Hi,
Fun article ... author tests various viruses with WINE.
http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss
Ciao, Marcus
Marcus Meissner wrote:
Hi,
Fun article ... author tests various viruses with WINE.
http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss
Ciao, Marcus
I actually have run across quite a few people who were quite worried about the ability of wine to run all of the viruses that windows does.
I took the time to explain to each person that many of the viruses that plague the windows users are simply because of the insecure OS and applications such as Outlook or Internet Explorer. If one managed to get a windows virus under wine - they would most likely have to do it manually, which is possible - but a lot easier to protect against. Just make sure you scan any file you download that you are unsure about. It won't hurt.
Many also seem to be worried that a virus under wine could do damage to their other partition with windows installed. I tell them that without an entry in Wine's configuration for that virtual drive - any pure windows application wouldn't even know that such a drive existed. On the other hand - if people start writing winelib viruses - we may have something to worry about.
Anyway - the only reason I'm bringing this up is because I think that making this knowledge about wine more publicly known would make quite a few possible wine users more comfortable. I'm not sure how that would be done - but I think it's a rather good idea that wouldn't hurt.
--Brad DeMorrow
On Thu, 27 Jan 2005 08:29:08 -0600, Brad DeMorrow wrote:
Many also seem to be worried that a virus under wine could do damage to their other partition with windows installed. I tell them that without an entry in Wine's configuration for that virtual drive - any pure windows application wouldn't even know that such a drive existed.
That's not quite right: some viruses just do a recursive search for all PE EXE/DLL files. They will find a real Windows drive eventually if it's mounted r/w, as drive z: makes the whole system available.
thanks -mike
On Thu, 27 Jan 2005, Mike Hearn wrote:
On Thu, 27 Jan 2005 08:29:08 -0600, Brad DeMorrow wrote:
Many also seem to be worried that a virus under wine could do damage to their other partition with windows installed. I tell them that without an entry in Wine's configuration for that virtual drive - any pure windows application wouldn't even know that such a drive existed.
That's not quite right: some viruses just do a recursive search for all PE EXE/DLL files. They will find a real Windows drive eventually if it's mounted r/w, as drive z: makes the whole system available.
Yes, but that's an important point. As you are not running as root, you may not have write access to the files in that Windows partition. And thus it would be safe.
Of course this depends on how your system is configured but I know this is how mine is configured and I don't think it is an unusual setup (but I don't have hard statistics to back it up so I may be wrong).
--- Francois Gouget fgouget@free.fr wrote:
On Thu, 27 Jan 2005, Mike Hearn wrote:
On Thu, 27 Jan 2005 08:29:08 -0600, Brad DeMorrow wrote:
Many also seem to be worried that a virus under wine could do damage to their other partition with windows installed. I tell them that without an entry in Wine's configuration for that virtual drive - any pure windows application wouldn't even know that such a drive existed.
That's not quite right: some viruses just do a recursive search for all PE EXE/DLL files. They will find a real Windows drive eventually if it's mounted r/w, as drive z: makes the whole system available.
Yes, but that's an important point. As you are not running as root, you may not have write access to the files in that Windows partition. And thus it would be safe.
Of course this depends on how your system is configured but I know this is how mine is configured and I don't think it is an unusual setup (but I don't have hard statistics to back it up so I may be wrong).
Here's something to add into the mix...
I'm not quite sure how other Linux distros work, but Sun's JDS mounts any Windows partitions under /windows/[drive letter]. IIRC, Wine makes drive Z the root. So, a virus theoretically could go through each drive, eventually hit Z drive, and then from there, get to the Windows partitions -- that is, if the partitions are Fat32, it can do damage.
Hiji
On Thu, 27 Jan 2005, Hiji wrote: [...]
Here's something to add into the mix...
I'm not quite sure how other Linux distros work, but Sun's JDS mounts any Windows partitions under /windows/[drive letter]. IIRC, Wine makes drive Z the root. So, a virus theoretically could go through each drive, eventually hit Z drive, and then from there, get to the Windows partitions -- that is, if the partitions are Fat32, it can do damage.
It seems you're just repeating what Mike Hearn said and ignoring what he and I said about non-root users not necessarily having write access to the Windows partition. It's a bit irritating because that last part is exactly what I was trying to point out. Apparently I failed :-(
Now you may have been confused by the fat32 thing. But under Linux if you mount a fat32 partition with all defaults then only root can write to it. If you want other users to have write access to it, then you have to use the appropriate mount options to set the umask, user and group just right.
Do man mount and look for uid, gid and umask in the 'Mount options for fat' section.
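To make the uid/gid/umask point concrete, here is an added example (written for this thread; it is not code from the Wine project or from any poster). It reads fstab-style lines for FAT filesystems and applies the vfat options from the 'Mount options for fat' section of man mount to say whether an account other than root could write to the partition. The function names are mine, the fstab lines are constructed samples (the /windows/C mount point mirrors the JDS layout mentioned earlier), and the defaults assume the partition was mounted by root at boot with a umask of 022; the user/users options are not modelled.

```shell
#!/bin/sh
# Added example for this thread (not code from the Wine project or from any
# poster). Reads fstab-style lines for FAT filesystems and says whether an
# account other than root could write to the partition, using the vfat
# options from the 'Mount options for fat' section of man mount:
#   uid=/gid=      owner and group of every file and directory
#   umask=         permission bits removed from everything
#   fmask=/dmask=  same, for files only / directories only (override umask)
#   ro             read-only mount
# Assumed defaults: the partition was mounted by root at boot with the usual
# umask of 022, so with no options everything is root-owned and 755, which
# is what makes a default mount root-only. The user/users options (which
# change whose uid and umask apply) are not modelled here.

# fat_write_verdict 'DEVICE MOUNTPOINT vfat OPTIONS 0 0'
# Prints "read-only", "root-only" or "writable (<who>)". Write access to a
# directory counts too, since that is enough to drop a new file into it.
fat_write_verdict() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    uid=0 gid=0 umask=022 fmask='' dmask='' ro=0   # assumed defaults, see above
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            ro)      ro=1 ;;
            uid=*)   uid=${o#uid=} ;;
            gid=*)   gid=${o#gid=} ;;
            umask=*) umask=${o#umask=} ;;
            fmask=*) fmask=${o#fmask=} ;;
            dmask=*) dmask=${o#dmask=} ;;
        esac
    done
    IFS=$old_ifs
    if [ "$ro" -eq 1 ]; then
        echo read-only
        return 0
    fi
    # FAT has no permissions of its own: everything starts as rwxrwxrwx and
    # the masks take bits away. Combine file and directory modes, since write
    # on either is enough to plant or alter something.
    fmode=$(( 0777 & ~0${fmask:-$umask} ))
    dmode=$(( 0777 & ~0${dmask:-$umask} ))
    bits=$(( fmode | dmode ))
    if [ $(( bits & 02 )) -ne 0 ]; then
        echo "writable (everyone)"
    elif [ "$gid" != 0 ] && [ $(( bits & 020 )) -ne 0 ]; then
        echo "writable (gid $gid)"
    elif [ "$uid" != 0 ] && [ $(( bits & 0200 )) -ne 0 ]; then
        echo "writable (uid $uid)"
    else
        echo root-only
    fi
}

# audit_fstab: reads fstab lines on stdin, reports every vfat/msdos entry.
audit_fstab() {
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
        case $fstype in
            vfat|msdos)
                mp=$(printf '%s\n' "$line" | awk '{ print $2 }')
                echo "$mp: $(fat_write_verdict "$line")" ;;
        esac
    done
}

# Constructed sample fstab (not taken from any real system).
SAMPLE_FSTAB='/dev/hda1 /windows/C vfat defaults 0 0
/dev/hda5 /windows/D vfat umask=000 0 0
/dev/hda6 /windows/E vfat uid=1000,gid=100,umask=022 0 0
/dev/hda7 /windows/F vfat ro,umask=000 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
# /windows/C: root-only
# /windows/D: writable (everyone)
# /windows/E: writable (uid 1000)
# /windows/F: read-only
```

Run it against a real /etc/fstab with `audit_fstab < /etc/fstab`. The directory mask is deliberately included in the verdict: umask=000,fmask=022 looks harmless for existing files but still lets anyone create new ones, which is the case that matters for something dropping an executable onto the partition.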
--- Francois Gouget fgouget@free.fr wrote:
On Thu, 27 Jan 2005, Hiji wrote: [...]
Here's something to add into the mix...
I'm not quite sure how other Linux distros work, but Sun's JDS mounts any Windows partitions under /windows/[drive letter]. IIRC, Wine makes drive Z the root. So, a virus theoretically could go through each drive, eventually hit Z drive, and then from there, get to the Windows partitions -- that is, if the partitions are Fat32, it can do damage.
It seems you're just repeating what Mike Hearn said and ignoring what he and I said about non-root users not necessarily having write access to the Windows partition. It's a bit irritating because that last part is exactly what I was trying to point out. Apparently I failed :-(
Now you may have been confused by the fat32 thing. But under Linux if you mount a fat32 partition with all defaults then only root can write to it. If you want other users to have write access to it, then you have to use the appropriate mount options to set the umask, user and group just right.
Do man mount and look for uid, gid and umask in the 'Mount options for fat' section.
No need to get irritated. I did read the posts, and was reconfirming the topic about Z drive. My apologies as I probably wasn't as clear as I should have been. So, let me elaborate.
Sun's JDS R2 (based on a hybrid of Suse 8.1/8.2 -- essentially Suse SLEC) is marketed and created for the basic end-user. Essentially, someone who doesn't know anything about Linux, but needs the basics of an office setting: word processing, email client, browser, etc.
That said, the JDS does a lot of stuff for you. By default, it automounts windows partitions so basically anyone can write to them (root or not). In this case, with this specific distro, a virus would have write access to that partition. I don't mount anything, the distro does...
Not only that, chances are that a general JDS user out there in the real world wouldn't know where to start to change permissions ... much less know what "man" is. ;)
Hope that helps! Hiji
On Thu, 2005-01-27 at 13:45 -0800, Hiji wrote:
That said, the JDS does a lot of stuff for you. By default, it automounts windows partitions so basically anyone can write to them (root or not). In this case, with this specific distro, a virus would have write access to that partition. I don't mount anything, the distro does...
Yeah, but there's no point in exaggerating this. Is it a technical possibility with some setups? Yes. Have I ever heard of it happening? No.
The biggest potential entry point for viruses in Wine is probably Internet Explorer. People who use that should know the risks involved, and it's massively unlikely anybody would use IE as their default browser on Linux.
While you can run a few other viruses if you explicitly try:
a) Why would you do that?
b) Very few viruses these days scan your entire hard disk looking for binaries to infect, in fact very few do polymorphic infection at all. That's very old fashioned. These days they just dump themselves in c:\windows\system and start blatting other machines with bad packets (or they go and say hi to their master)
My original email was to correct a slight factual inaccuracy in the text, not to get anybody worried. The chances of this actually being a problem are so close to zero that it's not worth thinking about.
thanks -mike
--- Mike Hearn mh@codeweavers.com wrote:
On Thu, 2005-01-27 at 13:45 -0800, Hiji wrote:
That said, the JDS does a lot of stuff for you. By default, it automounts windows partitions so basically anyone can write to them (root or not). In this case, with this specific distro, a virus would have write access to that partition. I don't mount anything, the distro does...
Yeah, but there's no point in exaggerating this. Is it a technical possibility with some setups? Yes. Have I ever heard of it happening? No.
No exaggeration intended here; I understood this thread was following hypothetical scenarios. My apologies. I was trying to raise awareness about a default entry point on a specific distro. I was in the mindset that it's better to share this information than not to share it at all.
Hiji
On Thu, Jan 27, 2005 at 07:36:54PM +0000, Mike Hearn wrote:
On Thu, 27 Jan 2005 08:29:08 -0600, Brad DeMorrow wrote:
Many also seem to be worried that a virus under wine could do damage to their other partition with windows installed. I tell them that without an entry in Wine's configuration for that virtual drive - any pure windows application wouldn't even know that such a drive existed.
That's not quite right: some viruses just do a recursive search for all PE EXE/DLL files. They will find a real Windows drive eventually if it's mounted r/w, as drive z: makes the whole system available.
However, the "Z:" drive in Wine is just a suggested feature; it's quite possible to run Wine without it. Something like Knoppix will automount all drives, but a sane, secure distribution generally requires manual intervention (as root) to even access non-Linux partitions.
On Fri, 28 Jan 2005 01:29, Brad DeMorrow wrote:
I took the time to explain to each person that many of the viruses that plague the windows users are simply because of the insecure OS and applications such as Outlook or Internet Explorer. If one managed to get a windows virus under wine - they would most likely have to do it manually, which is possible - but a lot easier to protect against. Just
If they're running Outlook Express under Wine as their email client it's just as easy to get a Windows virus or worm as it is under real Windows. Whether there are any permanent effects depends only on how the virus or worm hooks into the system and whether the user runs wineboot.
Even if they don't run Outlook Express, with Linux 2.6 there is a facility to have the kernel recognise foreign executable file formats and run them by means of another executable. If used to run Wine executables (and somebody on /. yesterday indicated they had done this), it makes Windows executables as easy to run as native Linux executables ("program.exe" works just as well as "wine program.exe" in such a case).
On 01/27/2005 03:03 PM, Troy Rollo wrote:
Even if they don't run Outlook Express, with Linux 2.6 there is a facility to have the kernel recognise foreign executable file formats and run them by means of another executable. If used to run Wine executables (and somebody on /. yesterday indicated they had done this), it makes Windows executables as easy to run as native Linux executables ("program.exe" works just as well as "wine program.exe" in such a case).
Yes, but then the kernel will only execute the file IF it has execute permissions - so when the worm drops BackOrifice.exe on your drive and tries to run it, it won't as it won't have had the +x bit set.
And a worm smart enough to realize it is running under Wine and able to make the syscall to set the +x bit probably will be smart enough to get a native executable for the infection.
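The two conditions Troy and David describe, an enabled binfmt_misc handler keyed on the "MZ" header and the execute bit on the file itself, can be checked together. This is an added example written for this thread, not code from the Wine project or from any poster. It assumes the entry layout the kernel exposes under /proc/sys/fs/binfmt_misc (first line "enabled" or "disabled", then "interpreter", "flags:", "offset" and "magic" lines); the function names are mine, the /usr/bin/wine path in the sample entry is constructed, and the "dropped" file is just an MZ header stub, not a program.

```shell
#!/bin/sh
# Added example for this thread (not code from the Wine project or from any
# poster). Checks the two conditions for a PE file running like a native
# binary: an enabled binfmt_misc handler whose magic matches the "MZ"
# header, and execute permission on the file, which execve() checks before
# any interpreter is consulted.
# Assumed entry layout, as in /proc/sys/fs/binfmt_misc/<name>:
#   enabled            (or "disabled")
#   interpreter /path
#   flags:
#   offset 0
#   magic 4d5a
# /usr/bin/wine below is a constructed sample path.

# pe_handler_enabled BINFMT_DIR
# Prints the interpreter of the first enabled entry whose magic is "MZ"
# (hex 4d5a); prints nothing when there is none. Always returns 0.
pe_handler_enabled() {
    for entry in "$1"/*; do
        [ -f "$entry" ] || continue
        case $(basename "$entry") in register|status) continue ;; esac
        [ "$(sed -n 1p "$entry")" = enabled ] || continue
        case $(sed -n 's/^magic //p' "$entry") in
            4[dD]5[aA]*) sed -n 's/^interpreter //p' "$entry"; return 0 ;;
        esac
    done
    return 0
}

# would_autorun FILE BINFMT_DIR
# Prints "yes (via <interpreter>)" or "no (<reason>)".
would_autorun() {
    file=$1 dir=$2
    handler=$(pe_handler_enabled "$dir")
    if [ -z "$handler" ]; then
        echo "no (no enabled MZ handler registered)"
    elif [ "$(dd if="$file" bs=2 count=1 2>/dev/null)" != MZ ]; then
        echo "no (file does not start with the MZ header)"
    elif [ ! -x "$file" ]; then
        echo "no (execute bit not set, so execve() refuses it)"
    else
        echo "yes (via $handler)"
    fi
}

# Constructed demonstration: a fake binfmt_misc directory and a dropped file
# whose content is only an "MZ" header stub. The temp dir is created under
# the working directory first so a noexec /tmp does not skew the -x check.
demo=$(mktemp -d "$PWD/binfmt_demo.XXXXXX" 2>/dev/null || mktemp -d)
mkdir "$demo/binfmt" "$demo/files"
printf 'enabled\ninterpreter /usr/bin/wine\nflags: \noffset 0\nmagic 4d5a\n' > "$demo/binfmt/wine"
printf 'MZ-constructed-stub\n' > "$demo/files/dropped.exe"
chmod 644 "$demo/files/dropped.exe"
would_autorun "$demo/files/dropped.exe" "$demo/binfmt"   # no (execute bit not set, so execve() refuses it)
chmod u+x "$demo/files/dropped.exe"
would_autorun "$demo/files/dropped.exe" "$demo/binfmt"   # yes (via /usr/bin/wine)
rm -rf "$demo"

# On a real system: would_autorun ./some.exe /proc/sys/fs/binfmt_misc
```

The order of the checks mirrors the kernel: without a registered and enabled handler the file is not executable at all, and even with one, execve() still applies the ordinary permission check on the file before handing it to the interpreter, which is the +x point above.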
David D. Hagood wrote:
On 01/27/2005 03:03 PM, Troy Rollo wrote:
Even if they don't run Outlook Express, with Linux 2.6 there is a facility to have the kernel recognise foreign executable file formats and run them by means of another executable. If used to run Wine executables (and somebody on /. yesterday indicated they had done this), it makes Windows executables as easy to run as native Linux executables ("program.exe" works just as well as "wine program.exe" in such a case).
Yes, but then the kernel will only execute the file IF it has execute permissions - so when the worm drops BackOrifice.exe on your drive and tries to run it, it won't as it won't have had the +x bit set.
And a worm smart enough to realize it is running under Wine and able to make the syscall to set the +x bit probably will be smart enough to get a native executable for the infection.
I see I've stirred up a lot of different opinions and interesting points regarding this particular topic :)
Anyway - I can see that a few of my statements weren't completely true. More of my intention was to make it a point that such information should probably be made more publicly known. I'm well aware that the status of wine is constantly changing - and that the more windows applications we are able to run - the more viruses we are also able to run, however, I have explained the current status of wine's potential risk of being infected by a virus to more than a few people - and it appears to be very important information (which it should be) to many businesses and the like.
I know there are a lot of things currently going on with wine, and such a task is not a top priority - especially for the developers, however, I'd be happy to work with someone to put together a summary of this information that could be put on the site - if it's at all feasible to do such a thing.
Thank you all who took the time to read my post and reply - I appreciate it.
--Brad DeMorrow