Slashdot Mirror
WINE: A New Place for KLEZ to Play?
An anonymous submitter sends in this cautionary tale about Wine being maybe a little too good at emulating Windows. Update: 10/23 21:05 GMT by M : Better links: mirror 1, mirror 2.
← Back to Stories (view on slashdot.org)
Nice thing about WINE is: it can be shut OFF, then there is no environment to flourish in. ("/usr/local? Hell, I'm trying to find C:\windows\system")
JoeLinux
Only the things you don't use or want work well with Wine.
I know alot of software developers are anal retentive perfectionists, but this is going a little too far. What's next? EULA emulation?
?-|||-----x<*))))><
After seven posts!!?? Criminy people? how am I supposed to learn how windows sucks if you keep making IIS explode!?
I don't think so. I think it's pretty amazing that this could occur within Wine. I'd be VERY pleased if I were a Wine developer.
It's a linux implementation of windows apis. IT really shouldn't be suceptable to virii like windows is. I would really like to know more about this (the article has already been slashdoted)
procrastination is a way of life aka i'll think up a sig later
The server is apparently running IIS under Wine.
I've just recently done a wineinstall to clean out my wine settings, and I don't have a Z:. Does that happen if you're running as root?
The only potential issue I can see is that your whole home directory is 'shared' between Linux and Wine by default.
Maybe I just read ~/ as /
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
There was a story a year ago about sircam running on Wine.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
"If you go to webster [webster.com]
you'll easily find that plural from virus is viruses..."
I'm glad you clarified that. I was having trouble understanding what that guy said until you showed up.
If you lie down with dogs, you'll get up with fleas...
Does anyone know if Norton Anti-Virus runs under Wine?
-- You can't idiot-proof anything, because they're always coming out with better idiots.
Hi folks!
The new version of WINE is available! It costs a mere $450 per seat, and after an extensive rewrite of the Windows ABI emulation exports NO functionality whatsoever!
BTW for optimum emulation, we recommend running WINE at nice -20.
COMING SOON - WINE SP1.
The all-new WINE Service Pack removes the ability to run MS-DOS programs, and stops you viewing any digital broadcast medium. This is to enhance your computing experience.
All of the advantages, none of the . . . oops.
"If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
Understand some people don't have enough bandwidth to handle a thorough /.'ing. Sooner or later, the site is goign to stop responding simply because you run out of effective bandwidth. Also understand not everyone can afford what they talk about.
Kinda obvious but easily forgotten. Being able to run windows apps is a two edged sword in many different respects. Access to good applications versus potentially reduced interest in linux development. Ability to run applications not built for linux versus inconsistant ability to run some of those same apps. And now of course, access to Windows apps versus the viruses that often go with them. The good comes along with the bad and there are plenty of unintended consequences to go around. Any engineer will tell you that there are tradeoffs for any design decision. WINE is no exception. Caveat emptor...
Wine is supposed to run Windows apps... a virus is a Windows app as any other... If the Wine user is running Outlook what else he can wait for? The vulnerabilities still there...
the obvious solution would be not to run WINE as root. The filesystem permissions should prevent excessive damage.
On the footer of *every single page* at linuxguru.net, we specifically request that slashdot not link our stories because we can't handle the load.
I now have two dead machines because they linked us anyways.
-James Blackwell
There are a lot of smart, knowledgeable people out there who don't want a $500+/month hosting or bandwidth+power bill.
Sujal
politics, food, music, life: FatMixx
Well, this article that I found here that discusses the limitations of Klez on WINE and how Sircam was able to run on WINE. All in all, it appears to be a limited threat.
> If you go to webster [webster.com] you'll easily find that plural from virus is viruses...
What does it say about the plural for "anal retentive"?
Sheesh, evil *and* a jerk. -- Jade
Well, I haven't seen the article, cause it's been slashdotted, but to all that talk about wine virii execution - look at this (the author of the screenshot is C-Pro).
