Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Wine Software

WINE: A New Place for KLEZ to Play? 318

An anonymous submitter sends in this cautionary tale about Wine being maybe a little too good at emulating Windows. Update: 10/23 21:05 GMT by M : Better links: mirror 1, mirror 2.
This discussion has been archived. No new comments can be posted.

WINE: A New Place for KLEZ to Play?

Comments Filter:
  • Uhhhh.... (Score:5, Insightful)

    by JoeLinux ( 20366 ) <joelinux@ g m a i l . c om> on Wednesday October 23, 2002 @03:28PM (#4516163)
    Nice thing about WINE is: it can be shut OFF, then there is no environment to flourish in. ("/usr/local? Hell, I'm trying to find C:\windows\system")

    JoeLinux
    • Re:Uhhhh.... (Score:4, Insightful)

      by Shoten ( 260439 ) on Wednesday October 23, 2002 @03:33PM (#4516228)
      Yeah, until you decide to turn it back on again, right? Windows machines have an "off" switch too...whether it's a matter of unloading from memory or powering down, it's no different.
      • Re:Uhhhh.... (Score:3, Informative)

        by JoeLinux ( 20366 )
        McAfee has a windows virus checker that works in linux. Genius idea. So you can run linux, protect Mickeysoft asshats from stupid virii, and even run their programs...and shut it off and scan for viruii when needed.

        JoeLinux
        • VET also has one as well - their distribution CD that gets mailed out quarterly is a bootable linux cd with a linux version of their scanner on it. Pretty good if your system's hosed.
      • Re:Uhhhh.... (Score:5, Insightful)

        by NumberSyx ( 130129 ) on Wednesday October 23, 2002 @04:03PM (#4516557) Journal

        Yeah, until you decide to turn it back on again, right? Windows machines have an "off" switch too...whether it's a matter of unloading from memory or powering down, it's no different.

        You might want to rethink that statment. If you turn the power off on a Windows machine (or a Linux box for that matter), you have a paper weight until you turn it back on. On the other hand, I can completely uninstall Wine from my Linux box and still have a fully functional computer. There is a difference.

      • but (Score:2, Informative)

        by Anonymous Coward
        wine doesnt start the routine windows boot files, win.ini etc... so once offed the virus wont return unless the user starts it again.
    • Re:Uhhhh.... (Score:5, Informative)

      by Nailer ( 69468 ) on Wednesday October 23, 2002 @06:00PM (#4517639)
      Yes, but if your day requires you to run Outlook 2000 throughout your day, then its not practical to shut Wine off (the Ximian Connector still doesn't do everything Outlook does with regards to Exchange).

      One mitigating factor: codeweavers do built in a protection against executable attachments in their winex product.

      • Run Office setup fro myour menu (thats ~/cxoffice/bin/officesetup)
      • Click configuration
      • Hit the advanced button
      • Notice the Outlook security tab, which is turned on by default. "prevent MS Outlook fro mrunning files with these extensions: vbs;wsf;vbe;wsh;hta;bat;pif;exe;scr;lnk"
      • Wait for StarOffice to get anough market share to have its own real viruses.


  • Figures (Score:4, Funny)

    by marduk00 ( 543281 ) on Wednesday October 23, 2002 @03:28PM (#4516164) Journal
    Only the things you don't use or want work well with Wine.
  • Haha, WINE must be very scary for bill if it even runs the virii that prosper on his software....
  • Alright (Score:5, Funny)

    by EggplantMan ( 549708 ) on Wednesday October 23, 2002 @03:29PM (#4516167) Homepage
    I know alot of software developers are anal retentive perfectionists, but this is going a little too far. What's next? EULA emulation?
    • Software developers that are anal-rententive perfectionists start spasming after a few seconds of dealing with the atrocious pile of shit that is the Win32 API, so I wouldn't worry.
    • Re:Alright (Score:3, Funny)

      by blerg ( 185696 )
      I know alot of software developers are anal retentive perfectionists, but this is going a little too far. What's next? EULA emulation?

      I really think they should embrace and extend the EULA with the simple addition of a large fonted, capitalised "Just kidding!" right at the end.

  • by Anonymous Coward on Wednesday October 23, 2002 @03:30PM (#4516183)
    After seven posts!!?? Criminy people? how am I supposed to learn how windows sucks if you keep making IIS explode!?
  • by entrager ( 567758 ) on Wednesday October 23, 2002 @03:32PM (#4516214)
    I don't think so. I think it's pretty amazing that this could occur within Wine. I'd be VERY pleased if I were a Wine developer.
  • by sammaytg1 ( 608758 ) on Wednesday October 23, 2002 @03:35PM (#4516255)
    It's a linux implementation of windows apis. IT really shouldn't be suceptable to virii like windows is. I would really like to know more about this (the article has already been slashdoted)
    • by SpamapS ( 70953 ) on Wednesday October 23, 2002 @03:52PM (#4516462) Homepage
      Its not just "windows" that is susceptible to viruses. It is the API that is too trusting, and the file permissions. When you run wine, you generally own all of the files (default is ~/.wine/fake_windows). So you're going to be able to do anything you could on a windows box.

