Now Linux Can Get Viruses, Via Wine

fsufitch writes "Wine has advanced enough to make Linux not immune to Windows viruses. However, just like many Wine applications, it takes a bit of effort to get the program off the ground. Also, just like some Windows programs running via Wine, not all features may work — in this case, the crippling of the system, immunity to the task manager, identity theft, etc."

marketshare

[sopssa]

Haven't it always been pretty clear that Wine could run Windows viruses, as long as they don't use some weird low-level tricks (which admittedly many do)?

But for that matter, Linux doesn't have malware only because it's desktop share is next to nothing (not the same amount atleast, there are Linux viruses out too). Mac OSX has been getting more and more viruses lately as it's marketshare has been growing. So would Linux aswell if it ever gained more users.

As long as the OS isn't completely locked down from the user, there will be malware. Windows, Mac, or Linux cant defend you from that. But none of us really want a locked down OS. And as long as the users are stupid their computers will get infected.

It's just about the marketshare.

Re:marketshare

[sakdoctor]

But none of us really want a locked down OS

WTF?
Microsoft totally fucked up the principle of least privilege from day one. If they hadn't, the damage done by viruses/worms in the history of personal computing, would have been an order of magnitude less.

Re:marketshare

[wizardforce]

So what you're saying is that Linux should be just riddled with various types of malware in the server market because it is both the dominant player in that market and is a significant target considering the server market's importance. Reality seems to disagree with you.

Re:marketshare

To be fair, there's a significant effort to install backdoors/trojans on poorly configured linux machines, but the issue is that they're a much more difficult target as servers do not browse websites with IE nor do they open every attachment you send them via email.

What makes most machines insecure is the users, and since a server normally has only 1 very tech-saavy user, the only openings are in poorly configured services. I know that I had phpbb for a long time, and one day I put in a game playing mod (had some goofy things like achievements and little trophies), and I got hacked via a google search.

Fortunately the guy who installed it didn't finish off his attack by clearing his own history, and the server wasn't running as root, so he only got as far as screwing with the main page.

To say that the server market isn't continually targeted is disingenuous. It's just harder because it isn't operated by a ton of idiots (well, most of the time anyway).

Re:marketshare

[0100010001010011]

A link to all those hundreds of OS X viruses that are coming out?

Re:marketshare

[wintersdark]

Thinking that you're safe running OSX is very foolish. It IS more secure than Windows, but it can get viruses too. As OSX increases in market share, you will find more viruses appearing for it too. It'll take a little longer to get started - Everyone got great Intro Virus Production 101 classes in grossly insecure older versions of Windows, after all. OS X is indeed a more secure operating system, but it is not an invincible one. Assuming you are and will always be safe because you're running it is a very bad idea.

Re:marketshare

[bhtooefr]

The problem is, for a home computer, you are your own sysadmin.

And then the dancing bunnies problem comes into play.

User: "Oooh, I can download this to see dancing bunnies." *downloads and executes malware*
Malware: *tries to install*
OS: "Malware needs root access to install. Please enter your root password." (Windows version of this would be "Cancel or Allow.")
User: *enters root password*
Malware: *infects system*
OS: *pwned*
User: *pwned*

Re:marketshare

[shentino]

Windows, however, is bigger overall.

And you don't really need a beefy server in your botnet. A desktop will do just fine.

Re:marketshare

[Runaway1956]

"But for that matter, Linux doesn't have malware only because it's desktop share is next to nothing"

I keep hearing that. Everyone says it so it must be true. But, I'm mindful of the fact that only a handful of viruses have EVER been written for Linux, and that the User can't infect the underlying system. It takes Root access to do so, something that is only now beginning to be true for Windows.

It seems that Windows is improving it's security model - but they still haven't caught up with Linux, despite what the fanboys might have to say. Unlike XP, it has always been possible to lock the User down pretty tightly, but still allow User to play any game on the system. More, it has almost always been possible to allow a User to install his games and applications in User Space. That isn't possible with Windows, even with Win 7. When I can create a dozen users, each of whom allows serious infections WITHIN HIS OWN ACCOUNT, but the Admin account remains untouched and unharmed, THEN Windows will be well on the road to having a meaningful security model.

Whatever - I'll believe the basic premise that Linux would be just as vulnerable as Windows if it had market share when I see it. To me, it seems the structure and the philosophy of Linux contradicts what common "wisdom" says.

Re:marketshare

[evilviper]

As long as the OS isn't completely locked down from the user, there will be malware.

If you operate as a non-privileged user, and there aren't gaping local root exploits, malware is pretty damn toothless.

