Slashdot Mirror


WINE: A New Place for KLEZ to Play?

An anonymous submitter sends in this cautionary tale about Wine being maybe a little too good at emulating Windows. Update: 10/23 21:05 GMT by M : Better links: mirror 1, mirror 2.


  1. Wine and / mounted as Z: ? by Havokmon · · Score: 5, Interesting
    I swear when I read the article earlier today (it was posted on DesktopLinux and NewsForge already), that the guy said that by default, "/" was mounted as Z:.

    I've just recently done a wineinstall to clean out my wine settings, and I don't have a Z:. Does that happen if you're running as root?

    The only potential issue I can see is that your whole home directory is 'shared' between Linux and Wine by default.

    Maybe I just read ~/ as /

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  2. Old Story, Kinda by GigsVT · · Score: 5, Interesting

    There was a story a year ago about sircam running on Wine.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  3. The good comes with the bad by sjbe · · Score: 5, Interesting

    Kinda obvious but easily forgotten. Being able to run Windows apps is a two-edged sword in many different respects. Access to good applications versus potentially reduced interest in Linux development. Ability to run applications not built for Linux versus inconsistent ability to run some of those same apps. And now of course, access to Windows apps versus the viruses that often go with them. The good comes along with the bad and there are plenty of unintended consequences to go around. Any engineer will tell you that there are tradeoffs for any design decision. WINE is no exception. Caveat emptor...

  4. Re:Too good at emulating? by L33t-Geek · · Score: 1, Interesting

    Yes, this is the ultimate compliment for a developer of Wine. When something as complex as Klez (find out how it works at http:\\www.sarc.com) can run, that's pretty impressive. I wonder what kind of effects it can have? Could this even be a new target audience for the lamerz that write viruses? -Geek

  5. Re:I'll say this only once... by Ed+Avis · · Score: 5, Interesting

    There was recently some discussion on the Wine newsgroup about limiting emulated applications' access to the system. This could be handy for dealing with semi-malware or just programs that don't fully like the emulated environment (and might need to be prevented from doing too many suspicious is-it-really-Windows checks). The reply was that since a Wine emulated program is running as an ordinary executable, it could call Unix system calls anyway, so there would be little point (from a strict security point of view).

    However, something like NetBSD's and OpenBSD's recently added feature to monitor system calls and define policies could potentially be very handy for running binary-only programs you don't fully trust: and of course most such programs are on the Windows platform.

    --
    -- Ed Avis ed@membled.com
  6. Re:I'll say this only once... by alienw · · Score: 3, Interesting

    As much as I hate to shatter your imaginary world, I have to say that NAV is a completely useless program designed to suck money out of your pocket. There are no more viruses on Windows than there are on Linux. What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook. Run Outlook under wine, and you will get the same worms. It's not a fault of the OS, be it Linux+Wine or Windows, but a problem of the Outlook application.

  7. Speaking of Wine... by dcuny · · Score: 2, Interesting
    I was just looking at the latest WINE news and saw an interesting comment regarding Xandros and CodeWeavers that didn't seem to appear in yesterday's discussion of Xandros:
    • There's a little more behind this than meets the eye. Both Xandros and CodeWeavers have a significant share owned by a holding company, Linux Global Partners. Other companies in their portfolio include Ximian, Gobe, Metro Link, and GNU Cash. All of the companies are fully independent, but as Linux Global Partners' web site states,
    • Our operating strategy is to integrate our partner companies into a collaborative network that leverages our collective knowledge and resources. With the goal of holding our partner company interests for the long-term, we use our collective resources to actively develop the business strategies, operations and management teams of our partner companies.

    Maybe I'm being paranoid here, but it looks like Linux Global Partners is buying up lots of Linux technology. And given that Xandros doesn't follow the "free as in beer" model, I've got to wonder how this bodes for the future of Linux. I mean, the projects are still under GPL, but that doesn't mean it will be released for free. Clearly they are in this to turn a profit.

    I guess the free ride has to end at some point.

  8. SAMBA is also vulnerable by Anonymous Coward · · Score: 2, Interesting

    I've said it before, and I'll say it again:

    Klez crawls network shares. So if you saved a few bucks by setting up samba servers, you'd better be running antivirus on them.

    If you've got an ftp site that Windows users are uploading files to, you'd better be running antivirus on them.

    Sure, the virus won't run on Linux, but it'll still spread as soon as someone on a Windows box uses one of these files.

    That is all.

  9. Re:It's not a Wine problem... by kasperd · · Score: 5, Interesting
    • How is KMail supposed to know if it is safe to "run" the attachment?
    • How is KMail supposed to know how to "run" the attachment?
    These are two different questions, but the answer is the same. You give KMail a list of filetypes, and tell it what to do with them. The list could contain a flag specifying dangerous filetypes. If that feature does not exist in KMail, the filetype should be omitted from the list.

    To me this sounds like a bug in the configuration rather than the software. And it does sound like a configuration mistake in the default install of this distribution.
    --
    Do you care about the security of your wireless mouse?
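    The dispatch table kasperd describes, written out as an added example (not code from this thread, from KMail, or from Wine): a mailcap-style list of "type; command; flags" lines is parsed, and an entry carrying a dangerous flag, or a type that is simply absent from the list, is refused instead of being handed to a viewer. The policy lines are constructed for the example and the `x-dangerous` flag is hypothetical, not a real mailcap field.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample policy in a mailcap-like "type; command; flags" layout.
   "x-dangerous" is a hypothetical flag used here to mark types that must
   never be auto-run; it is not a real mailcap field or a KMail setting. */
static const char *POLICY[] = {
    "image/png; display %s",
    "application/pdf; xpdf %s",
    "application/x-msdownload; wine %s; x-dangerous",
    "application/x-msdos-program; wine %s; x-dangerous",
    NULL
};

/* Strip leading/trailing blanks in place and return the start of the field. */
static char *trim(char *s) {
    while (*s == ' ' || *s == '\t')
        s++;
    char *end = s + strlen(s);
    while (end > s && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\n'))
        *--end = '\0';
    return s;
}

/* Copy src into buf, split it on ';' and trim each piece.
   Returns the number of fields stored in fields[] (at most max). */
static int split_fields(const char *src, char *buf, size_t buflen,
                        char **fields, int max) {
    snprintf(buf, buflen, "%s", src);
    int n = 0;
    char *p = buf;
    while (p != NULL && n < max) {
        char *semi = strchr(p, ';');
        if (semi != NULL)
            *semi = '\0';
        fields[n++] = trim(p);
        p = semi ? semi + 1 : NULL;
    }
    return n;
}

/* Decide what a mail client should do with an attachment of the given type.
   Returns  1 and copies the handler command into cmd when the type is listed
   and not flagged; -1 when the type is flagged x-dangerous (cmd untouched);
   0 when the type is not listed at all. Both -1 and 0 mean "do not run". */
int handler_for(const char *mime, char *cmd, size_t cmdlen) {
    for (int i = 0; POLICY[i] != NULL; i++) {
        char line[256];
        char *fields[8];
        int n = split_fields(POLICY[i], line, sizeof line, fields, 8);
        if (n < 2 || strcmp(fields[0], mime) != 0)
            continue;
        for (int k = 2; k < n; k++)
            if (strcmp(fields[k], "x-dangerous") == 0)
                return -1;
        snprintf(cmd, cmdlen, "%s", fields[1]);
        return 1;
    }
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s MIME-TYPE\n", argv[0]);
        return 2;
    }
    char cmd[128];
    int rc = handler_for(argv[1], cmd, sizeof cmd);
    if (rc == 1)
        printf("%s -> run with: %s\n", argv[1], cmd);
    else
        printf("%s -> %s, not auto-running\n", argv[1],
               rc == -1 ? "flagged dangerous" : "not in policy");
    return rc == 1 ? 0 : 1;
}
```

    The point of the three-way result is that an unknown type and a flagged type both fail closed: a mail client using this table never reaches the `wine %s` command for an .exe attachment unless an administrator deliberately removes the flag.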
  10. Re:It's not a Wine problem... by gmarceau · · Score: 4, Interesting

    Why did Wine agree to run a file which didn't have +x permissions? That would be Wine's contribution to Bugtraq.

    --
    This post was compiled with `% gec -O`. email me if you need the sources
  11. WINE FAQ argument backfires by jdkane · · Score: 2, Interesting
    This is an interesting find ... In the following excerpt taken from the WINE FAQs, the author tries to make an argument that diversification is needed in the Windows world (thus WINE) so that Windows viruses can't take out as much of the computer population. Well, looks like that argument for WINE just backfired.

    Excerpt:
    [snip]Code Red did what any "virus" presented with a large homogeneous population would do: it infected more than 359,000 computers in just the first day.[snip]

    It is only a matter of time before a more virulent worm appears. The only way to decrease its impact is to diversify the OS population. Because it is an alternate implementation of the Win32 API and runs on top of a completely different OS, Wine does not have the same flaws and thus can provide this needed diversity.

  12. Re:i would think by Sloppy · · Score: 3, Interesting
    Amusingly, this is sort of a case where the filesystem permissions failed. It sounds like this guy had WINE set up as a "viewer" for .EXE files, so KMail "viewed" the attachment with WINE. If you think about how this was probably implemented (speculating and analogizing is so much more fun than actually looking up the answer ;-), then KMail probably wrote the attachment as a file somewhere under /tmp and without executable permission (both because it wouldn't make sense for KMail to +x it, and also maybe because of how the admin would probably mount /tmp). And then ran WINE with the temp file as argument.

    And WINE executed it anyway. Major blunder.

    Which just sort of goes to show, Unix's executable permission bit is really mostly just "advisory" and not really enforced by the kernel. (How could it?) Filesystem permissions, feh.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
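    The check gmarceau and Sloppy are asking for, as an added example that is not Wine's code: a launcher wrapper that applies the kernel's own +x test (access(2) with X_OK, the same test execve(2) would make) and additionally refuses files on noexec mounts, and only then execs wine. A mail client whose .exe viewer points at this wrapper instead of wine itself cannot run an attachment saved without execute permission. The wrapper is Linux/glibc specific; the file names and the two-byte "MZ" stub written by the test helper are constructed for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

/* 1 if path is a regular file the caller may execute (the same +x check
   the kernel applies in execve()), else 0. */
int has_exec_permission(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return access(path, X_OK) == 0;
}

/* 1 if the filesystem holding path is mounted noexec, else 0.
   ST_NOEXEC is a GNU extension; where it is missing we cannot tell and
   report 0 (the +x check above still applies). */
int on_noexec_mount(const char *path) {
#ifdef ST_NOEXEC
    struct statvfs vfs;
    if (statvfs(path, &vfs) == 0 && (vfs.f_flag & ST_NOEXEC))
        return 1;
#else
    (void)path;
#endif
    return 0;
}

/* The policy the wrapper applies before handing a file to wine. */
int wine_launch_allowed(const char *path) {
    return has_exec_permission(path) && !on_noexec_mount(path);
}

/* Test helper: create a small constructed file (an "MZ" stub, not a real
   PE image) in the current directory, with or without +x. Writes the
   generated name into out and returns 0 on success, -1 on failure. */
int make_sample_file(char *out, size_t outlen, int executable) {
    char tmpl[] = "./wine-check-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    int ok = write(fd, "MZ", 2) == 2;
    close(fd);
    if (!ok || chmod(tmpl, executable ? 0700 : 0600) != 0)
        return -1;
    snprintf(out, outlen, "%s", tmpl);
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s program.exe [args...]\n", argv[0]);
        return 2;
    }
    if (!wine_launch_allowed(argv[1])) {
        fprintf(stderr, "refusing %s: no execute permission or noexec mount\n",
                argv[1]);
        return 1;
    }
    /* Policy passed: hand the remaining arguments to wine unchanged. */
    argv[0] = "wine";
    execvp("wine", argv);
    perror("execvp wine");
    return 1;
}
```

    This does not make Wine itself safer (a program Wine runs is still an ordinary process, as Ed Avis notes above), but it restores the one property the thread is complaining about: a file that was never chmod +x'd, such as an attachment a mail client wrote out, is not launched by a viewer association.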
  13. Re:Slashdot crashed my machines by Anonymous Coward · · Score: 1, Interesting

    Yes. I'm the same James. What's more is if you check with me tomorrow, I'll probably still be James.

    I still think that a polite note on the bottom of a page that's been there for two and a half years is and should be sufficient. I naively thought that this would be sufficient for Slashdot to not link. Checking the referrer would mean a twelve character regex being performed every single time the page is viewed.

    This is a small site we're talking about with an average of 1200 hits a day and 4,000 hits on an excellent day. Do the math: 1200 * 365 * 2.5 * 12 = 13 million character comparisons, not including php overhead, for one link once in two and a half years.

    Introducing checks into mainline code is something that should not be done trivially, Tet. Don't take my word for it. Search in the LKML archives about it. Linus talks about it with the Linux kernel often.

  14. Detailed Klez Analysis by sheriff_p · · Score: 3, Interesting

    If you want to know how exactly klez works, there's a very detailed analysis here:

    http://www.virusbtn.com/resources/viruses/indepth/klez.xml

    --
    Score:-1, Funny