of the system, immunity to the task manager, identity theft, etc."

Experiments

[Aquaseafoam]

I work as a sysadmin at a company making a slow switchover to Linux, and I've experimented with this a bit. You can greatly, greatly limit the damage any virus can cause through wine by unmapping it's Z drive from the wine configuration menu. By default, wine maps / to Z. I can see why they did this, (wine can only run applications within a mapped drive) but it likely needs to be undone across the board. The best alternative would be to create a unhidden wine folder in the user's home directory and map that in wine. If Z is left mapped to /, then a windows virus can run rampant all throughout your system.

Re:marketshare

[lukas84]

Infected copies of Apple's iWork are already floating around.

http://gizmodo.com/5139116/os-x-iwork-trojan-revamped-repackaged-rereleased-in-photoshop [gizmodo.com]

Re:marketshare

[cheftw]

That looks like Malware. Stuff that people install voluntarily because of social engineering.

I could put:
-
#!/bin/bash
sudo rm -rf /
-

I remember reading that it's better practice to write that

sudo rm / -rf

since putting your switches at the end (especially on rm) makes it easier to catch stupid mistakes (like hitting return early).

Not that in your case it's a huge deal.

Re:Parallels Virtual Machine

[cheftw]

You presume that it is impossible to break out of a virtualised environment.

A quick google will turn up papers which may diminish your naivety.

Also IMHO the way to go is VirtualBox (FOSS and made by Soracle).

Re:marketshare

[TheRaven64]

Except on BSD systems, which only accept arguments before other arguments. This prevents someone from putting a file called -rf in a directory, so when you run rm * the -rf won't be expanded and treated as an argument. If your system doesn't do this, then you should get into the habit of putting -- after the arguments and before the options.

Re:Experiments

[TheRaven64]

A virus that is Linux-aware can escape from a WINE sandbox like this very easily. WINE handles Windows library calls, but it can not intercept system calls. If you put a Linux system call number into eax and issue interrupt 80h then you get a Linux system call, irrespective of whether it's a programme running with WINE or a native Linux program. Remember, WINE is not an emulator, it is just a loader and a set of libraries. It doesn't provide any sandboxing. WINE even provides a mechanism for allowing programs to detect if they are running under WINE, so if you can persuade a Linux user to run a program under WINE (or infect another program running under WINE) then you can do anything that the user can do. Unless, of course, you combine WINE with SELinux or some other real sandboxing mechanism.

Re:marketshare

[Bert64]

The idea of multiuser is to protect one user from another... You wouldn't be able to keylog other users at least, and sending spam is something that identd on unix was supposed to deal with, tho the prevalence of single user systems has rendered ident pretty much totally worthless.

Also, nonroot malware is much easier to remove, especially on unix, because there are only a very limited number of places it can hide on the filesystem, it can't do neat tricks like mark areas of the disk corrupt and hide there, it can't hide in system directories amongst the thousands of other files already there, it cant modify the kernel to hide itself... It will show up in the process list when running, whereas with admin privileges it can easily hide itself to the point that you need to boot from clean media.

Re:Windows virus needs help to limp onto WINE

[Korin43]

His command is actually even more complicated than it needs to be (deleting wine and reinstalling it). rm -rf ~/.wine && wine will delete the wine folder and rebuild it without the added pointlessness of reinstalling the binaries.

Re:marketshare

[Anonymous Coward]

There are no know viruses currently available for Linux in the wild.
The last one was in 1989.
When people say that viruses exist for Linux, they are correct.
Those viruses are create in "labs" and were not released to public.
Main reason is because of root privledges, the viruses can not spread easily.

I've been running linux for 5 years with no anti-virus and still havne't gotten a virus yet!!!

Re:marketshare

[RocketRabbit]

You ought to read up on cloaked rootkits.

Interesting stuff there.

Re:Linux's distribution model helps though

[BikeHelmet]

The idea that a Linux user would download random stuff from a torrent or website is a pretty foreign concept. For me, and moth others, if it isn't in the repository, I don't bother - because there is probably something in the repository that suits my needs just as well or better anyway.

Correct - as an educated computer user.

Although there are two scenarios you're forgetting. One is repository/domain hijacking, and the other is something not being available except from an unknown website.

Ex 1: PlayOnLinux (simplifies working with Wine and installing some software - not in the repositories)
Ex 2: BackInTime (Gnome) - website disappeared a few weeks back. Domain name available for purchase.

Anyway, as an educated Windows user, I would check review sites like cnet or betanews(or a download site like filehippo) to see if software is legit or if it's going to pwn me. Then I'd download it - possibly from those central not-really-a-repository locations.

I hope I've drawn the parallel that user education matters a bit more than the specific type of central download location. ;)

Re:Linux's distribution model helps though

[reub2000]

su when invoked by an admin doesn't need the users password. And sudo can be used to run su without ever getting the root password, so he's basically gotten a root shell only using the password associated with his own loggin. Of course, 'sudo -s' is a much simpler way to get a root shell.

Re:marketshare

[Valdrax]

Did you actually read the links you provided?

The plural of virus is viruses. In reference to a computer virus, the plural is often believed to be virii or, less commonly, viri, but both forms are neologistic folk etymology and no major dictionary recognizes them as alternative forms.

(emphasis added)

The article then goes on to mention that virus was a mass noun that *had* no plural in Latin and then goes through every single way to pluralize a Latin word ending in -us, showing that -ii is never an appropriate way, and it mentions that as an English adopted word, there would be no obligation to use a Latin conjugation instead of adding -es for an English word.

In other words, "viruses" is the only valid pluralization because it's the only conjugation is can have in the absence of proper Latin pluralization.