      Its not all that surprising that a virus would run without problems. Many of them do exploit actual bugs in the Windows code, but most of them just make regular old crappy Win32 API calls.
    • Sour grapes (Score:3, Insightful)

      by Subcarrier ( 262294 )
      Is it really such a big surprise that something based on Bill's produce quickly turns into vinegar? Storing it somewhere cool (Linux) isn't sufficient to make a good wine, you know.
    • I was under the impression that the goal of the Wine project was to not only implement all of Windows' API, it would also implement the APIs such that any bugs which would occur in Windows would also occur in Wine. To make the environment as nearly identical as possible. I could be wrong, though . . .
    • That always comes up, "Wine Is Not an Emulator". Well, doesn't they say that more because they want a cool recursive acronym than anything else? :)

      It is more than just an implementation of the API, since it obviously emulates the registry and some file system capabilites. Granted, this may be just because this api needs it to work, but it still takes it beyond just the api.
  • by Anonymous Coward on Wednesday October 23, 2002 @03:35PM (#4516258)
    The server is apparently running IIS under Wine.
  • by Havokmon ( 89874 ) <rick&havokmon,com> on Wednesday October 23, 2002 @03:37PM (#4516282) Homepage Journal
    I swear when I read the article earlier today (It was posted on Desktoplinux and NewsForge already), that the guy said that by default, "/" was mounted a Z:.

    I've just recently done a wineinstall to clean out my wine settings, and I don't have a Z:. Does that happen if you're running as root?

    The only potential issue I can see is that your whole home directory is 'shared' between Linux and Wine by default.

    Maybe I just read ~/ as /

    • I swear when I read the article earlier today (It was posted on Desktoplinux and NewsForge already), that the guy said that by default, "/" was mounted a Z:.

      CodeWeavers Wine and WineHQ CVS setup their initial configuration differently I think. You can alter what drives are mapped to what easily enough in the config file, or using the configuration GUI.

    • Typically the reason some Wine installations create Z: mapped to / is because when Wine starts, it needs to be able to find your current directory and the windows executable you are running in a space that's mapped to a windows drive.

      In other words, if I'm sitting at a prompt in the directory /usr/local/sasquatch and try "wine bigfoot.exe" to run the bigfoot.exe file, unless there's a Windows drive mapped that gives access to /usr/local/sasquatch I'm gonna get an error. Mapping a drive to / prevents the error.

      Still, if you run wine as a non-root user, the windows processes shouldn't have access to anything to which your user doesn't have rights.
  • Old Story, Kinda (Score:5, Interesting)

    by GigsVT ( 208848 ) on Wednesday October 23, 2002 @03:37PM (#4516284) Journal
    There was a story a year ago about sircam running on Wine. [slashdot.org]
  • by iceT ( 68610 ) on Wednesday October 23, 2002 @03:38PM (#4516290)

    If you lie down with dogs, you'll get up with fleas...

    Does anyone know if Norton Anti-Virus runs under Wine? ...anyone...?
    • by Ed Avis ( 5917 ) <ed@membled.com> on Wednesday October 23, 2002 @03:48PM (#4516427) Homepage

      There was recently some discussion [winehq.com] on the Wine newsgroup about limiting emulated applications' access to the system. This could be handy for dealing with semi-malware or just programs that don't fully like the emulated environment (and might need to be prevented from doing too many suspicious is-it-really-Windows checks). The reply was that since a Wine emulated program is running as an ordinary executable, it could call Unix system calls anyway, so there would be little point (from a strict security point of view).

      However, something like NetBSD's and OpenBSD's recently added feature to monitor system calls and define policies could potentially be very handy for running binary-only programs you don't fully trust: and of course most such programs are on the Windows platform.

    • As much as I hate to shatter your imaginary world, I have to say that NAV is a completely useless program designed to suck money out of your pocket. There are no more viruses on Windows than there are on Linux. What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook. Run Outlook under wine, and you will get the same worms. It's not a fault of the OS, be it Linux+Wine or Windows, but a problem of the Outlook application.
      • I would say about 95% of the time you are right, but Outlook and Outlook Express are not the only things that cause problems. However, there have been several other issues especially with the Indexing Service and IIS. Remember Code Red and Code Red 2?
      • Not to burst any bubbles, but Outlook is quite safe once you've got the security update, which has been out for some time now. Of course this does nothing for the installed base that have never been updated, but I suppose that's why MS is trying to buildup the autoupdate features more. (Moreso for the OS than Office, but still...)
      • by joto ( 134244 ) on Wednesday October 23, 2002 @05:13PM (#4517191)
        As much as I hate to shatter your imaginary world, I have to say that NAV is a completely useless program designed to suck money out of your pocket.

