Slashdot Mirror
WINE: A New Place for KLEZ to Play?
An anonymous submitter sends in this cautionary tale about Wine being maybe a little too good at emulating Windows. Update: 10/23 21:05 GMT by M : Better links: mirror 1, mirror 2.
← Back to Stories (view on slashdot.org)
If you go to webster
you'll easily find that plural from virus is viruses...
McAfee has a windows virus checker that works in linux. Genius idea. So you can run linux, protect Mickeysoft asshats from stupid virii, and even run their programs...and shut it off and scan for viruii when needed.
JoeLinux
the obvious solution would be not to run WINE as root. The filesystem permissions should prevent excessive damage.
On the footer of *every single page* at linuxguru.net, we specifically request that slashdot not link our stories because we can't handle the load.
I now have two dead machines because they linked us anyways.
-James Blackwell
Well, this article that I found here that discusses the limitations of Klez on WINE and how Sircam was able to run on WINE. All in all, it appears to be a limited threat.
Its not just "windows" that is susceptible to viruses. It is the API that is too trusting, and the file permissions. When you run wine, you generally own all of the files (default is ~/.wine/fake_windows). So you're going to be able to do anything you could on a windows box.
Its not all that surprising that a virus would run without problems. Many of them do exploit actual bugs in the Windows code, but most of them just make regular old crappy Win32 API calls.
SpamapS -- Undernet #Linuxhelp
ok, so i haven't seen the article. but this just goes to show that although running windows apps under linux using wine may be useful, what we are really wanting to do here is stop using that stuff anyway, by writing apps to replace them. isn't that why most of us run linux anyway, because we can't stand the alternative?
chris
CodeWeavers Wine and WineHQ CVS setup their initial configuration differently I think. You can alter what drives are mapped to what easily enough in the config file, or using the configuration GUI.
Whoa there cowboy! Wine is not an emulator (hence the name.) This is from their FAQ:
Is Wine an emulator?
Unfortunately, no. Wine provides low-level binary compatibility, but currently only for OSes running on Intel-compatible chips.
The WINE project is becoming increasingly popular and useful to those who would continue to use proprietary, free, and unported opensource software available only for Microsoft Windows. I've tested it with a few games I had purchased while I still used Windows, and it surprised me. The WINE project, and the two popular forks in the project, WineX, and Codeweavers WINE, have come along quite nicely, albeit it slowly, over the last few years. I give a lot of credit to the many developers that have poured a lot of their time into the project, but, with the good, the bad must be accepted.
Recently a friend of mine, proficient in Linux, and not what you would call a 'newbie' to computing, received an email from a customer. The email was vague and included an attachment. In KMail, he decided to view the attachment, thinking it was simply an image. He clicks it, nothing happens, no viewer, no error, nothing but a few seconds of milling around, and then more nothing. Then, the wine notification pops up. By this time he had realized the file was a Windows executable, and that he'd just executed it with wine because of the MIME typing capabilities of KDE, and WINE's integration with the desktop.
If he were running windows, I would've slapped him upside the head, everyone with any sense at all would've expected an odd email with an attachment to be a ready and willing virus or worm. Of course, this was no different, this attachment contained the worm known as WORM_KLEZ.H. However, because of the sense of security from worms of this nature bestowed to Linux users, by the same type of ignorance in assumption that spreads them amongst Windows users, he never expected the attachment to be a virus or worm that would infect and operate as it normally does. Unfortunately, this is exactly what happened... click, boom, Klez goes nuts, etc., etc., etc.
The virus itself is simply a worm, it's what you'd call a 'dumb virus', in the sense that it isn't extremely complex, doesn't change itself around much, and basically works as fast as it can before it is easily obliterated by common virus scanning software. The basic idea is that it infects you, spreads itself by emailing from your computer to as many contacts as possible, then does its damage, if you want more detailed information, Trend Micro has plentiful information about Klez and other viruses and worms available on http://www.antivirus.com/.
Now, you may be wondering how it infected and actually 'worked', I know I certainly was. In this particular case, our cool customer known from here on out as 'John' for 'John Doe', had wine installed, and you see, the default configuration for most wine installs, shares your root linux directory as a drive visible to the applications running inside of it. If you know anything about the Klez worm, you'll remember that not only does it search for address books, etc, it will search for many other common file formats on the entire system, searching for email addresses, dropping PE_ELKERN.D, and various other silly virus/worm/intrusive type things.
So far we have the first two parts of the Klez's basic operation, infection, and email address reaping. What is next? Let's say it together kids "PROP A GA TION" yay!!! Now, this is probably one of the most important parts of a worm's life cycle. If it doesn't propagate, it isn't really a worm or a virus. It's just a pointless, irritating program.
Propagation in wine, this was the part in this particular case that I found so amusing. The computer was running a secure MTA (Mail Transport Agent) and the fake Windows registry for WINE was configured to use the localhost as the SMTP server for internet applications. Otherwise, the Klez would not have known how to send itself. It is possible, that, the Klez worm defaults to 'localhost' for the SMTP server if it cannot find one in the registry, this I don't know and it doesn't seem to be covered in Trend Micro's technical description. Anyway, because of the MTA being localhost, the worm was able to queue all of its outgoing email quite quickly. I actually had the opportunity to remotely shell in as root and view `ps aux` output, showing the various smtpd instances sending this email, while I tried to help John find the spooled emails and remove them.