Sure, it could still send out some e-mails, record your keystrokes, etc., but it will show up in `ps` just like any other process, and it will have to launch itself from a few standard few locations available, where it will be easy to find, and stop from running.

So, yes, Linux could have malware, but it would be the minor nuisance type, rather than the "everyone's infected, it's impossible to remove, and the internet is being brought to its knees" type.

Additionally, the problem with Linux viruses is that people get their software from a central repository, with cryptographic checksums and the like. The world would be very different if Windows users got all their software through WindowsUpdate, instead of constantly downloading crap from random websites.

Re:marketshare

[1s44c]

But for that matter, Linux doesn't have malware only because it's desktop share is next to nothing (not the same amount atleast, there are Linux viruses out too). Mac OSX has been getting more and more viruses lately as it's marketshare has been growing.

There are more than enough unix and linux machines on the net to make them a viable target yet these machines don't seem have the same problems. They do get cracked but normally due to bad PHP code or people setting guessable passwords.

Windows doesn't get viruses because lots of people use it, it gets viruses because it has a thrown together design and it's poorly implemented.

Re:marketshare

[Zancarius]

Except on BSD systems, which only accept arguments before other arguments. This prevents someone from putting a file called -rf in a directory, so when you run rm * the -rf won't be expanded and treated as an argument.

Which BSD?

FreeBSD:

[vbox:example]$ ls -l
total 0
[vbox:example]$ touch -- file1 file2 file3 file4 -rf
[vbox:example]$ mkdir dir
[vbox:example]$ ls -l
total 2
-rw-r--r-- 1 test test 0 Oct 24 16:16 -rf
drwxr-xr-x 2 test test 512 Oct 24 16:16 dir
-rw-r--r-- 1 test test 0 Oct 24 16:16 file1
-rw-r--r-- 1 test test 0 Oct 24 16:16 file2
-rw-r--r-- 1 test test 0 Oct 24 16:16 file3
-rw-r--r-- 1 test test 0 Oct 24 16:16 file4
[vbox:example]$ rm *
[vbox:example]$ ls -l
total 0
-rw-r--r-- 1 test test 0 Oct 24 16:16 -rf

I assume you're talking about a specific shell or rm binary--AFAIK, they all exhibit the same behavior in recent releases.

Re:marketshare

[Hucko]

It's just about the marketshare.

It's about the marketshare if you ignore the ratios. Macs are supposed to have ... 5% marketshare? They and the other OS have a much lower ratio of malware per install. Yes, Windows locked down should be just as secure as any other OS... but it is too easy to change its security for convenience sake --- at least up till XP. I haven't administered a network (or even a machine) of Windows Vista and above, so they may be much better for all I know.

Re:marketshare

[BluBrick]

Yeah ... but dancing bunnies .... it is a tough call.

Don't underestimate lusers. There are 8 year old girls who know more about computers than their parents.

Why do you think the malware authors chose dancing bunnies and not strippers? Even 8 year old girls who know more about computers than their parents can do stupid things with the right motivation.

Re:marketshare

[jonadab]

> Then why do linux server not have viruses?

Because if you're writing malware for Linux systems, a virus is not the easiest or most effective way to go. Attaching to system binaries is problematic for a variety of reasons. System binaries can be updated at any time. Changes in their size and signature are easily detectable. Furthermore you have to be root to do it, but you wouldn't install a virus if you're root, because you'd use a rootkit instead in that case. A rootkit is more likely to remain on the system undetected for a longer period of time. There are more reasons, but you get the idea: a virus for Linux doesn't make sense. Some other kind of malware, such as a worm or rootkit, does.

(And if you think Linux servers don't have malware, I have some nice beachfront property in Montana that I can sell you at a great discount.)

Re:marketshare

[donaldm]

But for that matter, Linux doesn't have malware only because it's desktop share is next to nothing (not the same amount atleast, there are Linux viruses out too). Mac OSX has been getting more and more viruses lately as it's marketshare has been growing. So would Linux aswell if it ever gained more users.

I suppose 20 to 60 million Linux desktops world wide is next to nothing and I have two of them, however the main reason why Linux distributions are difficult to write viruses for is because most distributions insist on you working as a normal user and not with elevated privileges like you have with MS Windows distributions. Writing a virus for Linux or Unix for that matter is easy however it requires the user to deliberately run the mall-ware and running it with normal user privileges is next to useless. Ok you stuff up that user but you have not rooted the machine. Another reason why Linux distributions are not popular with mall-ware writers is the fact that Linux users are normally more computer literate and it is much more of a effort and risk targeting Linux since there are many distributions and you do have very smart people who would take it as a challenge to track down the writers of the mall-ware. This is not something the average mall-ware writer wants.