        No it isn't. While a reasonably intelligent person with some experience with windows should easily be able to keep his windows box free of viruses, most users are not.

        If you've ever been administering windows boxes for others, NAV corporate edition, or some other corporate antivirus software is really a life-saver.

        There are no more viruses on Windows than there are on Linux. What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook.

        Last time I checked, there was about 3 viruses for Linux. I have heard some stories about new ones, so now there might be 10-15. The number of viruses on Windows increases with over 50 per month. As for the frequencies of those viruses: I've yet to actually discover a virus for linux (other than reading about it). On the other hand, with my windows box, I actually have to be careful.

        What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook. Run Outlook under wine, and you will get the same worms. It's not a fault of the OS, be it Linux+Wine or Windows, but a problem of the Outlook application.

        Or outlook express, which is distributed as a part of the Windows OS. There are also problems with permissions (most linux distributions have somewhat sane permissions, most Windows installations have not (because after installing it, they are anything but sane).

        And while there are few reasons to run anything as root under linux (except for the occasional sudo), the only practical way to use Windows is to be logged in with administrator rights (e.g. autocad requires this).

        On the other hand, it is true that linux is susceptible to viruses just like Windows. The main thing going against that now is lack of popularity, and an educated user-base. But there are also lots of good technical reasons why it would be harder on linux. And the lack of outlook, default shares, IIS, and over-user-friendlyness certainly also help :-)

      • I have to say that NAV is a completely useless program designed to suck money out of your pocket

        Uh-huh. Next you'll be telling me that it's all a conspiracy and that viruses are written by the AV vendors themselves.

        There are no more viruses on Windows than there are on Linux.

        I TOTALLY disagree with that statement. You can look at any virus tracking system and see that CLEARLY there are more viruses for Windows. *IF* you had said that Linux is no less suseptible to viruses than Windows, I actually might be inclined to believe you...

        With one exception.

        Most software in Linux was not designed to run applications automatically for the user. Windows software WAS EXPLICITLY DESIGNED to do that.

        IE (and anything that uses that rendering engine, including Outlook, Outlook Express, and etc.) was designed to run VB scripts silently, without knowledge of the user, and with full access to everything the user has access to on that system.

        The software on Windows was designed for ease of use above everything else. This design goal went through EVERY aspect of almost EVERY piece of windows software. From Office (macros) to Exchange (5.5 default IMS configuration was an open relay), and SQL*Server (default 'sa' account w/ no password). That's why your mother can use it. Security and easy to use are more contrary to one another than complimentary.

        Since windows is designed to do everything as 'root' and also designed to do everything 'silently', it makes it a much juicier target for virus. Linux is, at a minimum, tougher to write viruses to. Most 'viruses' under Linux require that the user actively run a program.

        Will Linux ever be 'immune' to viruses? Doubtful... but it at least makes it a LITTLE tougher for people to SPREAD the viruses.

        Now... wanna talk about system vulnerabilites...?
  • by grahamlee ( 522375 ) <graham.iamleeg@com> on Wednesday October 23, 2002 @03:39PM (#4516301) Homepage Journal
    Hi folks!

    The new version of WINE is available! It costs a mere $450 per seat, and after an extensive rewrite of the Windows ABI emulation exports NO functionality whatsoever!
    BTW for optimum emulation, we recommend running WINE at nice -20.

    COMING SOON - WINE SP1.
    The all-new WINE Service Pack removes the ability to run MS-DOS programs, and stops you viewing any digital broadcast medium. This is to enhance your computing experience.
  • by Pike65 ( 454932 ) on Wednesday October 23, 2002 @03:40PM (#4516317) Homepage
    All of the advantages, none of the . . . oops.
  • by sjbe ( 173966 ) on Wednesday October 23, 2002 @03:41PM (#4516335)
    Kinda obvious but easily forgotten. Being able to run windows apps is a two edged sword in many different respects. Access to good applications versus potentially reduced interest in linux development. Ability to run applications not built for linux versus inconsistant ability to run some of those same apps. And now of course, access to Windows apps versus the viruses that often go with them. The good comes along with the bad and there are plenty of unintended consequences to go around. Any engineer will tell you that there are tradeoffs for any design decision. WINE is no exception. Caveat emptor...
  • What's the deal? (Score:5, Insightful)

    by jorlando ( 145683 ) on Wednesday October 23, 2002 @03:43PM (#4516364)
    Wine is supposed to run Windows apps... a virus is a Windows app as any other... If the Wine user is running Outlook what else he can wait for? The vulnerabilities still there...
  • i would think (Score:3, Informative)

    by papasui ( 567265 ) on Wednesday October 23, 2002 @03:44PM (#4516373) Homepage
    the obvious solution would be not to run WINE as root. The filesystem permissions should prevent excessive damage.
    • Re:i would think (Score:2, Informative)

      by scenic ( 4226 )
      I hear this a lot, and it's a sort of silly argument to make for a desktop machine. I mean, I don't care about what's /usr or /usr/local or whatever. I care a little bit about /etc (which is easy to back up) and a hell of a lot more about the stuff in my home directory (and other areas where I have write permissions). On a desktop, viruses/worms suck, period, even if you use a regular user account for daily access.