Now, a few things must be noted about this particular situation. KLEZ is not a high risk worm, so by no means was this a massive problem for this person. Also, the infection did not include files that were not Windows exectuables, so the native filesystem was left unharmed. The spooled emails were taken care of and the effects overall were minimal, if not simply classified as an 'annoyance.'
The reason this is such an important subject to cover, isn't this instance of infection, but, the possible vulnerability that using WINE in such an insecure (and default) way can provide. For example, a knowledgeable virus programmer could use this situation to make multi-platform viruses, that could detect files by their 'magic file type' similar to the way the tool 'file' does, and infect them through wine. I understand, that this is highly unlikely to occur any time soon, but, I think you can probably imagine many other ways that this opens doors for virus problems to the relatively virus-clean environment of Linux.
The main points I'd like to make are: WINE is obviously mature enough to handle the more advanced code that a virus usually contains. Even if only KLEZ for now, others will in the future, be compatible. The other is: I am willing to bet that 90% of you WINE users out there, can view drive Z, or something similar and get your root file system tree, and something like drive Y provides your home directory READ-WRITE. Please, don't do this, unless it is absolutely necessary, minimize the interaction between your WINE environment, and the real linux environment, specify a directory for wine shared files and keep them separate from your linux home files, etc. This will help to minimize the post-infection damage a virus can accomplish.
Finally, the most important 'bug' most distributions have, is allowing a Windows executable to be run with wine without an obvious chance for interception, by default. Sure, it comes up with a window, telling you that wine is running, and allowing you to disable the notice, however, it does NOT warn you about the application being executed in such a way that you could stop it before it was started. Even Java does this with code that is signed for permissions; it still asks you if you are sure you want to give it permissions.
As it goes, I was unable to easily obtain any previously written information on securing WINE properly, and I am no security expert. Some basic tips would include, configuring the program, read all of the options, don't let it set itself up completely for you.If anyone has any tips they would like to share, please do.
It worked just because of the way it would run a jpeg viewer. The MIME type instructs kmail that windows executables are supposed to be executed using the "wine" executable (e.g. wine sol.exe). So KMail isn't executing the program, it's executing a "viewer" that "views" (runs) Windows executables. The fact that this opens up a huge security hole just shows how careful you have to be.
The antivirus industry will love this. Who knows, they may even contribute to WINE. You see, so many Linux users have this false sense of security, assuming that since Linux hasn't been significantly targeted by virus writers that, Linux is virus proof. Big mistake, as demonstrated by this story.
;)
Now, Linux users will catch and spread a long list of old Windows favorites making the demand for commercial antivirus software go up again. This John Doe caught Klez a rather non descript worm. Imaging Anna Korunikova in the inboxes of most Linux geeks.
Better see about Norton Command Line Scanner or perhaps...
rpm -e wine-*
wine doesnt start the routine windows boot files, win.ini etc... so once offed the virus wont return unless the user starts it again.
Not to burst any bubbles, but Outlook is quite safe once you've got the security update, which has been out for some time now. Of course this does nothing for the installed base that have never been updated, but I suppose that's why MS is trying to buildup the autoupdate features more. (Moreso for the OS than Office, but still...)
No it isn't. While a reasonably intelligent person with some experience with windows should easily be able to keep his windows box free of viruses, most users are not.
If you've ever been administering windows boxes for others, NAV corporate edition, or some other corporate antivirus software is really a life-saver.
There are no more viruses on Windows than there are on Linux. What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook.
Last time I checked, there was about 3 viruses for Linux. I have heard some stories about new ones, so now there might be 10-15. The number of viruses on Windows increases with over 50 per month. As for the frequencies of those viruses: I've yet to actually discover a virus for linux (other than reading about it). On the other hand, with my windows box, I actually have to be careful.
What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook. Run Outlook under wine, and you will get the same worms. It's not a fault of the OS, be it Linux+Wine or Windows, but a problem of the Outlook application.
Or outlook express, which is distributed as a part of the Windows OS. There are also problems with permissions (most linux distributions have somewhat sane permissions, most Windows installations have not (because after installing it, they are anything but sane).
And while there are few reasons to run anything as root under linux (except for the occasional sudo), the only practical way to use Windows is to be logged in with administrator rights (e.g. autocad requires this).
On the other hand, it is true that linux is susceptible to viruses just like Windows. The main thing going against that now is lack of popularity, and an educated user-base. But there are also lots of good technical reasons why it would be harder on linux. And the lack of outlook, default shares, IIS, and over-user-friendlyness certainly also help :-)
Remember that Linux doesn't see .exe as an executable, it sees it as just another data type. How can KMail tell the difference between opening a JPEG with GIMP and opening an EXE with WINE?
It's hard to be religious when certain people are never incinerated by bolts of lightning.
to
...
Of course it could still mess up some of your Windows-/Wine-related stuff. But I don't see how it could obtain addresses to spread itself to, unless of course you have Windows Address Book, Outlook, or something installed with Wine.
One mitigating factor: codeweavers do built in a protection against executable attachments in their winex product.