[vox] Linux viruses?

Ken Bloom kabloom at ucdavis.edu
Sun Jun 13 14:33:14 PDT 2004


On Sun, Jun 13, 2004 at 11:31:00AM -0700, Marianne Waage wrote:
> Bill Kendrick said:
> >Noticed this article on my newsticker just now:
> > Antivirus vendors await first Linux worm
> > http://www.infomaticsonline.co.uk/News/1155836
> >However, one line in the article piqued my curiosity:
> > Symantec reported that it has found three Linux viruses in the wild
> > since the start of 2004.
> >Anyone have any references to these three?
> 
> I always wondered what would happen if you got a virus through something
> emulated like Outlook under wine. There was some other program that let
> you run MS products under linux but I don't recall the name now.
> 
> -yams

One configures WINE with mappings between Linux directories and DOS
drives and also mappings between Linux files and DOS devices. I'm not
sure what your configuration is like, but we can hypothetically
discuss my WINE configuration.

$ ls -l .wine/dosdevices/
a:: -> /dev/fd0
c: -> /home/bloom/.wine/c_drive/
com1 -> /dev/ttyS0
com2 -> /dev/ttyS1
com3 -> /dev/ttyS2
com4 -> /dev/modem
d: -> /windowshd/
e: -> /tmp/
f: -> /home/bloom/.wine/../
lpt1 -> /dev/lp0

(I edited out a bunch of the unnecessary columns after pasting this
listing in.)

/windowshd/ is a read-only mounted NTFS partition which is my boot
partition when I boot to Windows. My software lives there, so I use it
in WINE to run maxplus.

You'll notice that the a: drive is hooked up to a device file
/dev/fd0. This doesn't seem to be properly configured. (I can't access
the floppy drive at all, but I don't particularly care). But it looks
like WINE could theoretically reformat a floppy.

c:, d:, e:, and f: are all mapped to folders. d: is
read-only. Additionally, com1, com2, com3, com4, and lpt1 are hooked
up to device files.

I only use WINE to run MaxPlus, but hypothetically assuming I ran a
piece of software that could contract a virus, here are the dangers.

If the virus decided it wanted to delete all of the files on the f:
drive, I would no longer have a UNIX home directory. If it decided it
wanted to format the f: drive, I imagine it would fail. Likewise for
the c: drive, although it would only be able to delete a few files,
not the whole home directory. For drive e:, /tmp has the sticky bit
set. WINE needs to get Linux permissions to access files, so a virus
could only delete temporary files that I owned. As I'm the only user
on my system, that's most of them -- but there is something there
owned by root, and WINE couldn't delete that. I tested out the d:
drive in the Windows 2000 command prompt, and WINE refused to let me
even read the drive, saying "Access Denied" - although I know it works
fine when I'm running MaxPlus.

I haven't tested this, but I imagine WINE has full TCP/IP network
access. A virus that started running on WINE could probably propagate
itself just like any other virus.

WINE applications can launch other WINE applications. When a new WINE
application is launched, a corresponding new UNIX WINE process is
launched to create that process. (I just verified this by experiment).

Perhaps the most critical feature of Windows and WINE with respect to
a virus is that of auto-launching processes. In Windows, the Windows
Registry maintains a well-formatted, read-writable list of processes
to launch on startup and login. Viruses simply add themselves to this
list. In Linux, it's possible for a virus to add itself to
automatically start at login, but much harder than on Windows
(because the syntax of .profile or .login makes it somewhat harder to
automatically add a process to the list). In WINE, there is no such
list (if there is, it's ignored). The only process that starts when
you start WINE is the one you requested on WINE's commandline.
Although Microsoft Outlook could start a virus, it wouldn't come back
up next time you started WINE. (Unless Microsoft Outlook also
maintained a list of programs to start up when it started, in which
case a virus could attack that list. But there does not appear to be
such a list, and if there is then programs aren't attacking that
list.)

Conclusion:
A virus in WINE could:
* Start up, even automatically, the first time you were infected.
* Trash your Linux home directory.
* Mine the directories you gave it permission to access to find
  email addresses.
* Mass-mail itself to other people.
* Dial your modem or waste paper on your printer.

A virus in WINE could not:
* Format your hard drive.
* Trash other peoples' files.
* Start up automatically the next time you ran WINE.

Considering that some of the really critical abilities are missing in
WINE, I think running WINE is safer than running Windows.

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 10/14/2003. If you use GPG *please* see me about 
signing the key. ***** My computer can't give you viruses by email. ***
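The reasoning in the post above (which Linux paths each DOS drive letter or device name hands to a Windows program, and what ordinary Unix permissions still protect) can be turned into a small audit of a WINE prefix. The script below is an added example and is not part of the original post or of WINE; the function names are mine, the prefix it builds is a constructed layout shaped like the listing above, and /dev/null stands in for /dev/fd0 so it runs anywhere. It classifies each dosdevices symlink as a raw device, a writable directory, a sticky directory such as /tmp, a read-only directory, or a dangling link, and flags any mapping that resolves to the home directory itself (the f: -> ~/.wine/../ case).

```shell
#!/bin/sh
# Added example, not from the original post: audit what a WINE prefix exposes.

# classify_target PATH -> prints what a Windows program could do through PATH
classify_target() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo "dangling"          # symlink points nowhere: nothing reachable
    elif [ -b "$p" ] || [ -c "$p" ]; then
        echo "device"            # raw device: format a floppy, dial a modem, feed a printer
    elif [ -d "$p" ]; then
        if [ ! -w "$p" ]; then
            echo "dir-readonly"  # Unix perms or a read-only mount block writes (access(2) -> EROFS)
        elif [ -k "$p" ]; then
            echo "dir-sticky"    # /tmp-style: only the user's own files can be removed
        else
            echo "dir-writable"  # everything here is at the program's mercy
        fi
    else
        echo "other"
    fi
}

# covers_home DIR [HOME] -> succeeds if DIR resolves to HOME or an ancestor of it
covers_home() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    home=$(cd "${2:-$HOME}" 2>/dev/null && pwd -P) || return 1
    [ "$dir" = / ] && return 0
    case "$home/" in
        "$dir"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_wine_prefix [PREFIX] [HOME] -> one line per dosdevices mapping
audit_wine_prefix() {
    prefix="${1:-$HOME/.wine}"
    home="${2:-$HOME}"
    for link in "$prefix"/dosdevices/*; do
        [ -L "$link" ] || continue
        name=$(basename "$link")
        target=$(readlink "$link")
        class=$(classify_target "$link")   # tests follow the symlink
        note=""
        if [ -d "$link" ] && covers_home "$link" "$home"; then
            note=" (contains your home directory)"
        fi
        printf '%-5s -> %-40s %s%s\n' "$name" "$target" "$class" "$note"
    done
}

# make_demo_prefix ROOT -> constructed prefix shaped like the listing in the post
make_demo_prefix() {
    root="$1"
    mkdir -p "$root/prefix/dosdevices" "$root/home/user/.wine/c_drive" \
             "$root/tmp" "$root/windowshd"
    chmod 1777 "$root/tmp"        # sticky and world-writable, like /tmp
    chmod 555 "$root/windowshd"   # stands in for the read-only NTFS mount
    dd="$root/prefix/dosdevices"
    ln -s /dev/null "$dd/a::"                       # stand-in for /dev/fd0 (assumption)
    ln -s "$root/home/user/.wine/c_drive" "$dd/c:"
    ln -s "$root/windowshd" "$dd/d:"
    ln -s "$root/tmp" "$dd/e:"
    ln -s "$root/home/user/.wine/.." "$dd/f:"       # resolves to the home directory itself
    ln -s "$root/dev/modem" "$dd/com4"              # device file that does not exist
}

# Usage: build the demo prefix, audit it, clean up.
demo=$(mktemp -d)
make_demo_prefix "$demo"
audit_wine_prefix "$demo/prefix" "$demo/home/user"
rm -rf "$demo"
```

Run it against a real prefix with `audit_wine_prefix ~/.wine`; any mapping reported as dir-writable with the home-directory note is the "trash your Linux home directory" case from the conclusion, and every device line is a place where a misbehaving program gets past the filesystem entirely. Note that the read-only check is only meaningful for the user WINE actually runs as: root sees every directory as writable.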