      I use a Linux box at work and at home, and my laptop runs OS X, so I'm not saying this as a slight against the Unix variants out there.

      Trust me, I would be much more upset at losing all my digital photographs or code or whatever. Losing the OS isn't really any more or less inconvenient than losing all my data. But losing all my data permanently would really be awful.

      Now, I back up most everything periodically, so I figure I'm better off than, let's say, my mom, who rarely backs up anything. Or my sisters, who used to back up to floppy until I explained to them how silly that was.

      Not having root just prevents certain "shady" things from happening, but in the end, you can do everything as your normal user. I can start up daemons via my normal startup scripts (some of which get called when X comes up, for example), modify binaries that are owned by my user (many applications these days under Linux and OS X), and open network connections for DDOS attacks. The only nice thing is that I think I'm unable to do things like SYN floods (I think... there are definitely limits on RAW sockets, I believe) and certain nastier attacks without root access or the proper access set up.

      Sujal

      • Re:i would think (Score:3, Informative)

        by kasperd ( 592156 )
        Not having root just prevents certain "shady" things from happening, but in the end, you can do everything as your normal user.

        If you run everything as root, your system will probably be as vulnurable as any windows system. Not running as root does of course not prevent all attacks, but it does prevent the most nasty ones. A worm with root permissions can do nasty things to your kernel, filesystem, libraries, and standard executables. If such things happens a reinstall will be your only way back to a normal situation. If OTOH the worm only has access to a single unpreveleged user, the system integrity is unaffected. In this case root can log in and watch what is going on, and there is no way the worm could hide anything. You will be able to compare the users file against the last backup, you will be able to see exactly what files the user has created on the system, you can watch his network access. And cleaning up is easy, just kill all the users processes, delete all his files from /tmp and /var/tmp, and finally restore his home directory from the latest uninfected backup. You can use diff to look for suspicious changes. And the backups can be done regularily by a cron job run as root, and can even be stored online.

        And now that you actually have a fine multiuser system, why not use this fact? If I want to run something I just downloaded from the net, I usually run it under a dummy user ID. And whenever I run Wine, it is done under a dummy user ID. And you can prevent the user from doing certain things on the network, it is just a matter of a few iptables rules. On my system even if I ran Klez under Wine, iptables would deny it access to SMTP.
    • the obvious solution would be not to run WINE as root. The filesystem permissions should prevent excessive damage.

      Excessive damage to what? The application binaries and data, which can be replaced in hours? Or your home directory full of work, some of which might never be replaced?

      • Re:i would think (Score:3, Informative)

        Or your home directory full of work, some of which might never be replaced?

        So create a user named "wine" with no write access to anything you care about. Su to it and run Wine. Problem solved.

    • Re:i would think (Score:3, Interesting)

      by Sloppy ( 14984 )
      Amusingly, this is sort of a case where the filesystem permissions failed. It sounds like this guy had WINE set up as a "viewer" for .EXE files, so KMail "viewed" the attachment with WINE. If you think about how this was probably implemented (speculating and analoquizing is so much more fun than actually looking up the answer ;-), then KMail probably wrote the attachment as a file somewhere under /tmp and without executable permission (both because it wouldn't make sense for KMail to +x it, and also maybe because of how the admin would probably mount /tmp). And then ran WINE with the temp file as argument.

      And WINE executed it anyway. Major blunder.

      Which just sort of goes to show, Unix's executable permission bit, is really mostly just "advisory" and not really enforced by kernel. (How could it?) Filesystem permissions, feh.

      • Re:i would think (Score:3, Insightful)

        by Sloppy ( 14984 )
        And WINE executed it anyway. Major blunder.
        Actually, as I think of this more, I get less certain.

        Suppose you set up KMail to use python as a "viewer" for .py files. Would I treat python running a script that isn't chmodded +x, as a python bug? I don't think so. Hmm.

        The real problem is foolish decisions about setting up external viewers. I no longer blame WINE.

  • by Anonymous Coward on Wednesday October 23, 2002 @03:45PM (#4516383)
    On the footer of *every single page* at linuxguru.net, we specifically request that slashdot not link our stories because we can't handle the load.

    I now have two dead machines because they linked us anyways.

    -James Blackwell
    • This is -1 at the moment, and everything, but the pages really do say not to link from slashdot.

      Search for "articles.linuxguru.net" on google, then have it show its cached version.