Besides, I mean, just as with any other tool, you need caution. If you run wine as root with the whole tree as e: then sooner or later you're gonna regret it. The level achieved by wine emulation is amazing, so there are going to be security flaws if you don't know what you are doing, just as with any product with functionality as extensive as wine's
Join the elite! Post at score:2! Ghostwheel is online.
between being able to set up a server that can take a Slashdotting and being able to afford a setup that can take a Slashdotting there is quite a difference (esp. in your bank account after you get the bandwidth bill...)
-- the cake is a lie
2 words: static webpages.
I know for a fact that if my ass was getting slashdotted, I'd be setting up static webpages faster than you can say "holy fucking shit where's my bandwidth?" I personally make a static archive of all my dynamic pages automatically just in case something like that happens. The problem lies in the fact that slashdot doesn't archive sites, nor do they give any type of notice before bringing the hordes of lamers from all over the internet to that site's front door. That's a "bad" thing.
I wonder if anyone's brought a lawsuit against slashdot(or their parent company, OSDN) for effectively destroying their servers.
ok, so i haven't seen the article. but this just goes to show that although running windows apps under linux using wine may be useful, what we are really wanting to do here is stop using that stuff anyway, by writing apps to replace them. isn't that why most of us run linux anyway, because we can't stand the alternative?
chris
It's a security bug, a security hole, just like the ones in LookOut, and it ain't a Wine problem. This one belongs on bugtraq.
The WINE project is becoming increasingly popular and useful to those who would continue to use proprietary, free, and unported opensource software available only for Microsoft Windows. I've tested it with a few games I had purchased while I still used Windows, and it surprised me. The WINE project, and the two popular forks in the project, WineX, and Codeweavers WINE, have come along quite nicely, albeit it slowly, over the last few years. I give a lot of credit to the many developers that have poured a lot of their time into the project, but, with the good, the bad must be accepted.
Recently a friend of mine, proficient in Linux, and not what you would call a 'newbie' to computing, received an email from a customer. The email was vague and included an attachment. In KMail, he decided to view the attachment, thinking it was simply an image. He clicks it, nothing happens, no viewer, no error, nothing but a few seconds of milling around, and then more nothing. Then, the wine notification pops up. By this time he had realized the file was a Windows executable, and that he'd just executed it with wine because of the MIME typing capabilities of KDE, and WINE's integration with the desktop.
If he were running windows, I would've slapped him upside the head, everyone with any sense at all would've expected an odd email with an attachment to be a ready and willing virus or worm. Of course, this was no different, this attachment contained the worm known as WORM_KLEZ.H. However, because of the sense of security from worms of this nature bestowed to Linux users, by the same type of ignorance in assumption that spreads them amongst Windows users, he never expected the attachment to be a virus or worm that would infect and operate as it normally does. Unfortunately, this is exactly what happened... click, boom, Klez goes nuts, etc., etc., etc.
The virus itself is simply a worm, it's what you'd call a 'dumb virus', in the sense that it isn't extremely complex, doesn't change itself around much, and basically works as fast as it can before it is easily obliterated by common virus scanning software. The basic idea is that it infects you, spreads itself by emailing from your computer to as many contacts as possible, then does its damage, if you want more detailed information, Trend Micro has plentiful information about Klez and other viruses and worms available on http://www.antivirus.com/.
Now, you may be wondering how it infected and actually 'worked', I know I certainly was. In this particular case, our cool customer known from here on out as 'John' for 'John Doe', had wine installed, and you see, the default configuration for most wine installs, shares your root linux directory as a drive visible to the applications running inside of it. If you know anything about the Klez worm, you'll remember that not only does it search for address books, etc, it will search for many other common file formats on the entire system, searching for email addresses, dropping PE_ELKERN.D, and various other silly virus/worm/intrusive type things.
