WINE: A New Place for KLEZ to Play?
An anonymous submitter sends in this cautionary tale about Wine being maybe a little too good at emulating Windows. Update: 10/23 21:05 GMT by M : Better links: mirror 1, mirror 2.
Nice thing about WINE is: it can be shut OFF, then there is no environment to flourish in. ("/usr/local? Hell, I'm trying to find C:\windows\system")
JoeLinux
Only the things you don't use or want work well with Wine.
I know a lot of software developers are anal retentive perfectionists, but this is going a little too far. What's next? EULA emulation?
?-|||-----x<*))))><
I don't think so. I think it's pretty amazing that this could occur within Wine. I'd be VERY pleased if I were a Wine developer.
It's a linux implementation of windows apis. It really shouldn't be susceptible to virii like windows is. I would really like to know more about this (the article has already been slashdotted)
procrastination is a way of life aka i'll think up a sig later
The server is apparently running IIS under Wine.
I've just recently done a wineinstall to clean out my wine settings, and I don't have a Z:. Does that happen if you're running as root?
The only potential issue I can see is that your whole home directory is 'shared' between Linux and Wine by default.
Maybe I just read ~/ as /
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
There was a story a year ago about sircam running on Wine.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
If you lie down with dogs, you'll get up with fleas...
Does anyone know if Norton Anti-Virus runs under Wine?
-- You can't idiot-proof anything, because they're always coming out with better idiots.
Hi folks!
The new version of WINE is available! It costs a mere $450 per seat, and after an extensive rewrite of the Windows ABI emulation exports NO functionality whatsoever!
BTW for optimum emulation, we recommend running WINE at nice -20.
COMING SOON - WINE SP1.
The all-new WINE Service Pack removes the ability to run MS-DOS programs, and stops you viewing any digital broadcast medium. This is to enhance your computing experience.
All of the advantages, none of the . . . oops.
"If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
Understand some people don't have enough bandwidth to handle a thorough /.'ing. Sooner or later, the site is going to stop responding simply because you run out of effective bandwidth. Also understand not everyone can afford what they talk about.
Kinda obvious but easily forgotten. Being able to run windows apps is a two-edged sword in many different respects. Access to good applications versus potentially reduced interest in linux development. Ability to run applications not built for linux versus inconsistent ability to run some of those same apps. And now of course, access to Windows apps versus the viruses that often go with them. The good comes along with the bad and there are plenty of unintended consequences to go around. Any engineer will tell you that there are tradeoffs for any design decision. WINE is no exception. Caveat emptor...
Wine is supposed to run Windows apps... a virus is a Windows app like any other... If the Wine user is running Outlook, what else can he wait for? The vulnerabilities are still there...
On the footer of *every single page* at linuxguru.net, we specifically request that slashdot not link our stories because we can't handle the load.
I now have two dead machines because they linked us anyways.
-James Blackwell
There are a lot of smart, knowledgeable people out there who don't want a $500+/month hosting or bandwidth+power bill.
Sujal
politics, food, music, life: FatMixx
Well, this article that I found here discusses the limitations of Klez on WINE and how Sircam was able to run on WINE. All in all, it appears to be a limited threat.
> If you go to webster [webster.com] you'll easily find that plural from virus is viruses...
What does it say about the plural for "anal retentive"?
Sheesh, evil *and* a jerk. -- Jade
2 words: static webpages.
I know for a fact that if my ass was getting slashdotted, I'd be setting up static webpages faster than you can say "holy fucking shit where's my bandwidth?" I personally make a static archive of all my dynamic pages automatically just in case something like that happens. The problem lies in the fact that slashdot doesn't archive sites, nor do they give any type of notice before bringing the hordes of lamers from all over the internet to that site's front door. That's a "bad" thing.
I wonder if anyone's brought a lawsuit against slashdot (or their parent company, OSDN) for effectively destroying their servers.
It's a security bug, a security hole, just like the ones in LookOut, and it ain't a Wine problem. This one belongs on bugtraq.
The WINE project is becoming increasingly popular and useful to those who would continue to use proprietary, free, and unported opensource software available only for Microsoft Windows. I've tested it with a few games I had purchased while I still used Windows, and it surprised me. The WINE project, and the two popular forks in the project, WineX, and Codeweavers WINE, have come along quite nicely, albeit slowly, over the last few years. I give a lot of credit to the many developers that have poured a lot of their time into the project, but, with the good, the bad must be accepted.
Recently a friend of mine, proficient in Linux, and not what you would call a 'newbie' to computing, received an email from a customer. The email was vague and included an attachment. In KMail, he decided to view the attachment, thinking it was simply an image. He clicks it, nothing happens, no viewer, no error, nothing but a few seconds of milling around, and then more nothing. Then, the wine notification pops up. By this time he had realized the file was a Windows executable, and that he'd just executed it with wine because of the MIME typing capabilities of KDE, and WINE's integration with the desktop.
If he were running windows, I would've slapped him upside the head, everyone with any sense at all would've expected an odd email with an attachment to be a ready and willing virus or worm. Of course, this was no different, this attachment contained the worm known as WORM_KLEZ.H. However, because of the sense of security from worms of this nature bestowed to Linux users, by the same type of ignorance in assumption that spreads them amongst Windows users, he never expected the attachment to be a virus or worm that would infect and operate as it normally does. Unfortunately, this is exactly what happened... click, boom, Klez goes nuts, etc., etc., etc.
The virus itself is simply a worm, it's what you'd call a 'dumb virus', in the sense that it isn't extremely complex, doesn't change itself around much, and basically works as fast as it can before it is easily obliterated by common virus scanning software. The basic idea is that it infects you, spreads itself by emailing from your computer to as many contacts as possible, then does its damage. If you want more detailed information, Trend Micro has plentiful information about Klez and other viruses and worms available on http://www.antivirus.com/.
Now, you may be wondering how it infected and actually 'worked', I know I certainly was. In this particular case, our cool customer known from here on out as 'John' for 'John Doe', had wine installed, and you see, the default configuration for most wine installs shares your root linux directory as a drive visible to the applications running inside of it. If you know anything about the Klez worm, you'll remember that not only does it search for address books, etc, it will search for many other common file formats on the entire system, searching for email addresses, dropping PE_ELKERN.D, and various other silly virus/worm/intrusive type things.
So far we have the first two parts of the Klez's basic operation, infection, and email address reaping. What is next? Let's say it together kids "PROP A GA TION" yay!!! Now, this is probably one of the most important parts of a worm's life cycle. If it doesn't propagate, it isn't really a worm or a virus. It's just a pointless, irritating program.
Propagation in wine, this was the part in this particular case that I found so amusing. The computer was running a secure MTA (Mail Transport Agent) and the fake Windows registry for WINE was configured to use the localhost as the SMTP server for internet applications. Otherwise, the Klez would not have known how to send itself. It is possible that the Klez worm defaults to 'localhost' for the SMTP server if it cannot find one in the registry, this I don't know and it doesn't seem to be covered in Trend Micro's technical description. Anyway, because of the MTA being localhost, the worm was able to queue all of its outgoing email quite quickly. I actually had the opportunity to remotely shell in as root and view `ps aux` output, showing the various smtpd instances sending this email, while I tried to help John find the spooled emails and remove them.
Now, a few things must be noted about this particular situation. KLEZ is not a high risk worm, so by no means was this a massive problem for this person. Also, the infection did not include files that were not Windows executables, so the native filesystem was left unharmed. The spooled emails were taken care of and the effects overall were minimal, if not simply classified as an 'annoyance.'
The reason this is such an important subject to cover isn't this instance of infection, but the possible vulnerability that using WINE in such an insecure (and default) way can provide. For example, a knowledgeable virus programmer could use this situation to make multi-platform viruses, that could detect files by their 'magic file type' similar to the way the tool 'file' does, and infect them through wine. I understand that this is highly unlikely to occur any time soon, but, I think you can probably imagine many other ways that this opens doors for virus problems to the relatively virus-clean environment of Linux.
The main points I'd like to make are: WINE is obviously mature enough to handle the more advanced code that a virus usually contains. Even if only KLEZ for now, others will, in the future, be compatible. The other is: I am willing to bet that 90% of you WINE users out there can view drive Z, or something similar, and get your root file system tree, and something like drive Y provides your home directory READ-WRITE. Please, don't do this, unless it is absolutely necessary, minimize the interaction between your WINE environment, and the real linux environment, specify a directory for wine shared files and keep them separate from your linux home files, etc. This will help to minimize the post-infection damage a virus can accomplish.
Finally, the most important 'bug' most distributions have, is allowing a Windows executable to be run with wine without an obvious chance for interception, by default. Sure, it comes up with a window, telling you that wine is running, and allowing you to disable the notice, however, it does NOT warn you about the application being executed in such a way that you could stop it before it was started. Even Java does this with code that is signed for permissions; it still asks you if you are sure you want to give it permissions.
As it goes, I was unable to easily obtain any previously written information on securing WINE properly, and I am no security expert. Some basic tips would include configuring the program, reading all of the options, and not letting it set itself up completely for you. If anyone has any tips they would like to share, please do.
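An added audit script (not from the comment above or from the Wine project) that checks a Wine prefix for the two defaults the comment warns about: a drive letter mapping the real root or home directory into the Windows view, and a desktop MIME association that hands `.exe` attachments straight to Wine. It assumes the `~/.wine/dosdevices` symlink layout of later Wine releases rather than the 2002 config file, and a freedesktop `mimeapps.list`; the sample prefix and sample file are constructed.

```python
import tempfile
from pathlib import Path

EXE_MIME_TYPES = ("application/x-ms-dos-executable", "application/x-msdownload")  # assumed

# Constructed mimeapps.list with the automatic .exe -> Wine association in place
SAMPLE_MIMEAPPS = """[Default Applications]
image/png=viewer.desktop;
application/x-ms-dos-executable=wine.desktop;
"""

def audit_dosdevices(dosdevices, home):
    """Return (drive, target, finding) for each 'x:' symlink in a Wine prefix.
    Assumes the ~/.wine/dosdevices layout of later Wine releases."""
    home = Path(home).resolve()
    findings = []
    for entry in sorted(Path(dosdevices).iterdir()):
        if not (entry.is_symlink() and len(entry.name) == 2 and entry.name[1] == ":"):
            continue  # skip com1/lpt1 style device entries
        target = entry.resolve()  # follow the symlink to the Unix directory
        if target == Path("/"):
            finding = "exposes entire root filesystem"
        elif target == home:
            finding = "exposes real home directory"
        else:
            finding = "ok"  # drive_c itself or a dedicated shared directory
        findings.append((entry.name, str(target), finding))
    return findings

def exe_handlers(mimeapps_text):
    """Map each executable MIME type in [Default Applications] to its handler."""
    handlers, in_defaults = {}, False
    for line in mimeapps_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_defaults = line == "[Default Applications]"
        elif in_defaults and "=" in line:
            mime, desktop = line.split("=", 1)
            if mime in EXE_MIME_TYPES:
                handlers[mime] = desktop.rstrip(";")
    return handlers

def build_sample_prefix():
    """Constructed prefix with the risky defaults: z: -> / and y: -> real home."""
    home = Path(tempfile.mkdtemp()) / "home" / "john"
    dos = home / ".wine" / "dosdevices"
    (home / ".wine" / "drive_c").mkdir(parents=True)
    dos.mkdir()
    (dos / "c:").symlink_to("../drive_c")
    (dos / "z:").symlink_to("/")
    (dos / "y:").symlink_to(home)
    return dos, home
```

Pointing `audit_dosdevices` at a real `~/.wine/dosdevices` and `exe_handlers` at `~/.config/mimeapps.list` shows whether a prefix still has the root-filesystem drive and the auto-run association in place.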
> What does it say about the plural for "anal retentive"?
Well, for one, anal-retentive is hyphenated...
Whatever is said in Latin sounds profound.
The antivirus industry will love this. Who knows, they may even contribute to WINE. You see, so many Linux users have this false sense of security, assuming that since Linux hasn't been significantly targeted by virus writers, Linux is virus proof. Big mistake, as demonstrated by this story.
;)
Now, Linux users will catch and spread a long list of old Windows favorites, making the demand for commercial antivirus software go up again. This John Doe caught Klez, a rather nondescript worm. Imagine Anna Kournikova in the inboxes of most Linux geeks.
Better see about Norton Command Line Scanner or perhaps...
rpm -e wine-*
This is relatively tame.
...and this is one of the few times where my sig doesn't apply.
As much as I hate saying this, I fear it's going to get a lot worse. As/If Linux gains popularity on all systems, including desktops, you can expect there are going to be a lot of disgruntled windows people out there who will become unemployed because they can't grow with technology. I'm expecting to see a lot of linux software start getting messed with and drastic increase of linux trojans and viruses.
don't believe me?
Look at how much software has been backdoored lately: bitchx, ssh, and sendmail. That's a BIG FUCKING DEAL. As we continue, expect the crosshairs to be levelled towards us. There's gonna be a conspiracy. I'm not making any accusations, but keep in mind that the opensource movement is putting pressure on a group of companies that aren't exactly known for their ethical behavior.
of course I know I'm probably just a paranoid nut, but hey, that's a good thing to be in our field..
Looking for Book Reviews? Check out Literary Escapism.
This isn't just limited to WINE, it can hit real Linux mail programs too if anyone ever writes a Linux/ELF virus attachment. Repeat after me, kids:
Executable MIME types have no place in a mail program!
None, never, no way. Mail program doesn't matter. OS doesn't matter. No mail program should ever, under any circumstances, execute anything attached to an e-mail message, period full stop. You should only execute things from people you trust, and one attribute of e-mail is that you don't even know if the From address is the real sender so how can you trust the message?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.