      Now, there may not be legal grounds, but uh, come on guys.
    • Enjoy it while it lasts. Afterall, at this point, what are you gonna do?

      Just hope and pray that they don't repost the same story tomorrow. It's been happening a fair bit lately.
    • by OnyxRaven ( 9906 ) on Wednesday October 23, 2002 @04:11PM (#4516639) Homepage
      ...moderated funny... gah.

      Aanyway, why not do what a few other sites do... in Apache just reject anything with a referer from slashdot.org domain. redirect it to something like a tripod page that says "your link has been rejected - linked from slashdot" or something.

      or heck, just drop the request. Make them mirror it.
    • by Anonymous Coward on Wednesday October 23, 2002 @04:21PM (#4516737)
      Run IIS next time so we can blame Microsoft. We dont like to see Linux servers go down for the same reason.
      • Except that IIS supports this nice feature called a throttle which would give many /.'ers a "Server Busy" error but would also A) allow current sessions to browse the site at a reasonable speed and B) not take the server down. Of course, packet monitoring is available at the OS level, but it's nice to have it controlled and gracefully handled by the web server. AFAIK Apache does not yet support this (although I have no experience with 2.x which no one really uses anyway).
    • Sue slashdot, well actually their parent company. You notifid slashdot to not link to your site for very specific reasons and they ignored the notice knowing full well what the consequences of their actions would likely be. I'd be interested to see what a ruling like this would do to hyperlinking and deeplinking of web sites.
    • On the footer of *every single page* at linuxguru.net, we specifically request that slashdot not link our stories because we can't handle the load. I now have two dead machines because they linked us anyways.

      I'd have thought a "Linux Guru" would know how to block traffic referred from Slashdot, preferably at the firewall (if you have content based filtering), or at the webserver if not. In addition, it's not that hard to throttle traffic back to a level your servers can handle. Again, something a guru should know. Aaah, yes... the penny drops. You're the same James Blackwell that's been flaming Larry McVoy on LKML. It all makes sense now...

  • by Adam9 ( 93947 ) on Wednesday October 23, 2002 @03:50PM (#4516441) Journal
    Well, this article that I found here [linuxchix.org] that discusses the limitations of Klez on WINE and how Sircam was able to run on WINE. All in all, it appears to be a limited threat.
  • Putting too much M$ in Linux makes bitter WINE.
  • WINE = good (Score:3, Funny)

    by RomikQ ( 575227 ) <romikq@mail.ru> on Wednesday October 23, 2002 @03:53PM (#4516473) Homepage
    Well, I haven't seen the article, cause it's been slashdotted, but to all that talk about wine virii execution - look at this [linux.org.ru] (the author of the screenshot is C-Pro).

    Besides, I mean, just as with any other tool, you need caution. If you run wine as root with the whole tree as e: then sooner or later you're gonna regret it. The level achieved by wine emulation is amazing, so there are going to be security flaws if you don't know what you are doing, just as with any product with functionality as extensive as wine's
  • by yipyow ( 317154 ) on Wednesday October 23, 2002 @03:54PM (#4516486) Homepage
    ok, so i haven't seen the article. but this just goes to show that although running windows apps under linux using wine may be useful, what we are really wanting to do here is stop using that stuff anyway, by writing apps to replace them. isn't that why most of us run linux anyway, because we can't stand the alternative?

    chris
  • by Olmy's Jart ( 156233 ) on Wednesday October 23, 2002 @03:57PM (#4516510)
    Fine... Why in blue blazes did KMail run Wine in the first place. Why would KMail run any attachment? It's one thing to run a viewer on an image like a .jpg. It's a totally different sort of thing to run the attachment. What are they going to do if they get a foo.sh file. Run it under bash? That's basically what they've done here. This is exactly why Microsoft got in heat over these worms and why these things run rampant on MS systems even if the users are not admin on that system.


    It's a security bug, a security hole, just like the ones in LookOut, and it ain't a Wine problem. This one belongs on bugtraq.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Wednesday October 23, 2002 @04:20PM (#4516723)
      Comment removed based on user account deletion
      • by kasperd ( 592156 ) on Wednesday October 23, 2002 @04:43PM (#4516931) Homepage Journal
        • How is KMail supposed to know if it is safe to "run" the attachment?
        • How is KMail supposed to know how to "run" the attachment?
        It is two different questions, but the answer is the same. You give KMail a list of filetypes, and tell it what to do with them. The list could contain a flag specifying dangerous filetypes. If that feature does not exist in KMail, the filetype should be ommited from the list.

        To me this sounds like a bug in the configuration rather than the software. And it does sound like a configuration mistake in the default install of this distribution.
        • To me this sounds like a bug in the configuration rather than the software. And it does sound like a configuration mistake in the default install of this distribution.

