Running Windows Viruses Under Linux

ResQuad writes "Everyone loves Windows viruses, right? Well, the crazy people over at NewsForge (owned by the same people that own Slashdot) decided to try running Windows viruses with Wine. So next time you receive an email virus, strike up Wine and see what you can do (or not)."

That's awhole lot of differences

[Dark+Coder]

True AV and AT (anti-trojan) SW engineers uses VMWARE for their studies and dissemination of malacious flotsam of codes floating around the internet.

But the article is "A Good Thing" because it shows EITHER that Wine isn't 100% Microcrap or is more robust against viruses.

Take your pick.

Done it. It works. Kinda.

[Frater+219]

This past December, one of the engineers at my workplace gave a presentation on WINE. Since I'm the security guy, somone asked me if Windows viruses ran under WINE. So I tried three: Lovgate, a Mydoom variant, and a Netsky variant.

Lovgate simply exited without doing anything. Mydoom actually crashed WINE into its debugger. The Netsky variant, as the article describes (SomeFool is Netsky) actually ran. Moreover, it did a passel of DNS queries and actually tried to send e-mail (which was rejected). So, if that e-mail had been accepted, Netsky would have been able to propagate under WINE. As in the article, Ctrl-C proved necessary and effective.

To make a long story short, yes, some Windows viruses do run under WINE. Of course, you have to tell WINE to run them -- not exactly the social engineering that viruses are intended to do. However, as WINE gets more popular and reliable, I would expect that this will be more of a problem for people who choose to (e.g.) run Outlook in WINE.

(For what it's worth, WINE isn't the only way to run Windows viruses and worms on your non-Windows system. I've had to explain to users that yes, their VMware or Virtual PC system is quite capable of getting wormed, and that yes, they did need to do their Windows Update on that "virtual" Windows system, too.)

Re:Done it. It works. Kinda.

[einhverfr]

Of course, you have to tell WINE to run them -- not exactly the social engineering that viruses are intended to do.

You can tell Mozilla to open .exe's with Wine ;-). Maybe you can add the same mime-types to Gnome and/or KDE!

Re:Done it. It works. Kinda.

[kevcol]

Not 'kinda' here.

Propogated.

I executed a viral attachment once about 4 months ago, and then forgot about it ("Haha! That can't possibly work."). A couple hours later, my 'abuse' address had a complaint. Source IP was my SuSE workstation. Thunderbird even deep-sixed a spam that was sent by my own machine to me. D'oh!

404 Error

[Eberlin]

I tried clicking on the link and got a 404 out of it. Wondering if Timothy decided to check out that whole wine thing on a slashdot server.

I guess it would be interesting to see if a virus/worm would work under WINE but in the end, what would it really mean if it does?

Compatibility jokes aside, it would mean that the way the operating system handles things is inherently insecure. It really couldn't be blamed on a WINE implementation because the virus/worm worked on the original OS. (If it didn't work on windows but worked on WINE, then that's completely different).

It's definitely a bizarre practice and not one I'd personally try -- but for those who want to decompile and make sandboxed studies of viruses, it may be worth something. Not as much as studying it live on a controlled win32 network but I bet it has its merits.

Re:Wine is not an Emulator.

[m50d]

Or it could just be an emulator that doesn't work very well. If you try an early version of bochs/vmware/etc. from before they had networking support, the viruses won't be able to own that either.

Re:Native ports now!

[morcheeba]

I used to work for a 5-person company. We easily ported our main ap to linux, but a critical tool we used to build our code was developed for windows. It was gui-centric, so a port would be difficult, and besides, all the programmers were algorithm people, not gui people. Wine was a godsend - our old tool just worked, and it saved us a lot of time. Boycotting ourselves wouldn't have gotten us the needed people to port it.

Secret APIs

[hey]

Running Microsoft programs is the hardest for Wine because they use secret function calls. The Virus writers (presumably) aren't insiders so don't know about the secret APIs. Should be easy for Wine.

Re:Secret APIs

[TekPolitik]

Running Microsoft programs is the hardest for Wine because they use secret function calls

Current CVS versions of Wine can install and run the major MS applications, including MS office and Internet Explorer. Why would you do such a thing, I hear you ask? Because users still use Windows and as developers we still have to write code that interfaces with those applications. Absent that, OpenOffice and Konqueror or Mozilla work perfectly well.

Been there, done that '99

[wertarbyte]

Right before Y2K, there was a worm/virus/whatever called Happy99.exe. If you secured your wine installation prior execution, you could watch the pretty fireworks it produced without harming your installation.

Wine devs test for this

[bluGill]

At the last WineConf (almost exactly one year ago) some of the Wine developers were testing the hot mail virus of the day to make sure it ran. That was the one that activated as a DDoS on www.sco.com. It ran, and after putting making www.sco.com resolve to 127.0.0.1 in /etc/hosts it attempted to take down the local machine.

We also found the back door, and came close to getting arbitrary programs to run from it, but supper came before we got that part working. We think it would have worked if a free meal hadn't gotten in the way.

So now you know. If a windows virus doesn't run under wine you can thank CodeWeavers for buying everyone a meal before we got it implimented.

The Sound of One Hand Clapping

[4of12]

So, if WINE fails to properly run a Windows virus under Linux, is it considered a bug or a feature?

Re:The Sound of One Hand Clapping

[XO]

My roommate's laptop had only previously ever been connected to an Internet via either the NAT/firewall box on our home network, or via her work network.

She got an AT&T Wireless Air-card type thing, and almost immediatly upon logging into it, her computer started counting down the seconds to rebooting. Don't remember what virus that was, but it's STILL going around like a year or two later. And it is infecting virtually ANYTHING that connects to the Internet if it's vulnerable. Also picked up several others that had never touched her laptop before that within hours of being connected without a NAT/firewall in the way.

Re:The Sound of One Hand Clapping

[/dev/trash]

a bug. WINE is supposed to do exactly what Windows would.

Re:Obligatory

[dJCL]

Well, I went with before major computer systems were installed in systems...

a '93 eagle, it does have some electronics, but nothing your going to infect vio bluetooth, except maybe the very aftermarket mp3 player...(I wish I'd thought to get a bluetooth enabled player!)

I also agree, that you will have issues with old parts. I'm on my 2nd engine, 3 alternator(or rebuild), 2nd battery, 2nd catalytic converter, 300th set of belts(tensioner is not working right on it) and the right hand windwhield wiper does not actually clear the windows properly...

But it drives, and the last shop I had it in tweaked the engine(brushless, mitsubishi engine) to get a little more performance out of it.(I have a heavy accelerator, once got pulled over for excessive acceleration - by a copy on a bike, I don't speed that badly).

Anyway, just my 2c on that comment.

JC

Re:Wine is not an Emulator.

[hunterx11]

This isn't an English class, it's Slashdot. Slang exists. Deal with it. I don't say "alright" but I've come to terms with the fact that it will inevitably become an accepted word.