Gatecrasher infecting wine?

Locked
josebelda
Newbie
Posts: 2
Joined: Mon Feb 08, 2010 7:44 am

Gatecrasher infecting wine?

Post by josebelda »

Hello,

Does anybody know if the trojan gatecrasher would be able to run in a Linux system with wine?

I am using XUbuntu and had a warning in my firewall about port 6969 which is used by Gatecrasher trojan.

Of course, for security reasons I formatted my computer.

Could a Gatecrasher trojan be running in my system if I was using wine?

Thank you for your help
vitamin
Moderator
Posts: 6605
Joined: Sat Feb 23, 2008 2:29 pm

Re: Gatecrasher infecting wine?

Post by vitamin »

josebelda wrote: Does anybody know if the trojan gatecrasher would be able to run in a Linux system with wine?
http://wiki.winehq.org/FAQ#head-3cb8f05 ... 4e305a0459

Really depends on what it is and how it installs itself.
josebelda
Newbie
Posts: 2
Joined: Mon Feb 08, 2010 7:44 am

Post by josebelda »

Thank you very much for your reply.
Yuriy Kaminskiy

Gatecrasher infecting wine?

Post by Yuriy Kaminskiy »

On 09.02.2010 13:31, josebelda wrote:
Thank you very much for your reply.
Note that unless a worm/virus/trojan specifically targets wine, removing ~/.wine
would be enough; reformatting the whole system is not necessary.

Running wine from a separate user (that cannot easily obtain root via sudo [like
the usual "desktop user/admin"], does not have access to private user data
[~/.mozilla/*/*/{signons,cookies}* and the like], and, maybe, has limited network
access [with something like
iptables -N winejail
iptables -A winejail -j REJECT
iptables -A OUTPUT ! -o lo -m owner --uid-owner wineuser -j winejail
plus some rules to specifically allow network on some ports/addresses:
iptables -I winejail -p tcp --dport 80 -j ACCEPT
iptables -I winejail -p tcp -d "${DNS_SERVER}" --dport 53 -j ACCEPT
iptables -I winejail -p udp -d "${DNS_SERVER}" --dport 53 -j ACCEPT
]) would also help limit damage from such an incident even with wine-aware viruses.

BTW, does anyone know if wine-aware malware (that is able to use int $0x80 to
bypass the ~/.wine/dosdevices jail, etc.) already exists in the wild, or is it still
only a theoretical threat? :-)

PS: And I don't know where the topic starter got the idea that port 6969 is used only by
malware - as a quick lookup at google:// shows, this port is frequently used by
torrent trackers.
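
Added example, not part of the original posts: the winejail rules above written as an iptables-restore fragment, so the ACCEPT/REJECT order is explicit and the DNS servers are read from resolv.conf. It goes beyond the post by also producing an IPv6 variant, since iptables rules do not apply to IPv6 traffic; the function names and the uid/path arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore fragment for
# the "winejail" chain; the uid and resolv.conf path are supplied by the caller.

# Print the nameserver addresses of one family ("4" or "6") found in file $2.
# Entries that are not plain address characters are ignored.
resolv_nameservers() {
    awk -v fam="$1" '$1 == "nameserver" && $2 ~ /^[0-9A-Fa-f:.]+$/ {
        is6 = ($2 ~ /:/) ? 1 : 0
        if ((fam == "6") == is6) print $2
    }' "$2"
}

# $1 = family (4 or 6), $2 = numeric uid of the wine account, $3 = resolv.conf
winejail_rules() {
    case "$2" in
        ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1 ;;
    esac
    [ "$2" -ne 0 ] || { echo "refusing to jail uid 0" >&2; return 1; }
    printf '%s\n' '*filter' ':winejail - [0:0]'
    # Only traffic from the wine account that leaves the machine enters the jail.
    printf '%s\n' "-A OUTPUT ! -o lo -m owner --uid-owner $2 -j winejail"
    printf '%s\n' '-A winejail -p tcp --dport 80 -j ACCEPT'
    for ns in $(resolv_nameservers "$1" "$3"); do
        printf '%s\n' "-A winejail -p udp -d $ns --dport 53 -j ACCEPT"
        printf '%s\n' "-A winejail -p tcp -d $ns --dport 53 -j ACCEPT"
    done
    # Catch-all goes last, so the ACCEPT rules above are evaluated first.
    printf '%s\n' '-A winejail -j REJECT' 'COMMIT'
}
```

Load it as root with `winejail_rules 4 "$(id -u wineuser)" /etc/resolv.conf | iptables-restore --noflush`, and pipe the family-6 output to `ip6tables-restore --noflush`. Each load appends another OUTPUT jump, so apply it once per boot.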
oiaohm
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Post by oiaohm »

Yuriy Kaminskiy, the best way is not to open wine particular ports in the first place.

josebelda, Linux is different to Windows. Formatting is not the only solution.

Package management means a 1 to 1 search for alterations can be performed. Know the enemy you are taking on.

Wine always does need to be taken with care, because software in wine has similar problems to Windows.

Basically, if your system is breached and you don't know how, a person can always reuse the same breach.