So far we have the first two parts of the Klez's basic operation, infection, and email address reaping. What is next? Let's say it together kids "PROP A GA TION" yay!!! Now, this is probably one of the most important parts of a worm's life cycle. If it doesn't propagate, it isn't really a worm or a virus. It's just a pointless, irritating program.
Propagation in wine, this was the part in this particular case that I found so amusing. The computer was running a secure MTA (Mail Transport Agent) and the fake Windows registry for WINE was configured to use the localhost as the SMTP server for internet applications. Otherwise, the Klez would not have known how to send itself. It is possible, that, the Klez worm defaults to 'localhost' for the SMTP server if it cannot find one in the registry, this I don't know and it doesn't seem to be covered in Trend Micro's technical description. Anyway, because of the MTA being localhost, the worm was able to queue all of its outgoing email quite quickly. I actually had the opportunity to remotely shell in as root and view `ps aux` output, showing the various smtpd instances sending this email, while I tried to help John find the spooled emails and remove them.
Now, a few things must be noted about this particular situation. KLEZ is not a high risk worm, so by no means was this a massive problem for this person. Also, the infection did not include files that were not Windows exectuables, so the native filesystem was left unharmed. The spooled emails were taken care of and the effects overall were minimal, if not simply classified as an 'annoyance.'
The reason this is such an important subject to cover, isn't this instance of infection, but, the possible vulnerability that using WINE in such an insecure (and default) way can provide. For example, a knowledgeable virus programmer could use this situation to make multi-platform viruses, that could detect files by their 'magic file type' similar to the way the tool 'file' does, and infect them through wine. I understand, that this is highly unlikely to occur any time soon, but, I think you can probably imagine many other ways that this opens doors for virus problems to the relatively virus-clean environment of Linux.
The main points I'd like to make are: WINE is obviously mature enough to handle the more advanced code that a virus usually contains. Even if only KLEZ for now, others will in the future, be compatible. The other is: I am willing to bet that 90% of you WINE users out there, can view drive Z, or something similar and get your root file system tree, and something like drive Y provides your home directory READ-WRITE. Please, don't do this, unless it is absolutely necessary, minimize the interaction between your WINE environment, and the real linux environment, specify a directory for wine shared files and keep them separate from your linux home files, etc. This will help to minimize the post-infection damage a virus can accomplish.
Finally, the most important 'bug' most distributions have, is allowing a Windows executable to be run with wine without an obvious chance for interception, by default. Sure, it comes up with a window, telling you that wine is running, and allowing you to disable the notice, however, it does NOT warn you about the application being executed in such a way that you could stop it before it was started. Even Java does this with code that is signed for permissions; it still asks you if you are sure you want to give it permissions.
As it goes, I was unable to easily obtain any previously written information on securing WINE properly, and I am no security expert. Some basic tips would include, configuring the program, read all of the options, don't let it set itself up completely for you.If anyone has any tips they would like to share, please do.
Is it really such a big surprise that something based on Bill's produce quickly turns into vinegar? Storing it somewhere cool (Linux) isn't sufficient to make a good wine, you know.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
What does it say about the plural for "anal retentive"?
Well, for one, anal-retentive is hyphenated...
Quidquid latine dictum sit, altum sonatur.
The antivirus industry will love this. Who knows, they may even contribute to WINE. You see, so many Linux users have this false sense of security, assuming that since Linux hasn't been significantly targeted by virus writers that, Linux is virus proof. Big mistake, as demonstrated by this story.
;)
Now, Linux users will catch and spread a long list of old Windows favorites making the demand for commercial antivirus software go up again. This John Doe caught Klez a rather non descript worm. Imaging Anna Korunikova in the inboxes of most Linux geeks.
Better see about Norton Command Line Scanner or perhaps...
rpm -e wine-*
This is relatively tame.
...and this is one of the few times where my sig doesn't apply.