Actually Linux is extremely popular with mall-ware writers since it is an excellent platform to develop mall-ware on. If you were a mall-ware developer why would you want to target Linux when it is so much easier to target MS Windows? As for targeting Mac's. Even though Mac's run a Unix OS the easiest way to compromise a user (Linux is vulnerable here as well) is to use social networking in that the black-hat tries to get personal information from the unsuspecting user by pandering to social worries such as "This is YOUR_BANK, we need to check our customers security. Please send us your financial details and relevant passwords so we can check that your account has not been compromised. Please don't send any details via normal email or registered post, login the the following URL and enter your details". Who would fall for something like that? I don't think that many but you only need 0.001% of the total population of computer users and the scammer has rich pickings.

Re:marketshare

[reashlin]

Surely this is down to the shell not the particular kernel you are using

Linux's distribution model helps though

[brunes69]

The way Linux software is distributed, makes it much less likely to get a virus. You know how many applications I have downloaded from random websites in the past 2 years for my Linux system? Maybe, 2. All of the rest are in the centrally managed, (hopefully) certified virus-free application repository, which is free for all.

The idea that a Linux user would download random stuff from a torrent or website is a pretty foreign concept. For me, and moth others, if it isn't in the repository, I don't bother - because there is probably something in the repository that suits my needs just as well or better anyway.

Re:Linux's distribution model helps though

[buchner.johannes]

You, and the majority of Linux users are delusional. You think malware is only executables. A glitch in any software package -- e.g. Firefox or OpenOffice -- would be enough to add a bash script to .bashrc (or replace the file). This can download and start all the software it wants, unless you set the /home partition noexec.
Another attack method would be to append a script to the GNOME startup applications.

Consider appending the following script to .bashrc (no one ever looks in there). Next time you go into your shell and do "sudo su - " or something similar, the script has root privileges (if you use sudo timeouts or no sudo password).
#!/bin/bash

MAXAGE=100

while sleep 10; do

        pgrep -f -U 0 -P $PPID,$$ && {
                # echo parent has a root owned child process
                id=$(pgrep -f -U 0 -P $PPID,$$ | head -n1)
                # wait $id
                age=$(($(date +%s) - $(stat /proc/$id/ -c '%Y')))
                if [ "$age" -lt "$MAXAGE" ]; then
                        # echo the child is young
                        # evil code here
                        sudo touch /root/you_were_hacked
                        # sudo rm -rf /etc/
                fi
        }
done &

With 10+ scripting languages on the average Linux install, the attacker has plenty of choices. Linux is only safer if you use a hardened kernel, SELinux, noexec partitions and read-only binary partitions. Crackers are already laughing about the upcoming, unworried lusers that think their OS is invulnerable.

Windows virus needs help to limp onto WINE

[AliasMarlowe]

So WINE can get a virus intended for Windows, if you jump through some hoops to help the virus along. Color me unworried.

What can a Windows-targeted virus in WINE do to a Linux system, other than hang around looking impotent? Most of the target DLLs and other windows hidey-holes don't exist in WINE. Even if it finds a place to lurk, it's unlikely that it could hit the Linux system files or boot loader, or perform keylogging outside WINE or snoop on private files. A very crude "wipe drive C:" type virus might molest your WINE environment (your data files are elsewhere, of course), but that's about all. Even if the virus were specifically tailored for WINE on Linux, a successful attack would rely on user stupidity even more blatant than Windows viruses must depend on.

TFA even commented on how easy it is to dispose of the malware, even after spending some effort helping it to limp onto your system.

Re:Windows virus needs help to limp onto WINE

[Bert64]

The beauty of wine, is that you can configure multiple wine instances which are segregated from each other, so a virus infecting one won't affect another... Also, since wine is a userland program which is only invoked at the user's request, any malware shouldn't be able to make itself load at boot.

Incidentally, small desktop marketshare is not the only reason, windows has traditionally been more susceptible to viruses due to various design decisions which don't apply to linux, various factors like hiding of file extensions, users being admin by default, files being executable purely based on their filename (linux users have to chmod something first), and the basic fact that windows has its origins in a single user gui addon for dos which had no concept of security whatsoever (yes i know nt does, but they grafted the old 9x interface and apis on top, which fundamentally weakened the security model inherent in nt).