          Just don't jump to that conclusion. KMail uses file MIME types that are registered in KDE - that is configurable for and by each user and any apps they may install that may run the appropriate script to either create a new type or get control of the existing one. MIME types then can be and are used by variety of apps such as Konqueror, KMail, KBear, etc. that launch external apps or plugins that are registered for a given type. You can register *.bat, *.exe, *.com, *.vbs files' MIME type and associate them with Wine. Now, if this was done as a default from that guy's distro you may have a point; but also that user may have compiled and installed his own Wine and associated the above file types on his own.

          On a side note, KDE has a very nice configuration tool for file MIME types that can be accessed by right-clicking on any file.
      • You are using the identical defense that Microsoft used to circulate when people complained about Outlook opening all attachments. KMail (and other mailers) need to be able to distinguish between "safe" and "unsafe" attachment types.

      • The fundamental problem is the concept of "opening" a file. Having an operation that's easy for the user to invoke, but that could do basically anything, is a really bad idea. (Yesterday, I tried to open a door and I ended up opening a restaurant. Today, I tried to open my wallet and opened a wound on my leg. Then I tried to close my wallet, but closed my bank account instead. Anyway...) It was a bad idea on the Mac, it was a bad idea on Windows, and it's a bad idea on Linux.

        What KMail wants to let you do is "view" a file. You view .sh files with a text editor. You view .jpgs with GIMP. You don't view Windows executables. Programs that view files are safe to use (unless there's a bug in the viewer).

        You may, at some point, want to execute a file. You do this with exec(). You don't do this with a viewer.

        If you insist on acting on files without any concern for the operation you're going to do on the file, I'd suggest using "rm", which will work on any file, regardless of type, and will cause relatively little damage in the long run.

    • It worked just because of the way it would run a jpeg viewer. The MIME type instructs kmail that windows executables are supposed to be executed using the "wine" executable (e.g. wine sol.exe). So KMail isn't executing the program, it's executing a "viewer" that "views" (runs) Windows executables. The fact that this opens up a huge security hole just shows how careful you have to be.
    • by gmarceau ( 119282 ) <dnys2v4dq1001@sneakemail.com> on Wednesday October 23, 2002 @04:51PM (#4517022) Homepage
      Why did Wine accepted to run a file which didn't have +X permissions? That would be Wine's contribution to bugtrack.
  • article text (Score:4, Informative)

    by Anonymous Coward on Wednesday October 23, 2002 @04:06PM (#4516582)
    The WINE project is becoming increasingly popular and useful to those who would continue to use proprietary, free, and unported opensource software available only for Microsoft Windows. I've tested it with a few games I had purchased while I still used Windows, and it surprised me. The WINE project, and the two popular forks in the project, WineX, and Codeweavers WINE, have come along quite nicely, albeit it slowly, over the last few years. I give a lot of credit to the many developers that have poured a lot of their time into the project, but, with the good, the bad must be accepted.

    Recently a friend of mine, proficient in Linux, and not what you would call a 'newbie' to computing, received an email from a customer. The email was vague and included an attachment. In KMail, he decided to view the attachment, thinking it was simply an image. He clicks it, nothing happens, no viewer, no error, nothing but a few seconds of milling around, and then more nothing. Then, the wine notification pops up. By this time he had realized the file was a Windows executable, and that he'd just executed it with wine because of the MIME typing capabilities of KDE, and WINE's integration with the desktop.

    If he were running windows, I would've slapped him upside the head, everyone with any sense at all would've expected an odd email with an attachment to be a ready and willing virus or worm. Of course, this was no different, this attachment contained the worm known as WORM_KLEZ.H. However, because of the sense of security from worms of this nature bestowed to Linux users, by the same type of ignorance in assumption that spreads them amongst Windows users, he never expected the attachment to be a virus or worm that would infect and operate as it normally does. Unfortunately, this is exactly what happened... click, boom, Klez goes nuts, etc., etc., etc.

    The virus itself is simply a worm, it's what you'd call a 'dumb virus', in the sense that it isn't extremely complex, doesn't change itself around much, and basically works as fast as it can before it is easily obliterated by common virus scanning software. The basic idea is that it infects you, spreads itself by emailing from your computer to as many contacts as possible, then does its damage, if you want more detailed information, Trend Micro has plentiful information about Klez and other viruses and worms available on http://www.antivirus.com/.

    Now, you may be wondering how it infected and actually 'worked', I know I certainly was. In this particular case, our cool customer known from here on out as 'John' for 'John Doe', had wine installed, and you see, the default configuration for most wine installs, shares your root linux directory as a drive visible to the applications running inside of it. If you know anything about the Klez worm, you'll remember that not only does it search for address books, etc, it will search for many other common file formats on the entire system, searching for email addresses, dropping PE_ELKERN.D, and various other silly virus/worm/intrusive type things.

    So far we have the first two parts of the Klez's basic operation, infection, and email address reaping. What is next? Let's say it together kids "PROP A GA TION" yay!!! Now, this is probably one of the most important parts of a worm's life cycle. If it doesn't propagate, it isn't really a worm or a virus. It's just a pointless, irritating program.