As much as I hate saying this, I fear it's going to get a lot worse. As/If Linux gains popularity on all systems, including desktops, you can expect there are going to be a lot of disgruntled windows people out there who will become unemployed because they can't grow with technology. I'm expecting to see a lot of linux software start getting messed with and drastic increase of linux trojans and viruses.
don't believe me?
Look at how much software has been backdoored lately- bitchx, ssh, and sendmail. That's a BIG FUCKING DEAL. As we continue, expect the crosshairs to be levelled towards us. There's gonna be a conspiracy. I'm not making any accusations, but keep in mind that the opensource movement is putting pressure on a group of companies that aren't exactly known for their ethical behavior.
of course I know I'm probably just a paranoid nut, but hey, that's a good thing to be in our field..
Looking for Book Reviews? Check out Literary Escapism.
I've got a 5-gallon carboy in the closet with 12-day old merlot in secondary fermenation. It took me two bloody hours to santize all of my siphoning gear just to make sure i wouldn't skunk on me . . . and now you're saying I have to worry about KLEZ in my wine??
Christ, this homebrew thing just isn't worth it.
trustedworlds.net - gaming, security, and the gunk that lives in between
This isn't just limited to WINE, it can hit real Linux mail programs too if anyone ever writes a Linux/ELF virus attachment. Repeat after me, kids:
Executable MIME types have no place in a mail program!
None, never, no way. Mail program doesn't matter. OS doesn't matter. No mail program should ever, under any circumstances, execute anything attached to an e-mail message, period full stop. You should only execute things from people you trust, and one attribute of e-mail is that you don't even know if the From address is the real sender so how can you trust the message?
looks like John was running linux for everyday tasks as his root account.... should we feel sorry? Hey, just as an example, i'll give you all my root account password so you can rape my computer all you want. sound good?
WTPOUAWYHTTOTWPA
What's the point of using acronyms when you have to type out the whole phrase anyways?
In my case, for example, consider this: having done this for a few years now, I can set up one Linux or BSD based machine as a great web server capable of fully loading a T-1 or larger data pipe. Static pages, images, streaming software, dynamic pages, the whole nine yards. Could probably do a passable job setting up a set of machines to act as a transparent site even if it took setting up a small cluster of machines to handle the load (images on one machine, data on another, apps, etc. on the main web server, email somewhere else, etc.). I won't say that I could do it with half my brain tied behind my back, no sleep in a couple of days, one hand in a cast, or some big brag, but it's just not that difficult once you have done it a few times and hung around the security conscious folks enough to learn what it takes to secure a machine or set of machines from malicious outsiders. [Give me a couple decent developers and together we'd could make any site you wanted really scream in just a few days].
With my average or better web server setup skills, does this mean I am using my own server setup? No, and I don't plan to any time soon, because none of my skills can prevent a wonderfully configured site from getting /.'ed because the bottleneck isn't usually in the machine, but the size of the data pipe connected to it.
Consider this as well: I usually locate my sites at one of a few good web hosting companies that have good co-location points and massive datas pipe to/from their server farm(s). So the server and the data pipe can handle it, if I want. However, for most sites I set up, I don't want or need the risk of getting a surprise high dollar bandwidth bill because /. or similar is suddenly pointing at my site and hogging all of the hosting company's bandwidth? No. Do I want have or want to spend the money to set up my own data center? No.
Why not? Because IMHO one of the best things about the 'net is that it gives many people who would not otherwise be "heard" a place to give voice to whatever message they deem important. One of the worst things about the net is that some people confuse tech savvy with message, just as the previous poster did.
Do I have something worthwhile to say? Occasionally. Should you respect what I or another writer has to say, when it is worthwhile, no matter what bandwidth they have available to them? I hope so, and for myself I would rather listen to and support the person with one wise voice pushing text messages on a slow data pipe than spend my time and money on a thousand fools pushing worthless content on a fat one.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If you want to know how exactly klez works, there's a very detailed analysis here:
/ klez.xml
http://www.virusbtn.com/resources/viruses/indepth
Score:-1, Funny