Old 05-24-2009, 06:27 PM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,576

Rep: Reputation: 111
Can Wine emulate Windows Malware?


Sort of an off the wall question but...

I saw a Usenet item on newzbin which had comments to the effect that the rar file had a trojan which infects the browser. Which got me thinking (generally a dangerous thing :-)

If I was to download the file with GrabIt (running under Wine) which will also extract the rar file to create the underlying binary and if I had Internet Explorer installed under Wine - would it be possible to infect the Internet Explorer install?

In general, can one Windows program running under Wine infect another program running under Wine or even the Wine environment itself?

TIA,

Ken
 
Old 05-24-2009, 06:34 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 356
WINE has its own "system32" directory where all of the various Windows files live, so if one program were to infect one of those files it would carry over to any others (this is assuming you don't give each application its own system32 under WINE, that is).

That said, WINE does not replicate every single file and function of Windows, so it is possible (and very likely, I would think), that whatever arcane triggers and exploits a piece of Windows malware targets would either not be present, or at least not function as closely to the original to still get infected.

But again, to answer the core question, yes; one program under WINE could taint the environment enough to affect another.

Last edited by MS3FGX; 05-24-2009 at 06:35 PM.
 
Old 05-24-2009, 06:44 PM   #3
jamescondron
Member
 
Registered: Jul 2007
Location: Scunthorpe, UK
Distribution: Ubuntu 8.10; Gentoo; Debian Lenny
Posts: 961

Rep: Reputation: 69
Try it, see what happens. If it does infect anything, it's not going to affect your box and you can replace the windows stuff.
 
Old 05-24-2009, 07:36 PM   #4
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 83
Umm, I'd take this advice:
Quote:
Try it, see what happens. If it does infect anything, it's not going to affect your box and you can replace the windows stuff.
with a pinch of salt. I wouldn't recommend it! If you wanna see what a virus does, create an Ubuntu/Wine installation on a virtual machine, and infect the virtual machine! At least it's completely sandboxed.
 
Old 05-24-2009, 07:44 PM   #5
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,362

Rep: Reputation: 172
As long as you are not running wine as root, the most damage that the virus could do would be to the part of the system that the user (whoever ran wine) has write privileges to (usually just /home/user). Effectively the virus would be sandboxed to /home/user.
 
Old 05-24-2009, 07:55 PM   #6
DragonSlayer48DX
Registered User
 
Registered: Dec 2006
Posts: 1,454
Blog Entries: 1

Rep: Reputation: 74
Personally, I'm not so sure. Considering that certain Windows programs only work with certain versions of Wine, and some only with a lot of tweaking in the Wine config file, and yet further, some not at all, malware trashing your Wine/Windows directory would have a very low probability, IMHO.

But I wouldn't recommend intentionally installing Windows malware just to find out, especially if you have important software/data on 'that side'. You never know when it just might work.

Last edited by DragonSlayer48DX; 05-24-2009 at 08:01 PM.
 
Old 05-24-2009, 08:13 PM   #7
archShade
Member
 
Registered: Mar 2006
Location: Delft NL
Distribution: Debian; Slackware; windows 7
Posts: 218

Rep: Reputation: 53
I don't know about you, but I keep a lot of stuff I'd really not like destroyed in my home directory (personal config files, uni work, music, films and lots of other stuff); in fact it's the only thing I back up without specific call to. I can rebuild my OS in about 30 mins and install all additional software in another 30.

Obviously a trojan getting access to root is worse than home but not a whole lot.

I would avoid installing viruses onto wine knowingly as they could still theoretically do damage. If you are gonna do this a VM would seem sensible.

Having said that, I heard about someone who did this once about the time of the wine 1.0 release and they couldn't get a single piece of malware to run under wine. (I think this was brought up on Slashdot but I'm too lazy to look for the link.)

Anyway, since I mentioned Slashdot, obligatory XKCD link [XKCD]

edit:
OK found the link or at least one on the same subject http://www.linux.com/archive/feature/42031

Last edited by archShade; 05-24-2009 at 09:12 PM. Reason: found link
 
Old 05-24-2009, 08:56 PM   #8
DragonSlayer48DX
Registered User
 
Registered: Dec 2006
Posts: 1,454
Blog Entries: 1

Rep: Reputation: 74
Quote:
Originally Posted by archShade
I don't know about you but I keep a lot of stuff I'd really not like destroyed in my home directory (Personal config files, uni work, music, films and lots of other stuff).
If you follow SANS Internet Storm Center closely, you'll find on many occasions where they intentionally install Windows malware on a Linux box so they can reverse-engineer the code and determine the author's intentions. Your 'Linux side' is basically bullet-proof from Windows malware. Different OS, different code, different security strategies, etc, etc, etc. Otherwise, we would all need Symantec just like Windows users.

The original question is the only real issue- Windows malware on Wine.

While that can't harm your Linux system, it's still a valid question concerning the Wine installation and pseudo-Windows directory.

Last edited by DragonSlayer48DX; 05-24-2009 at 09:00 PM.
 
Old 05-24-2009, 09:06 PM   #9
archShade
Member
 
Registered: Mar 2006
Location: Delft NL
Distribution: Debian; Slackware; windows 7
Posts: 218

Rep: Reputation: 53
I was replying to lazlow's point that if you run wine as a user you are effectively sandboxing it to home/user/. I'm just saying that I don't like the idea of purposefully running a virus on the same computer as my important files, and was supporting irishbitte's point that running in a VM seemed a safer way to do this.

After all I can edit all the files I have in my home directory from inside a program run under wine.

I suppose you could have a special user for doing this as well.

Last edited by archShade; 05-24-2009 at 09:09 PM.
 
Old 05-24-2009, 09:49 PM   #10
DragonSlayer48DX
Registered User
 
Registered: Dec 2006
Posts: 1,454
Blog Entries: 1

Rep: Reputation: 74
Quote:
Originally Posted by archShade
I was replying to lazlow's point that if you run wine as a user you are effectively sandboxing it to home/user/. I'm just saying that I don't like the idea of purposefully running a virus on the same computer as my important files, and was supporting irishbitte's point that running in a VM seemed a safer way to do this.
Very true. The VM would provide yet another hurdle for the malware.

FWIW- I only quoted a portion of your post to introduce my , not to say I disagree with you. Personally, I wouldn't recommend intentionally installing malware on any machine under any circumstances, unless you are a security analyst, of course.

Cheers
 
Old 05-25-2009, 05:48 AM   #11
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1287
Quote:
Originally Posted by lazlow
As long as you are not running wine as root, the most damage that the virus could do would be to the part of the system that the user (whoever ran wine) has write privileges to (usually just /home/user). Effectively the virus would be sandboxed to /home/user.
I agree, even if the virus could run, which it usually can't, it can't really hurt you unless you're running wine as root, which is a very bad idea either way.
 
Old 05-25-2009, 06:03 PM   #12
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 83
I still say I would not do this, I think it's a bad idea. But if you're crazy enough to purposely introduce malware no matter what the flavour, you have been warned. Linux is not invincible, more it has, to quote dragonslayer:
Quote:
Your 'Linux side' is basically bullet-proof from Windows malware. Different OS, different code, different security strategies, etc, etc, etc. Otherwise, we would all need Symantec just like Windows users.
different strategies for dealing with such things. If you are silly enough to have compromised your system, don't say you have not been warned.
 
Old 05-25-2009, 08:40 PM   #13
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,072

Rep: Reputation: 384
Quote:
Originally Posted by H_TeXMeX_H
I agree, even if the virus could run, which it usually can't, it can't really hurt you unless you're running wine as root, which is a very bad idea either way.
Wine (and anything that runs inside wine) can hurt all the files that your user is able to write. To sum up: all your data. If that's not to hurt, then I don't know what is.

The system can be reinstalled, the data can't (however, we all do backups, don't we).

That's one of the reasons why it's a good thing to run wine on a separate user account.

I wouldn't be relying on the simple fact that "bah! it won't work". Even if that's true today, you might find *tomorrow* that some stupid program with a trojan inside has massacred all your data after updating wine to a newer and better version which implemented a new obscure part of the Windows API.
 
Old 05-26-2009, 04:29 AM   #14
rogerkk
LQ Newbie
 
Registered: May 2009
Posts: 4

Rep: Reputation: 0
OK... anything happened?

I see many replies here based on the assumption or some reading from some page; actually what happened, has anyone tried this before?
 
Old 05-26-2009, 05:38 AM   #15
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,072

Rep: Reputation: 384
Quote:
Originally Posted by rogerkk
I see many replies here based on the assumption or some reading from some page; actually what happened, has anyone tried this before?
I don't know what page you are talking about, but the question was:

Quote:
would it be possible to infect the Internet Explorer install?
And I answered that. The question wasn't whether we have tried it, nor whether we have succeeded in being infected. It's about the possibility, and yes, it's possible. A trojan is not a lich, it's not magic or divine, it's just a program, and that's what wine does: it runs Windows programs. The IE install is in your home dir, so it's writable, unlike system files under /usr (to give a random example).

Whether a concrete program (a trojan or whatever in this case) will work or not will only depend on how it's designed and the concrete subset of the Windows API that it uses. But it's perfectly possible that it works, just like any other program. And it's also possible that if it doesn't work today, it will work tomorrow when you update wine to the next version.

Last edited by i92guboj; 05-26-2009 at 05:40 AM.
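
The point made several times in the thread, that a program under Wine can write wherever the invoking user can, can be checked for a given prefix. The script below is an added example, not something posted in the thread: it assumes the usual prefix layout in which drive letters are symlinks under `dosdevices/` (with `z:` commonly pointing at `/`), and the function name `audit_wine_prefix` and its verdict labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit which host directories a Wine prefix exposes as drives.
# Assumes the prefix layout $WINEPREFIX/dosdevices/<letter>: -> symlink target.

# audit_wine_prefix PREFIX [HOME_DIR]
# Prints "<drive> <resolved target> <verdict>" for every mapped drive letter.
audit_wine_prefix() {
    prefix=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such prefix: $1" >&2; return 2; }
    home=$(cd "${2:-$HOME}" 2>/dev/null && pwd -P) || { echo "no home dir" >&2; return 2; }
    for link in "$prefix"/dosdevices/?:; do
        [ -L "$link" ] || continue            # also skips an unmatched glob
        drive=${link##*/}
        target=$(cd "$link" 2>/dev/null && pwd -P) || { echo "$drive - dangling"; continue; }
        t=${target%/}                         # "/" becomes "" so the patterns below work
        case "$t/" in
            "$prefix"/*) verdict=inside-prefix ;;
            "$home"/*)   verdict=reaches-home ;;    # target lies inside the home dir
            *) case "$home/" in
                   "$t"/*) verdict=reaches-home ;;  # target is a parent of home (z: -> /)
                   *)      verdict=outside-home ;;
               esac ;;
        esac
        echo "$drive $target $verdict"
    done
}

# Run against the default prefix when one exists on this machine.
default_prefix=${WINEPREFIX:-$HOME/.wine}
if [ -d "$default_prefix" ]; then audit_wine_prefix "$default_prefix"; fi
```

Any drive reported as `reaches-home` is a path through which a Windows program in that prefix can touch the user's own files; running Wine under a separate account, as suggested above, changes whose home directory that is.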
 
  

