What is the current thinking on preventing Wine running Windows malware...

Questions about Wine on Linux
fungible
Newbie
Posts: 4
Joined: Wed Aug 02, 2017 2:37 am

What is the current thinking on preventing Wine running Windows malware...

Post by fungible »

... I watched a video on Youtube (https://www.youtube.com/watch?v=TErrIvyj_lU) where a bloke manages to run Windows malware. It's true that the situation is rather artificial, but just what is current thinking about Wine and Windows malware? What if any precautions should I take? In the past, users have advised me that Wine isn't running when you aren't using it so you're safe, but I'm still worried...
madewokherd
Level 4
Posts: 143
Joined: Mon Jun 02, 2008 5:03 pm

Re: What is the current thinking on preventing Wine running Windows malware...

Post by madewokherd »

Don't use Wine to run software you don't trust. It doesn't incorporate any kind of security layer that could protect you from malware.

That should be enough for most people. If you're still concerned, you can use external security layers such as AppArmor, a sandbox, a VM, or separate user accounts. That would require some additional work on your part to determine what privileges Wine should have, or what software should be sandboxed, or what information you want to keep on an account that's isolated from Wine.

You can use anti-virus if you want, but be aware that AV itself can be a vector for attack if it's poorly-written and doesn't employ a sandbox.
Wildebeest
Level 2
Posts: 10
Joined: Mon Oct 11, 2021 10:33 pm

Re: What is the current thinking on preventing Wine running Windows malware...

Post by Wildebeest »

My experience is that any lethal malware could mess up your virtual drive; it would be unlikely to be able to corrupt the Linux partitions. As I noted, and as you should be aware yourself, he ran the malware and it failed to infect the Linux OS. Thanks so much for sending us his click bait video. lol

First he knew exactly what he had on his desktop and ran it anyway to prove "Linux is unsafe and should not be trusted".
Secondly, how did he get this? Well, he runs a "security channel" for Windows users on YouTube, and the Linux OS this person is running is under an Oracle Virtual Box ... can't get much safer than that. This video is not spontaneous in any way or shape. So his video opens with him typing in a terminal, hiding the icon and program he must have placed for this demonstration.

He types sudo apt-get update; his viewers are misled to believe he got the WannaCry ransomware from a Linux distro? Shame on him! I know he states what he did after he did this, but shame on him! This program would never arrive on the Linux desktop by using the terminal with sudo apt-get, as I would hope all the better educated and informed understand. The video is ignorance and greed.

I counterpoint his childish rant with what the NSA stated about Linux OS. Our government would be better off switching to SE-Linux OS, but Microsoft lobbyists have their hands on many Washington D.C. wallets.

My security measures for using Linux OS
1. Don't surf the web using WINE, you are unlikely to get any virus or exploit any other way.
2. Keep the OS in a separate partition from the Windows applications.
3. Change the Z:\ target in Wine. In the winecfg "Drives" tab, the Z: drive is Linux root by default. Change it to the partition where you stored all your Windows apps.
4. If you get malware, simply delete the ~/.wine folder and rebuild the virtual drive.
5. Once a month I use bodhibuilder to back up my OS to a USB key drive.

This YouTuber is using fear over fact, just to get views for 3 cents a pop. How woefully pathetic. He gets paid $11,000 for a video to misinform and panic his viewers.
madewokherd
Level 4
Posts: 143
Joined: Mon Jun 02, 2008 5:03 pm

Re: What is the current thinking on preventing Wine running Windows malware...

Post by madewokherd »

Wildebeest wrote: Wed Nov 17, 2021 6:16 am
    My experience is that any lethal malware could mess up your virtual drive; it would be unlikely to be able to corrupt the Linux partitions. As I noted, and as you should be aware yourself, he ran the malware and it failed to infect the Linux OS. Thanks so much for sending us his click bait video. lol
While malware running in Wine as your normal user can't do anything your normal user can't do (absent any privilege escalation bugs), it still would have access to all the files under your normal user account. That can easily include important data or even account credentials if it installs something like a keylogger.
Wildebeest wrote: Wed Nov 17, 2021 6:16 am
    3. Change the Z:\ target in Wine. In the winecfg "Drives" tab, the Z: drive is Linux root by default. Change it to the partition where you stored all your Windows apps.
This doesn't provide any real security layer. It may hinder malware that wasn't designed with Wine in mind, but malware devs accounting for Wine (which does happen) can easily access the full Linux filesystem (subject to user permissions), and there's nothing Wine can do to prevent that.

If you want to prevent Wine from reading/writing outside drive_c, you have to use something like AppArmor that provides real security.
Wildebeest wrote: Wed Nov 17, 2021 6:16 am
    4. If you get malware, simply delete the ~/.wine folder and rebuild the virtual drive.
This advice assumes that removing the Z: drive is effective, which it isn't.
Bamm
Level 4
Posts: 136
Joined: Thu May 22, 2008 3:18 am

Re: What is the current thinking on preventing Wine running Windows malware...

Post by Bamm »

Since the content of Z: is owned by root, how is it possible for Wine apps to modify them? In my mind, the only things it can change are the content of the $HOME directory.
madewokherd
Level 4
Posts: 143
Joined: Mon Jun 02, 2008 5:03 pm

Re: What is the current thinking on preventing Wine running Windows malware...

Post by madewokherd »

Drive letters are irrelevant to a program's ability to modify anything. It's determined by your user, which would typically have access to the contents of $HOME, removable drives, and network drives. For most people, this is going to include things you don't want malware having access to.
Wildebeest
Level 2
Posts: 10
Joined: Mon Oct 11, 2021 10:33 pm

Re: What is the current thinking on preventing Wine running Windows malware...

Post by Wildebeest »

@Bamm and @madewokherd
I agree the Z drive root is irrelevant, but why have it start at the root? I wasn't expressing this or any portion of Wine as being "exploitable" to the Linux OS. The most a hacker could hope for is using the Z drive to establish that you are running Wine and the path to your folders. If you partition (wall off) your programs using Wine, there is nothing the Z drive can reference other than what you show it. On my list above, only #1 is a key exploit to Wine, via a web browser. I don't have any reason to operate the web browser within the Wine VM, but if you did, it might install malware meant for Windows. This still fails to exploit the Linux OS in any fashion. The person who created that video was using it to state that Wine is a Linux-exploitable app! If you have solid proof of this, please, by all means do share.

I simply gave @fungible a list they can use as they are "still worried" about the use of Wine.
madewokherd
Level 4
Posts: 143
Joined: Mon Jun 02, 2008 5:03 pm

Re: What is the current thinking on preventing Wine running Windows malware...

Post by madewokherd »

AFAIK Linux's security (what it gives your user/programs permissions to do) is solid. It's just that, for most people, having malicious software running with their normal user permissions would be very bad. It doesn't really matter if the malware is running through Wine or not. You should be careful about any downloaded software, it just happens that Linux distros make this easier by providing a trusted source for most software you would want. This means that Wine isn't making your system's security any worse, but it's not *providing* any security either.

I agree that you're unlikely to get malware through Wine, as long as you're careful what you download and run (as you should be anyway).

From what I understand, you are claiming that removal of Z: prevents Windows programs from accessing files outside of C:. There are many ways that a program can still do this:
* The program can modify the drive mapping the same way winecfg does. The code it uses to do this is right here: https://source.winehq.org/git/wine.git/ ... ive.c#l267. Note that it's pure Windows code, and winecfg builds as a pure exe. Any Windows program can do what it does.
* The program can use the \\?\unix namespace to access files. This is what you get if you try to convert a path that doesn't have a drive mapping to a Windows path, using winepath -w. This namespace cannot be removed.
* The program can interact directly with the Linux kernel, using the syscall instruction. Here is an example of pure assembly code that does this: https://stackoverflow.com/questions/385 ... d-syscalls Note that it doesn't have to link any external libraries to accomplish this. You could put this assembly in a PE exe or dll, and it would work if it's run in Wine. You can use syscalls like open() and write() to access the filesystem.

All of these require the application to be aware that Wine exists and coded specifically for it, but none of them require an exploit of Linux. None of them require an exploit of Wine because there's no security layer in Wine to exploit (it's an example of https://devblogs.microsoft.com/oldnewth ... 0/?p=15273). The third one in particular would be impossible for Wine to prevent, given how it works.

The easiest proof of concept for one of these is to run something like: wine notepad '\\?\unix\etc\lsb-release'

If you want to do the same thing with a Windows program that's not bundled with Wine, you can use Notepad++: wine ~/.wine/drive_c/Program\ Files\ \(x86\)/Notepad++/notepad++.exe '\\?\unix\etc\lsb-release'
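Since Wine enforces nothing itself, the confinement madewokherd describes has to come from the kernel. The AppArmor profile below is an added example, not from this thread or the Wine project; it assumes a distro Wine installed under /usr/bin and /usr/lib*/wine with the default ~/.wine prefix, and it limits Windows programs to that prefix whether they remap drive letters, use the \\?\unix namespace or issue raw syscalls:

```apparmor
# Constructed example: /etc/apparmor.d/usr.bin.wine
# Assumed paths: Wine launchers in /usr/bin, modules in /usr/lib*/wine, prefix in ~/.wine.
# Workflow: load in complain mode, run your programs, review denials with
# journalctl -k | grep apparmor, add what is legitimately needed, then aa-enforce wine.
abi <abi/3.0>,
include <tunables/global>

profile wine /usr/bin/wine{,64,-preloader,64-preloader,server} flags=(complain) {
  include <abstractions/base>
  include <abstractions/X>
  include <abstractions/audio>
  include <abstractions/fonts>
  include <abstractions/nameservice>

  # Wine's own launchers, loader, server and built-in modules: read, mmap, exec only.
  /{usr/,}bin/{,ba,da}sh ix,
  /usr/bin/wine* ix,
  /usr/lib{,32,64}/wine/** mrix,
  /usr/lib/@{multiarch}/wine/** mrix,

  # The prefix is the only place a Windows program may write to or map code from.
  # AppArmor mediates the resolved path, so dosdevices/z: -> /, a remapped drive
  # letter, \\?\unix\... and a direct open() syscall all hit these same rules.
  owner @{HOME}/.wine/ rw,
  owner @{HOME}/.wine/** rwkm,

  # wineserver state directory and the sockets wine processes use to reach it.
  owner /tmp/.wine-[0-9]*/ rw,
  owner /tmp/.wine-[0-9]*/** rwk,
  unix (create, connect, send, receive, accept, bind, listen) type=stream,

  # wineserver reads and writes thread state of its own wine processes.
  ptrace (read, readby, trace, tracedby) peer=wine,
  signal (send, receive) peer=wine,

  # Everything not listed is denied by default. Make the attempts that matter most
  # visible in the log so a malicious program in the prefix is noticed, not just blocked.
  audit deny @{HOME}/.ssh/** rwklmx,
  audit deny @{HOME}/.gnupg/** rwklmx,
  audit deny @{HOME}/.mozilla/** rwklmx,
  audit deny /media/** rwklmx,
  audit deny /run/media/** rwklmx,
}
```

With this in enforce mode, the proof of concept above (wine notepad '\\?\unix\etc\lsb-release') is refused by the kernel and logged, because the decision is made on the real path /etc/lsb-release, not on anything Wine exposes to the program.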
Wildebeest
Level 2
Posts: 10
Joined: Mon Oct 11, 2021 10:33 pm

Re: What is the current thinking on preventing Wine running Windows malware...

Post by Wildebeest »

You seem to be getting hung up on the Z drive more than anything else. My system has 3 physical drives and a total of 7 partitions, including the swap and vfat for the EFI. One of these partitions contains my old Windows programs, most of which are more than 12 years old. Many need DOSBox to run, and that is a completely different story. Let's talk about where my Z drive in Wine points: the second partition of the first SATA drive is sda2, labeled "Chamber". When I install or update the Wine prefix, I redirect C and Z to this area using the GUI frontend winecfg to reroute the drive paths. This assures my home directory is not targeted by any unneeded setup files and extra clutter.

On the second drive I have my Linux OS running on an SSD in a 140 GB partition. This gives my OS plenty of room; as I said, I back it up to a key drive once a month. What irks me about people questioning the security of Linux OS: I have been running Linux since my departure from XP, and in that time I have never had a hiccup or a cough from the Linux OS. No malware has set foot upon my system since that time. Other machines running Windows (which I have to deal with on a regular basis) are constantly picking up malware while running 2 trusted anti-viral programs and firewalls. I am not spouting that Linux has titanium armor or God-like superpowers, but when clients allow me to replace their Windows with Linux, I seldom hear from them again. I currently make a lot of money from Windows systems; I only wish it wasn't at the cost of users' desire to suffer with it.

Have a better one!