    Propagation in wine, this was the part in this particular case that I found so amusing. The computer was running a secure MTA (Mail Transport Agent) and the fake Windows registry for WINE was configured to use the localhost as the SMTP server for internet applications. Otherwise, the Klez would not have known how to send itself. It is possible, that, the Klez worm defaults to 'localhost' for the SMTP server if it cannot find one in the registry, this I don't know and it doesn't seem to be covered in Trend Micro's technical description. Anyway, because of the MTA being localhost, the worm was able to queue all of its outgoing email quite quickly. I actually had the opportunity to remotely shell in as root and view `ps aux` output, showing the various smtpd instances sending this email, while I tried to help John find the spooled emails and remove them.

    Now, a few things must be noted about this particular situation. KLEZ is not a high risk worm, so by no means was this a massive problem for this person. Also, the infection did not include files that were not Windows exectuables, so the native filesystem was left unharmed. The spooled emails were taken care of and the effects overall were minimal, if not simply classified as an 'annoyance.'

    The reason this is such an important subject to cover, isn't this instance of infection, but, the possible vulnerability that using WINE in such an insecure (and default) way can provide. For example, a knowledgeable virus programmer could use this situation to make multi-platform viruses, that could detect files by their 'magic file type' similar to the way the tool 'file' does, and infect them through wine. I understand, that this is highly unlikely to occur any time soon, but, I think you can probably imagine many other ways that this opens doors for virus problems to the relatively virus-clean environment of Linux.

    The main points I'd like to make are: WINE is obviously mature enough to handle the more advanced code that a virus usually contains. Even if only KLEZ for now, others will in the future, be compatible. The other is: I am willing to bet that 90% of you WINE users out there, can view drive Z, or something similar and get your root file system tree, and something like drive Y provides your home directory READ-WRITE. Please, don't do this, unless it is absolutely necessary, minimize the interaction between your WINE environment, and the real linux environment, specify a directory for wine shared files and keep them separate from your linux home files, etc. This will help to minimize the post-infection damage a virus can accomplish.

    Finally, the most important 'bug' most distributions have, is allowing a Windows executable to be run with wine without an obvious chance for interception, by default. Sure, it comes up with a window, telling you that wine is running, and allowing you to disable the notice, however, it does NOT warn you about the application being executed in such a way that you could stop it before it was started. Even Java does this with code that is signed for permissions; it still asks you if you are sure you want to give it permissions.

    As it goes, I was unable to easily obtain any previously written information on securing WINE properly, and I am no security expert. Some basic tips would include, configuring the program, read all of the options, don't let it set itself up completely for you.If anyone has any tips they would like to share, please do.

  • Speaking of Wine... (Score:2, Interesting)

    by dcuny ( 613699 )
    I was just looking at the latest WINE news [winehq.org] and saw an interesting comment regarding Xandros and CodeWeavers that didn't seem to appear in yesterday's discussion of Xandros [slashdot.org]:
    • There's a little more behind this than meets the eye. Both Xandros and CodeWeavers have a significant share owned by a holding company, Linux Global Partners . Other companies in their portfolio include Ximian, Gobe, Metro Link, and GNU Cash. All of the companies are fully independent, but as Linux Global Partner's web site states,
    • Our operating strategy is to integrate our partner companies into a collaborative network that leverages our collective knowledge and resources. With the goal of holding our partner company interests for the long-term, we use our collective resources to actively develop the business strategies, operations and management teams of our partner companies.

    Maybe I'm being paraniod here, but it looks like Linux Global Partners [linuxglobalpartners.com] is buying up lots of Linux technology. And given that Xandros doesn't follow the "free as in beer" model, I've got to wonder how this bodes for the future of Linux. I mean, the projects are still under GPL, but that doesn't mean it will be released for free [slashdot.org]. Clearly they are in this to turn a profit.

    I guess the free ride has to end at some point.

  • by Anonymous Coward
    I've said it before, and I'll say it again:

    Klez crawls network shares. So if you saved a few bucks by setting up samba servers, you'd better be running antivirus on them.

    If you've got an ftp site that Windows users are uploading files to, you'd better be running antivirus on them.

    Sure, the virus won't run on Linux, but it'll still spread as soon as someone on a Windows box uses one of these files.

    That is all.
  • by FreeLinux ( 555387 ) on Wednesday October 23, 2002 @04:28PM (#4516787)
    The antivirus industry will love this. Who knows, they may even contribute to WINE. You see, so many Linux users have this false sense of security, assuming that since Linux hasn't been significantly targeted by virus writers that, Linux is virus proof. Big mistake, as demonstrated by this story.

