http://wearenixed.blogspot.com/2008/03/you-only-know-good-when-youve-seen-ba...
"I had set her up with a perfect Wine install. She had a bit of software that needed to run under wine and I had shown her how to install within that environment. Apparently, I wasn't specific enough. It never occurred to Paula that the .exe programs she had used on her XP machine were the vehicles for many of her present viruses. To her, it was perfectly fine to use those same .exe's...after all, she was in Linux, right?
I got there within the same hour and checked her machine. Yep...Windows viruses will reside and create the same havoc within a Wine environment. Now, I've seen it with my own eyes. This time I reinstalled for her and made sure I found all the infected .exe's on the Windows side and deleted them."
Quoting Dan Kegel dank@kegel.com:
> http://wearenixed.blogspot.com/2008/03/you-only-know-good-when-youve-seen-ba...
> "I had set her up with a perfect Wine install. She had a bit of software that needed to run under wine and I had shown her how to install within that environment. Apparently, I wasn't specific enough. It never occurred to Paula that the .exe programs she had used on her XP machine were the vehicles for many of her present viruses. To her, it was perfectly fine to use those same .exe's...after all, she was in Linux, right?
> I got there within the same hour and checked her machine. Yep...Windows viruses will reside and create the same havoc within a Wine environment. Now, I've seen it with my own eyes. This time I reinstalled for her and made sure I found all the infected .exe's on the Windows side and deleted them."
Windows viruses infecting Linux machines are a huge success for Wine.
Take that one Microsoft! Windows viruses run better on Linux than on Windows Vista!
On Thu, Mar 13, 2008 at 08:32:23AM -0700, Dan Kegel wrote:
> http://wearenixed.blogspot.com/2008/03/you-only-know-good-when-youve-seen-ba...
> "I had set her up with a perfect Wine install. She had a bit of software that needed to run under wine and I had shown her how to install within that environment. Apparently, I wasn't specific enough. It never occurred to Paula that the .exe programs she had used on her XP machine were the vehicles for many of her present viruses. To her, it was perfectly fine to use those same .exe's...after all, she was in Linux, right?
> I got there within the same hour and checked her machine. Yep...Windows viruses will reside and create the same havoc within a Wine environment. Now, I've seen it with my own eyes. This time I reinstalled for her and made sure I found all the infected .exe's on the Windows side and deleted them."
Fortunately you can run clamscan -r ~/.wine/ without much fear of rootkits hiding the virii.
Ciao, Marcus
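As an added example (not from this thread or from the Wine project), here is a small Python scanner that complements `clamscan -r ~/.wine/` and the "find all the infected .exe's" cleanup above: it walks a prefix and identifies PE images by their DOS `MZ` stub and `PE\0\0` signature rather than by file extension, since a dropped payload need not be called `.exe`, and prints a SHA-256 per image so the list can be handed to clamscan or a hash lookup. The `~/.wine` default and the constructed sample prefix are assumptions made for illustration.

```python
"""Find PE images under a Wine prefix by header, not by extension (added example)."""
import hashlib
import os
import struct
import tempfile
from typing import Dict, Iterator, Optional, Tuple

IMAGE_FILE_DLL = 0x2000  # Characteristics bit in IMAGE_FILE_HEADER


def pe_kind(path: str) -> Optional[str]:
    """Return "dll" or "exe" if the file carries a DOS 'MZ' stub whose e_lfanew
    points at a 'PE\\0\\0' signature, otherwise None. Nothing about the file
    name is trusted: a renamed sample still has a PE header."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(0x40)
            if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
                return None
            e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
            f.seek(e_lfanew)
            if f.read(4) != b"PE\0\0":
                return None
            file_header = f.read(20)  # IMAGE_FILE_HEADER
    except OSError:
        return None
    if len(file_header) < 20:
        return None
    characteristics = struct.unpack("<HHIIIHH", file_header)[6]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_prefix(prefix: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, kind, sha256) for every PE image below the prefix.
    Symlinks are skipped so a link out of the prefix cannot pull in the host."""
    for root, _dirs, files in os.walk(prefix):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            kind = pe_kind(path)
            if kind is not None:
                yield path, kind, sha256_of(path)


def make_pe_stub(is_dll: bool = False) -> bytes:
    """Constructed minimal PE header for testing; it is not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


def build_sample_prefix() -> Tuple[str, Dict[str, str]]:
    """Constructed stand-in for ~/.wine: a temp tree with a renamed EXE, a DLL
    with an odd extension and a text file called .exe. Returns the root and the
    {path: kind} mapping the scanner is expected to produce."""
    root = tempfile.mkdtemp(prefix="wineprefix-")
    drive_c = os.path.join(root, "drive_c")
    os.makedirs(os.path.join(drive_c, "Program Files"))
    expected: Dict[str, str] = {}
    path = os.path.join(drive_c, "setup.dat")  # EXE hiding behind a data extension
    with open(path, "wb") as f:
        f.write(make_pe_stub())
    expected[path] = "exe"
    path = os.path.join(drive_c, "Program Files", "helper.bin")
    with open(path, "wb") as f:
        f.write(make_pe_stub(is_dll=True))
    expected[path] = "dll"
    with open(os.path.join(drive_c, "notes.exe"), "wb") as f:
        f.write(b"just text with an .exe name\n")  # not a PE image
    return root, expected


if __name__ == "__main__":
    target = os.path.expanduser("~/.wine")  # assumed default prefix location
    for path, kind, digest in scan_prefix(target):
        print(f"{digest}  {kind:3}  {path}")
```

The header walk deliberately stops at the file header: that is enough to know the file is something Wine will execute, and the hash list is what you then feed to clamscan or compare against a known-sample list. Note that this only enumerates what is on disk; it says nothing about a sample that is already running.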
I remember my last attempt to run a virus under Wine caused a total loss of my .wine structure but didn't manage to cause any damage to my sandbox (including a juicy fake address list). I was really let down, as I expected carnage.
Just as a silly outside thought: would it be worth keeping track of some of the bigger Windows viruses so we can see how good Wine compatibility with all of the nitty-gritty bugs of Windows really is? Also this would allow us to identify dangerous areas in Wine where the ability to affect the Linux environment crosses over.
On Fri, Mar 14, 2008 at 3:27 AM, Marcus Meissner meissner@suse.de wrote:
> On Thu, Mar 13, 2008 at 08:32:23AM -0700, Dan Kegel wrote:
> > http://wearenixed.blogspot.com/2008/03/you-only-know-good-when-youve-seen-ba...
> > "I had set her up with a perfect Wine install. She had a bit of software that needed to run under wine and I had shown her how to install within that environment. Apparently, I wasn't specific enough. It never occurred to Paula that the .exe programs she had used on her XP machine were the vehicles for many of her present viruses. To her, it was perfectly fine to use those same .exe's...after all, she was in Linux, right?
> > I got there within the same hour and checked her machine. Yep...Windows viruses will reside and create the same havoc within a Wine environment. Now, I've seen it with my own eyes. This time I reinstalled for her and made sure I found all the infected .exe's on the Windows side and deleted them."
> Fortunately you can run clamscan -r ~/.wine/ without much fear of rootkits hiding the virii.
> Ciao, Marcus

On 3/13/08, Edward Savage epssyis@gmail.com wrote:
> Just as a silly outside thought: would it be worth keeping track of some of the bigger Windows viruses so we can see how good Wine compatibility with all of the nitty-gritty bugs of Windows really is? Also this would allow us to identify dangerous areas in Wine where the ability to affect the Linux environment crosses over.
Yes, it would be good to keep an eye on that.
Ideally we'd have an automated script to set up a petri dish, try out a bunch of known infectious agents, and see which one of them reproduce.
I haven't done anything like that myself, but I imagine a good place to start might be to script an instance of mozilla or ies4linux visiting the top sites listed at http://www.stopbadware.org/home/topsites and see if they're able to modify the system at all. - Dan
This sounds like something I'd be able to do, though I'm not sure of the best way to sandbox Wine away from the system. What is the best way to go about this: would simply creating a new user be enough to protect a system, or does a VM have to be used?
I have a bit of free time tomorrow so I'll make a start and see where I get.
On Fri, Mar 14, 2008 at 6:11 AM, Dan Kegel dank@kegel.com wrote:
> On 3/13/08, Edward Savage epssyis@gmail.com wrote:
> > Just as a silly outside thought: would it be worth keeping track of some of the bigger Windows viruses so we can see how good Wine compatibility with all of the nitty-gritty bugs of Windows really is? Also this would allow us to identify dangerous areas in Wine where the ability to affect the Linux environment crosses over.
> Yes, it would be good to keep an eye on that.
> Ideally we'd have an automated script to set up a petri dish, try out a bunch of known infectious agents, and see which one of them reproduce.
> I haven't done anything like that myself, but I imagine a good place to start might be to script an instance of mozilla or ies4linux visiting the top sites listed at http://www.stopbadware.org/home/topsites and see if they're able to modify the system at all.
> - Dan

On 3/13/08, Edward Savage epssyis@gmail.com wrote:
> This sounds like something I'd be able to do, though I'm not sure of the best way to sandbox Wine away from the system. What is the best way to go about this: would simply creating a new user be enough to protect a system, or does a VM have to be used?
I would totally do it in a virtual machine.
On Thursday March 13 2008 19:31:49 Edward Savage wrote:
> This sounds like something I'd be able to do, though I'm not sure of the best way to sandbox Wine away from the system. What is the best way to go about this: would simply creating a new user be enough to protect a system, or does a VM have to be used?
A separate user is enough if you don't have world-writable files in your system. And of course the user for such a purpose shouldn't be in group(s) that have write access to your personal or system files. If you are unsure, use VirtualBox ( http://virtualbox.org/ ) - it's free and open-source, or VMWare ( http://vmware.com/ ) - it's not free. On Debian (and probably Ubuntu) you can install VirtualBox by running "sudo apt-get install virtualbox". I do not recommend using QEmu because it's less user-friendly than VirtualBox (BTW, VirtualBox is based on QEmu).
On 3/13/08, L. Rahyen research@science.su wrote:
> A separate user is enough if you don't have world-writable files in your system.
No, because the malware could root your Linux system using a local priv escalation exploit. You really want a totally isolated sandbox. - Dan
On 13/03/2008, Dan Kegel dank@kegel.com wrote:
> On 3/13/08, L. Rahyen research@science.su wrote:
> > A separate user is enough if you don't have world-writable files in your system.
> No, because the malware could root your Linux system using a local priv escalation exploit. You really want a totally isolated sandbox.
Do you know what the status of the ClamAv support is for malware detection through the Windows API?
Also, should this really map the Windows API to use Linux API for malware detection (http://lwn.net/Articles/260918/), or the Mac API, or other OS APIs if available? If none is provided, the Windows calls could use ClamAv as a fallback if available.
Also, should an effort be made to get Windows AV products working on Wine? This has the problem that they would likely require Windows kernel APIs that Wine isn't providing. It would also require testing.
In addition to AV support, should Wine use the Windows API to use a firewall if one is available on the OS that Wine is running?
- Reece
On Fri, Mar 14, 2008 at 05:19:39PM +0000, Reece Dunn wrote:
> On 13/03/2008, Dan Kegel dank@kegel.com wrote:
> > On 3/13/08, L. Rahyen research@science.su wrote:
> > > A separate user is enough if you don't have world-writable files in your system.
> > No, because the malware could root your Linux system using a local priv escalation exploit. You really want a totally isolated sandbox.
> Do you know what the status of the ClamAv support is for malware detection through the Windows API?
> Also, should this really map the Windows API to use Linux API for malware detection (http://lwn.net/Articles/260918/), or the Mac API, or other OS APIs if available? If none is provided, the Windows calls could use ClamAv as a fallback if available.
> Also, should an effort be made to get Windows AV products working on Wine? This has the problem that they would likely require Windows kernel APIs that Wine isn't providing. It would also require testing.
> In addition to AV support, should Wine use the Windows API to use a firewall if one is available on the OS that Wine is running?
The Windows firewalls usually plug in at kernel level.
One of our 2006 Summer of Code students wrote an on-access scanner for Wine, but it was never integrated.
http://www.christoph-probst.com/soc2006/wine/
Ciao, Marcus
On Thu, Mar 13, 2008 at 12:49 PM, L. Rahyen research@science.su wrote:
> A separate user is enough if you don't have world-writable files in your system. And of course the user for such a purpose shouldn't be in group(s) that have write access to your personal or system files. If you are unsure, use VirtualBox ( http://virtualbox.org/ ) - it's free and open-source, or VMWare ( http://vmware.com/ ) - it's not free. On Debian (and probably Ubuntu) you can install VirtualBox by running "sudo apt-get install virtualbox". I do not recommend using QEmu because it's less user-friendly than VirtualBox (BTW, VirtualBox is based on QEmu).
VMWare workstation is not free, but you can get both VMWare server and VMWare player at no charge. It's available from the Canonical repositories as well: http://archive.canonical.com/ubuntu/pool/partner/v/vmware-server/
I've made a good start on a script that grabs a list of viruses from around the internet and attempts to run each one, then reports changes in Wine and resets the Wine structure. I'll be testing with the above two file-change tools to see which one works best (I was just using a small one from freshmeat), though I'm interested as to what else I should be looking for in results. At the moment I'm just reporting crash details and file changes, then using human inspection to see how well it did.
I just thought it might be a good idea to build a mailing list that goes to the local (VM) system, then check if the local system's mail was spammed and report that. Looking for more suggestions like this.
Also I'm using qemu running Debian at the moment. Of course the script won't care which VM you use. For those thinking that qemu is painful to use, install qemulator and the kqemu kernel package and you're set. Though I'm not really sure this is the sort of thing we want new users to be attempting, so ease of use of the VM shouldn't be important.
For those interested, I've tested the top five viruses listed on Symantec and none of them have caused any serious issues; all malware I've tried has failed completely due to the lack of IE. I'll be setting up two build environments in the script, one with IE and one with native Wine claiming IE (or not, depending on responses).
Finally, where would be the right place to report the results? Appdb seems like a strange place to be putting results of this nature. :P
Edward
On Fri, Mar 14, 2008 at 6:58 AM, Lei Zhang thestig@google.com wrote:
> On Thu, Mar 13, 2008 at 12:49 PM, L. Rahyen research@science.su wrote:
> > A separate user is enough if you don't have world-writable files in your system. And of course the user for such a purpose shouldn't be in group(s) that have write access to your personal or system files. If you are unsure, use VirtualBox ( http://virtualbox.org/ ) - it's free and open-source, or VMWare ( http://vmware.com/ ) - it's not free. On Debian (and probably Ubuntu) you can install VirtualBox by running "sudo apt-get install virtualbox". I do not recommend using QEmu because it's less user-friendly than VirtualBox (BTW, VirtualBox is based on QEmu).
> VMWare workstation is not free, but you can get both VMWare server and VMWare player at no charge. It's available from the Canonical repositories as well: http://archive.canonical.com/ubuntu/pool/partner/v/vmware-server/
"Edward Savage" epssyis@gmail.com wrote:
> Finally, where would be the right place to report the results? Appdb seems like a strange place to be putting results of this nature. :P
Since Windows viruses use Win32 APIs, it's not surprising that they work under Wine. What you are doing doesn't have, IMO, any practical use, except probably hurting Wine by creating an image of Wine as a platform for Windows viruses under Linux (which is not true).
The assumption is that since Win32 viruses are so Windows-specific and require so many small Windows bugs and tweaks to run, they are a good test bed to see how good Windows compatibility really is. In general they are also rather badly written, so finding Linux-Wine compatibility issues should also be possible; we know they run under Windows, so if they don't under Wine then that is an issue that should be looked at and that could also fix other legit applications.
Besides, I hardly think that is part of an image that doesn't already exist or is even bad for the project. When I've seen Wine in the media (a good number of times now) the comment has been, paraphrased, 'so good that it can even run some Windows viruses'.
I would suggest that the real media damage would come from any virus running that we don't know about that then rootkits or wipes some poor newbie's system. I can see the Slashdot headline now: "Users under threat from unknown virus risks when using Wine".
I'm happy to just do this as a pet project and maybe report findings for WWN or similar, but in general I think it'd be something worth at least keeping track of officially.
On Fri, Mar 14, 2008 at 7:40 PM, Dmitry Timoshkov dmitry@codeweavers.com wrote:
> "Edward Savage" epssyis@gmail.com wrote:
> > Finally, where would be the right place to report the results? Appdb seems like a strange place to be putting results of this nature. :P
> Since Windows viruses use Win32 APIs, it's not surprising that they work under Wine. What you are doing doesn't have, IMO, any practical use, except probably hurting Wine by creating an image of Wine as a platform for Windows viruses under Linux (which is not true).
> -- Dmitry.
"Edward Savage" epssyis@gmail.com wrote:
> The assumption is that since Win32 viruses are so Windows-specific and require so many small Windows bugs and tweaks to run, they are a good test bed to see how good Windows compatibility really is. In general they are also rather badly written, so finding Linux-Wine compatibility issues should also be possible; we know they run under Windows, so if they don't under Wine then that is an issue that should be looked at and that could also fix other legit applications.
If you have plenty of free time in your hands it would be much better spent with testing real applications, or rather triaging bugs in Wine bugzilla.
> Besides, I hardly think that is part of an image that doesn't already exist or is even bad for the project. When I've seen Wine in the media (a good number of times now) the comment has been, paraphrased, 'so good that it can even run some Windows viruses'.
> I would suggest that the real media damage would come from any virus running that we don't know about that then rootkits or wipes some poor newbie's system. I can see the Slashdot headline now: "Users under threat from unknown virus risks when using Wine".
> I'm happy to just do this as a pet project and maybe report findings for WWN or similar, but in general I think it'd be something worth at least keeping track of officially.
That's exactly what hurts Wine: a misguided report of a clueless user, and WWN is not the place for it either.
Thanks.
Dan Kegel wrote:
> On 3/13/08, Edward Savage epssyis@gmail.com wrote:
> > Just as a silly outside thought: would it be worth keeping track of some of the bigger Windows viruses so we can see how good Wine compatibility with all of the nitty-gritty bugs of Windows really is? Also this would allow us to identify dangerous areas in Wine where the ability to affect the Linux environment crosses over.
> Yes, it would be good to keep an eye on that.
> Ideally we'd have an automated script to set up a petri dish, try out a bunch of known infectious agents, and see which one of them reproduce.
> I haven't done anything like that myself, but I imagine a good place to start might be to script an instance of mozilla or ies4linux visiting the top sites listed at http://www.stopbadware.org/home/topsites and see if they're able to modify the system at all.
> - Dan
I like that idea. Are there any Linux tools to watch files for changes? Or maybe have Linux watch the Wine processes for their file-changing activities.
I've used tripwire for a long time.
fschange looks promising, builds upon inotify, but I've never used it yet:
http://stefan.buettcher.org/cs/fschange/index.html
Cheers Vit
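As an added example (not from this thread, nor from Edward's script or the Wine project), here is the "petri dish" harness in Python that Dan sketched and Edward described: take a tripwire-style hash baseline of a prefix, run one sample under a timeout with WINEPREFIX pointing at it, diff the tree afterwards, and restore the prefix from a pristine copy before the next sample. Per Dan's point about local privilege escalation, the machine running this against real samples should itself be a throwaway VM; the harness only produces the change report. The prefix layout and the stand-in "sample" (a Python one-liner that drops a file and appends to win.ini, used so the example runs offline) are constructed for illustration.

```python
"""Run a sample against a Wine prefix and report what changed (added example)."""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TreeDiff:
    added: List[str] = field(default_factory=list)
    modified: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.added or self.modified or self.deleted)


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separated) to its
    SHA-256. Symlinks are recorded by target rather than followed, so a sample
    that repoints a link outside the prefix shows up as a modification."""
    snap: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                snap[rel] = "link:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            snap[rel] = h.hexdigest()
    return snap


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> TreeDiff:
    d = TreeDiff()
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            d.added.append(rel)
        elif rel not in after:
            d.deleted.append(rel)
        elif before[rel] != after[rel]:
            d.modified.append(rel)
    return d


def run_sample(prefix: str, argv: List[str], timeout: float = 60.0) -> dict:
    """Snapshot the prefix, run argv (for a real run: ["wine", "sample.exe"])
    with WINEPREFIX pointing at it, snapshot again and return the change report.
    A sample that never exits is killed at the timeout and flagged as such."""
    env = dict(os.environ)
    env["WINEPREFIX"] = prefix
    before = snapshot(prefix)
    timed_out, returncode = False, None
    try:
        proc = subprocess.run(argv, env=env, timeout=timeout, capture_output=True)
        returncode = proc.returncode
    except subprocess.TimeoutExpired:
        timed_out = True
    after = snapshot(prefix)
    return {"returncode": returncode, "timed_out": timed_out,
            "diff": diff_snapshots(before, after)}


def reset_prefix(prefix: str, pristine: str) -> None:
    """Throw the prefix away and restore it from a pristine copy between samples."""
    shutil.rmtree(prefix, ignore_errors=True)
    shutil.copytree(pristine, prefix, symlinks=True)


def demo_with_constructed_sample():
    """Constructed stand-in for a malware run: a Python one-liner that drops a
    file and appends to win.ini inside the prefix, instead of wine on a sample."""
    base = tempfile.mkdtemp(prefix="petri-")
    pristine, prefix = os.path.join(base, "pristine"), os.path.join(base, "prefix")
    os.makedirs(os.path.join(pristine, "drive_c", "windows"))
    with open(os.path.join(pristine, "drive_c", "windows", "win.ini"), "w") as f:
        f.write("[fonts]\n")
    with open(os.path.join(pristine, "drive_c", "readme.txt"), "w") as f:
        f.write("untouched\n")
    reset_prefix(prefix, pristine)
    sample = ("import os; p = os.environ['WINEPREFIX']; "
              "open(os.path.join(p, 'drive_c', 'dropped.bin'), 'wb').write(b'MZ'); "
              "open(os.path.join(p, 'drive_c', 'windows', 'win.ini'), 'a').write('run=x\\n')")
    result = run_sample(prefix, [sys.executable, "-c", sample], timeout=30)
    reset_prefix(prefix, pristine)
    restored_clean = diff_snapshots(snapshot(pristine), snapshot(prefix)).is_clean()
    return result, restored_clean


if __name__ == "__main__":
    report, clean = demo_with_constructed_sample()
    print("added:", report["diff"].added, "modified:", report["diff"].modified,
          "deleted:", report["diff"].deleted, "restored clean:", clean)
```

A baseline diff like this is the same idea as tripwire applied to one directory: it catches dropped files, patched binaries and edited registry or .ini files after the fact, but not a sample that only writes outside the prefix or only talks to the network, which is why the thread's advice to run the whole thing inside a disposable VM still stands.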