Re:Windows virus needs help to limp onto WINE

[skiman1979]

Sure, but since we Linux users don't normally run as root, that happy_screensaver.sh will be met with various 'access denied' errors. The script will have to include various privilege elevation exploits in it to affect the system.

Then again, the data that most users care about is their own data, their pictures, videos, documents, not_pr0n folder, things like that. Malware on any system won't have to do anything 'special' to get to that data. So of course we just have to resort to telling users 'don't be stupid' so they don't lose their data.

At least the OS would be relatively safe.

Just get hacked, it is easier anyway

In 1996, my Linux box was hacked in under 20 minutes of being online. The root account password was changed and my account was deleted (along with all my files). I reinstalled and learned about securing unix.

In 1998 my Linux box was hacked due to a 3 month behind-patch version of bind. They dropped a perl script into /tmp and tried to gain root with a perl timing-to-root bug, which had already been patched on my system. A disconnected backup was used to validate all the files on the system and proved that only the named userid and /tmp/.sdfsdfs directory had been touched.

I don't run bind on an internet accessible machine anymore.

I haven't been hacked since, but I'm not so ignorant to believe that I can't be hacked. My plans for when I'm hacked revolve around discovering the cause and restoring from a complete system backup, then removing the vulnerability. I expect to be hacked, period. "I" is really "we" since I run servers for my company and for other companies.

Neither hacks were viruses, but they were just as bad and could have been much worse.

Linux isn't THAT more secure, it is just less targeted since Windows is 90%+ of the computers. Stop being so smug folks.

I think Apple is about to learn a real lesson with the iPhone being hacked constantly. Then Linux will be targeted.

Re:Just get hacked, it is easier anyway

[argent]

Linux isn't THAT more secure, it is just less targeted since Windows is 90%+ of the computers.

A properly configured UNIX client system is significantly more secure than any comparable Windows system, even if you don't run a firewall. There are two significant differences: Internet Explorer, and Services.

The security model of IE is inherently flawed and can not be fixed without breaking existing applications. Microsoft is unwilling to take that step.

Windows services are neither run from a superserver nor in virtually all cases do they allow binding to specific ports, and Windows networking (LAN Manager) requires having services with open ports.

These are fairly significant problems that can not be addressed without changes to Windows APIs that are unlikely to happen.

I think Apple is about to learn a real lesson with the iPhone being hacked constantly.

If someone has physical access to the system, all the software security in the world is useless. The iPhone is being attacked by the device's *owners*. These are *local exploits*, much more common and of much less concern than remote ones.

Strongly misleading headline!

[Hurricane78]

Yeah, it can run viruses, but "not all features may work -- in this case, the crippling of the system, immunity to the task manager, identity theft, etc.".

So in fact, it's not a virus anymore. It's just another program. The very point of being a virus is gone. Because the security settings still hold. (Unless you are retarded enough to run a Wine program as root. But in that case you're just asking for it anyway. ^^)

Re:Strongly misleading headline!

[bendodge]

Actually, Wine refuses to run under sudo. I know this because I used to use Windows data recovery programs (that naturally needed root) in Wine on NTFS drives. It used to work surprisingly well.

Wrong

[pablomme]

From TFA:

If it managed to infect the Wine registry well enough that it's run automatically, I will have to go into the Wine registry to remove it manually. Or I could run a couple of simple commands:
sudo aptitude purge wine;
sudo aptitude install wine;

Wrong. Wine installs stuff in ~/.wine. The above commands don't touch user directories, so he would end up with a fresh system-wide wine installation but the same malware-ridden user config.

Re:not just marketshare

[lukas84]

You mean just like Internet Explorer has been doing since the End of 2006?

Re:Look to Apple users using VM

[EdIII]

You don't have to install a free AV if the machine reverts back to its initial state upon closing. I use several MS virtual machines and they are basically just tools. I choose not to commit any changes made during the session to disk.

If you take the extra step of operating the virtual machines on their own separate network space it makes it highly unlikely that a virus or malware program is going to be able to do much of anything before you destroy the virtual machine.

There is something to gain by doing this as well. None of the overhead, processing and bandwidth, are incurred when you don't have an AV installed.

Of course if you are saving changes in a virtual machine then you need to treat just like any other operating system and take the appropriate steps to secure it.

Anonymous Coward

Simple.

1. Use a real distribution and read fucking books
2. Only use ssh (It can do everything) and lock it down
3. iptables takes care of the rest
4. You don't need Wine (Who needs MS software anyway?)

This has been posted because the Washington Post declared that Linux is the safest way to go for online banking. Action - Reaction. The oldest trick in the books.
Unix IS proven technology. Microsoft is just soft.