WINE: A New Place for KLEZ to Play?
An anonymous submitter sends in this cautionary tale about Wine being maybe a little too good at emulating Windows. Update: 10/23 21:05 GMT by M : Better links: mirror 1, mirror 2.
Re:First Post Or ist it ? (Score:1, Informative)
you'll easily find that the plural of virus is viruses...
Re:Uhhhh.... (Score:3, Informative)
JoeLinux
i would think (Score:3, Informative)
Slashdot crashed my machines (Score:5, Informative)
I now have two dead machines because they linked us anyways.
-James Blackwell
A similar writeup about Klez and WINE (Score:5, Informative)
Re:Wine is not an emulator ... (Score:5, Informative)
It's not all that surprising that a virus would run without problems. Many of them do exploit actual bugs in the Windows code, but most of them just make regular old crappy Win32 API calls.
just goes to show.... (Score:3, Informative)
chris
Re:Wine and / mounted as Z: ? (Score:3, Informative)
CodeWeavers Wine and WineHQ CVS set up their initial configuration differently, I think. You can alter which drives are mapped to what easily enough in the config file, or using the configuration GUI.
Re:Slashdot crashed my machines (Score:2, Informative)
Search for "articles.linuxguru.net" on google, then have it show its cached version.
Now, there may not be legal grounds, but uh, come on guys.
WINE is not an emulator (Score:1, Informative)
Whoa there cowboy! Wine is not an emulator (hence the name.) This is from their FAQ:
Is Wine an emulator?
Unfortunately, no. Wine provides low-level binary compatibility, but currently only for OSes running on Intel-compatible chips.
Re:i would think (Score:2, Informative)
I use a Linux box at work and at home, and my laptop runs OS X, so I'm not saying this as a slight against the Unix variants out there.
Trust me, I would be much more upset at losing all my digital photographs or code or whatever. Losing the OS isn't really any more or less inconvenient than losing all my data. But losing all my data permanently would really be awful.
Now, I back up most everything periodically, so I figure I'm better off than, let's say, my mom, who rarely backs up anything. Or my sisters, who used to back up to floppy until I explained to them how silly that was.
Not having root just prevents certain "shady" things from happening, but in the end, you can do everything as your normal user. I can start up daemons via my normal startup scripts (some of which get called when X comes up, for example), modify binaries that are owned by my user (many applications these days under Linux and OS X), and open network connections for DDOS attacks. The only nice thing is that I think I'm unable to do things like SYN floods (I think... there are definitely limits on RAW sockets, I believe) and certain nastier attacks without root access or the proper access set up.
Sujal
article text (Score:4, Informative)
Recently a friend of mine, proficient in Linux, and not what you would call a 'newbie' to computing, received an email from a customer. The email was vague and included an attachment. In KMail, he decided to view the attachment, thinking it was simply an image. He clicks it, nothing happens, no viewer, no error, nothing but a few seconds of milling around, and then more nothing. Then, the wine notification pops up. By this time he had realized the file was a Windows executable, and that he'd just executed it with wine because of the MIME typing capabilities of KDE, and WINE's integration with the desktop.
If he were running Windows, I would've slapped him upside the head; everyone with any sense at all would've expected an odd email with an attachment to be a ready and willing virus or worm. Of course, this was no different: this attachment contained the worm known as WORM_KLEZ.H. However, because of the sense of security from worms of this nature bestowed on Linux users, by the same type of ignorance in assumption that spreads them amongst Windows users, he never expected the attachment to be a virus or worm that would infect and operate as it normally does. Unfortunately, this is exactly what happened... click, boom, Klez goes nuts, etc., etc., etc.
The virus itself is simply a worm; it's what you'd call a 'dumb virus', in the sense that it isn't extremely complex, doesn't change itself around much, and basically works as fast as it can before it is easily obliterated by common virus scanning software. The basic idea is that it infects you, spreads itself by emailing from your computer to as many contacts as possible, then does its damage. If you want more detailed information, Trend Micro has plentiful information about Klez and other viruses and worms available on http://www.antivirus.com/.
Now, you may be wondering how it infected and actually 'worked', I know I certainly was. In this particular case, our cool customer known from here on out as 'John' for 'John Doe', had wine installed, and you see, the default configuration for most wine installs, shares your root linux directory as a drive visible to the applications running inside of it. If you know anything about the Klez worm, you'll remember that not only does it search for address books, etc, it will search for many other common file formats on the entire system, searching for email addresses, dropping PE_ELKERN.D, and various other silly virus/worm/intrusive type things.
So far we have the first two parts of the Klez's basic operation, infection, and email address reaping. What is next? Let's say it together kids "PROP A GA TION" yay!!! Now, this is probably one of the most important parts of a worm's life cycle. If it doesn't propagate, it isn't really a worm or a virus. It's just a pointless, irritating program.
Propagation in wine: this was the part in this particular case that I found so amusing. The computer was running a secure MTA (Mail Transport Agent) and the fake Windows registry for WINE was configured to use the localhost as the SMTP server for internet applications. Otherwise, the Klez would not have known how to send itself. It is possible that the Klez worm defaults to 'localhost' for the SMTP server if it cannot find one in the registry; this I don't know and it doesn't seem to be covered in Trend Micro's technical description. Anyway, because of the MTA being localhost, the worm was able to queue all of its outgoing email quite quickly. I actually had the opportunity to remotely shell in as root and view `ps aux` output, showing the various smtpd instances sending this email, while I tried to help John find the spooled emails and remove them.
Now, a few things must be noted about this particular situation. KLEZ is not a high risk worm, so by no means was this a massive problem for this person. Also, the infection did not include files that were not Windows executables, so the native filesystem was left unharmed. The spooled emails were taken care of and the effects overall were minimal, if not simply classified as an 'annoyance.'
The reason this is such an important subject to cover, isn't this instance of infection, but, the possible vulnerability that using WINE in such an insecure (and default) way can provide. For example, a knowledgeable virus programmer could use this situation to make multi-platform viruses, that could detect files by their 'magic file type' similar to the way the tool 'file' does, and infect them through wine. I understand, that this is highly unlikely to occur any time soon, but, I think you can probably imagine many other ways that this opens doors for virus problems to the relatively virus-clean environment of Linux.
The main points I'd like to make are: WINE is obviously mature enough to handle the more advanced code that a virus usually contains. Even if only KLEZ for now, others will in the future, be compatible. The other is: I am willing to bet that 90% of you WINE users out there, can view drive Z, or something similar and get your root file system tree, and something like drive Y provides your home directory READ-WRITE. Please, don't do this, unless it is absolutely necessary, minimize the interaction between your WINE environment, and the real linux environment, specify a directory for wine shared files and keep them separate from your linux home files, etc. This will help to minimize the post-infection damage a virus can accomplish.
Finally, the most important 'bug' most distributions have, is allowing a Windows executable to be run with wine without an obvious chance for interception, by default. Sure, it comes up with a window, telling you that wine is running, and allowing you to disable the notice, however, it does NOT warn you about the application being executed in such a way that you could stop it before it was started. Even Java does this with code that is signed for permissions; it still asks you if you are sure you want to give it permissions.
As it goes, I was unable to easily obtain any previously written information on securing WINE properly, and I am no security expert. Some basic tips would include: configure the program, read all of the options, don't let it set itself up completely for you. If anyone has any tips they would like to share, please do.
Re:Slashdot crashed my machines (Score:5, Informative)
Anyway, why not do what a few other sites do... in Apache just reject anything with a referer from the slashdot.org domain. Redirect it to something like a tripod page that says "your link has been rejected - linked from slashdot" or something.
or heck, just drop the request. Make them mirror it.
Re:i would think (Score:3, Informative)
So create a user named "wine" with no write access to anything you care about. Su to it and run Wine. Problem solved.
Re:It's not a Wine problem... (Score:3, Informative)
Boon for antivirus industry? (Score:4, Informative)
Now, Linux users will catch and spread a long list of old Windows favorites, making the demand for commercial antivirus software go up again. This John Doe caught Klez, a rather nondescript worm. Imagine Anna Kournikova in the inboxes of most Linux geeks.
Better see about Norton Command Line Scanner or perhaps...
rpm -e wine-*
Re:i would think (Score:3, Informative)
If you run everything as root, your system will probably be as vulnerable as any Windows system. Not running as root does of course not prevent all attacks, but it does prevent the most nasty ones. A worm with root permissions can do nasty things to your kernel, filesystem, libraries, and standard executables. If such things happen, a reinstall will be your only way back to a normal situation. If OTOH the worm only has access to a single unprivileged user, the system integrity is unaffected. In this case root can log in and watch what is going on, and there is no way the worm could hide anything. You will be able to compare the user's files against the last backup, you will be able to see exactly what files the user has created on the system, you can watch his network access. And cleaning up is easy: just kill all the user's processes, delete all his files from
And now that you actually have a fine multiuser system, why not use this fact? If I want to run something I just downloaded from the net, I usually run it under a dummy user ID. And whenever I run Wine, it is done under a dummy user ID. And you can prevent the user from doing certain things on the network, it is just a matter of a few iptables rules. On my system even if I ran Klez under Wine, iptables would deny it access to SMTP.
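Several posts in this thread point the same way: run Wine under a throwaway account (the "wine" user above), keep drive letters off the real root filesystem (the "drive Z" warning in the article), and let iptables deny that account SMTP. The following shell example is added here and is not from the thread, from Slashdot, or from the Wine project; it assumes a Linux host with the iptables owner match, a Wine prefix that maps drive letters through `dosdevices/` symlinks, and the account name `wine`, and it prints the privileged commands for review instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread or the Wine project): confine Wine to a
# throwaway account and keep a worm from reaching the local MTA.
# Assumptions: Linux with iptables' owner match, a Wine prefix that maps drive
# letters through dosdevices/ symlinks, and the account name "wine".

# Print (do not run) the commands that create the sandbox account. The account
# gets its own home, so no drive letter ends up pointing at your real files.
wine_sandbox_user() {
    u="$1"
    echo "useradd --create-home --shell /bin/sh $u"
    echo "chmod 700 /home/$u"
}

# Print the iptables rules that stop the sandbox account from sending mail.
# Klez took the SMTP host from the fake registry; with these rules even a
# correct "localhost" entry fails to connect, and the attempt is logged.
wine_sandbox_rules() {
    u="$1"
    echo "iptables -A OUTPUT -m owner --uid-owner $u -p tcp --dport 25 -j REJECT"
    echo "iptables -A OUTPUT -m owner --uid-owner $u -p tcp --dport 587 -j REJECT"
    echo "iptables -A OUTPUT -m owner --uid-owner $u -j LOG --log-prefix \"wine-out: \""
}

# Audit a Wine prefix: print every drive letter whose symlink resolves to the
# real root filesystem (the "drive Z" case). Returns 0 if any was found.
wine_root_drives() {
    prefix="$1"
    found=1
    for link in "$prefix"/dosdevices/*:; do
        [ -L "$link" ] || continue
        target=$(readlink -f "$link") || continue
        if [ "$target" = "/" ]; then
            echo "$(basename "$link") -> /"
            found=0
        fi
    done
    return $found
}

# Usage: wine_root_drives "$HOME/.wine" && echo "root filesystem is exposed"
#        wine_sandbox_user wine; wine_sandbox_rules wine   # review, then pipe to sh
```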
but (Score:2, Informative)
Re:I'll say this only once... (Score:2, Informative)
Re:I'll say this only once... (Score:4, Informative)
No it isn't. While a reasonably intelligent person with some experience with windows should easily be able to keep his windows box free of viruses, most users are not.
If you've ever been administering windows boxes for others, NAV corporate edition, or some other corporate antivirus software is really a life-saver.
There are no more viruses on Windows than there are on Linux. What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook.
Last time I checked, there were about 3 viruses for Linux. I have heard some stories about new ones, so now there might be 10-15. The number of viruses on Windows increases by over 50 per month. As for the frequencies of those viruses: I've yet to actually discover a virus for Linux (other than reading about it). On the other hand, with my Windows box, I actually have to be careful.
What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook. Run Outlook under wine, and you will get the same worms. It's not a fault of the OS, be it Linux+Wine or Windows, but a problem of the Outlook application.
Or Outlook Express, which is distributed as a part of the Windows OS. There are also problems with permissions (most Linux distributions have somewhat sane permissions; most Windows installations have not (because after installing it, they are anything but sane)).
And while there are few reasons to run anything as root under linux (except for the occasional sudo), the only practical way to use Windows is to be logged in with administrator rights (e.g. autocad requires this).
On the other hand, it is true that Linux is susceptible to viruses just like Windows. The main thing going against that now is lack of popularity, and an educated user-base. But there are also lots of good technical reasons why it would be harder on Linux. And the lack of Outlook, default shares, IIS, and over-user-friendliness certainly also help :-)
Re:Not a WINE-specific problem (Score:2, Informative)
Sorry if I'm wrong... (Score:2, Informative)
Of course it could still mess up some of your Windows-/Wine-related stuff. But I don't see how it could obtain addresses to spread itself to, unless of course you have Windows Address Book, Outlook, or something installed with Wine.
Re:Uhhhh.... (Score:5, Informative)
One mitigating factor: CodeWeavers do build in a protection against executable attachments in their winex product.