    Now, Linux users will catch and spread a long list of old Windows favorites making the demand for commercial antivirus software go up again. This John Doe caught Klez a rather non descript worm. Imaging Anna Korunikova in the inboxes of most Linux geeks. ;)

    Better see about Norton Command Line Scanner or perhaps...

    rpm -e wine-*
  • get used to it.... (Score:5, Insightful)

    by morgajel ( 568462 ) on Wednesday October 23, 2002 @04:29PM (#4516805)
    This is relatively tame.

    As much as I hate saying this, I fear it's going to get a lot worse. As/If Linux gains popularity on all systems, including desktops, you can expect there are going to be a lot of disgruntled windows people out there who will become unemployed because they can't grow with technology. I'm expecting to see a lot of linux software start getting messed with and drastic increase of linux trojans and viruses.

    don't believe me?
    Look at how much software has been backdoored lately- bitchx, ssh, and sendmail. That's a BIG FUCKING DEAL. As we continue, expect the crosshairs to be levelled towards us. There's gonna be a conspiracy. I'm not making any accusations, but keep in mind that the opensource movement is putting pressure on a group of companies that aren't exactly known for their ethical behavior.

    of course I know I'm probably just a paranoid nut, but hey, that's a good thing to be in our field.. ...and this is one of the few times where my sig doesn't apply.
    • As we continue, expect the crosshairs to be levelled towards us. There's gonna be a conspiracy.
      Why the hell not? The reverse has been true for a long long time. Now them evil Micro$haft Windo$e luser$ get a chance to strike back at a bunch of elitist whining pricks.

      Almost time to get a taste of our own medicine.

    • If you really want to go for the conspiracy theories, wouldn't finding holes be a great way for MSFT to shake up some fear in the CIO's office? Especially if you let go of a bunch of vunerabilities at once...
  • by Maradine ( 194191 ) on Wednesday October 23, 2002 @04:45PM (#4516969) Homepage
    I've got a 5-gallon carboy in the closet with 12-day old merlot in secondary fermenation. It took me two bloody hours to santize all of my siphoning gear just to make sure i wouldn't skunk on me . . . and now you're saying I have to worry about KLEZ in my wine??

    Christ, this homebrew thing just isn't worth it.
  • by Todd Knarr ( 15451 ) on Wednesday October 23, 2002 @05:00PM (#4517094) Homepage

    This isn't just limited to WINE, it can hit real Linux mail programs too if anyone ever writes a Linux/ELF virus attachment. Repeat after me, kids:

    Executable MIME types have no place in a mail program!

    None, never, no way. Mail program doesn't matter. OS doesn't matter. No mail program should ever, under any circumstances, execute anything attached to an e-mail message, period full stop. You should only execute things from people you trust, and one attribute of e-mail is that you don't even know if the From address is the real sender so how can you trust the message?

    • Remember that Linux doesn't see .exe as an executable, it sees it as just another data type. How can KMail tell the difference between opening a JPEG with GIMP and opening an EXE with WINE?
  • by standsolid ( 619377 ) <kenny@NoSpAm.standsolid.com> on Wednesday October 23, 2002 @05:04PM (#4517126) Homepage
    looks like John was running linux for everyday tasks as his root account.... should we feel sorry? Hey, just as an example, i'll give you all my root account password so you can rape my computer all you want. sound good?
  • This is an interesting find ... In the following excerpt taken from the WINE FAQs [winehq.com], the author tries to make an argument that diversification is needed in the Windows world (thus WINE) so that Windows viruses can't take out as much of the computer population. Well, looks like that argument for WINE just backfired.

    Excerpt:
    [snip]Code Red did what any "virus" presented with a large homogeneous population would do: it infected more than 359.000 computers in just the first day.[snip]

    It is only a matter of time before a more virulent worm appears. The only way to decrease its impact is to diversify the OS population. Because it is an alternate implementation of the Win32 API and runs on top of a completely different OS, Wine does not have the same flaws and thus can provide this needed diversity.

  • But I believe it should be possible just to allow Wine to access only some files, so if a worm like KLEZ is run, it can only access your files under $HOME/somedir, like changing
    [Drive F]
    "Path" = "${HOME}"
    "Type" = "network"
    "Label" = "Home"
    "Filesystem" = "win95"

    to
    [Drive F]
    "Path" = "${HOME}/wine"
    ...

    Of course it could still mess up some of your Windows-/Wine-related stuff. But I don't see how it could obtain addresses to spread itself to, unless of course you have Windows Address Book, Outlook, or something installed with Wine.
  • It a joke (Score:2, Insightful)

    by fred0110 ( 127260 )
    Guys, its a joke. Someone emulated it just as an excerise.. Its not really a danger to Linux. :)
  • by sheriff_p ( 138609 ) on Thursday October 24, 2002 @02:53AM (#4520069)
    If you want to know how exactly klez works, there's a very detailed analysis here:

    http://www.virusbtn.com/resources/viruses/indepth/ klez.xml [virusbtn.com]

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...