Hello,
Does anybody know if the trojan gatecrasher would be able to run in a Linux system with wine?
I am using XUbuntu and had a warning in my firewall about port 6969 which is used by Gatecrasher trojan.
Of course, for security reasons, I formatted my computer.
Could a Gatecrasher trojan be running in my system if I was using wine?
Thank you for your help
Gatecrasher infecting wine?
Re: Gatecrasher infecting wine?
http://wiki.winehq.org/FAQ#head-3cb8f05 ... 4e305a0459
josebelda wrote:
Does anybody know if the trojan gatecrasher would be able to run in a Linux system with wine?
Really depends on what it is and how it installs itself.
On 09.02.2010 13:31, josebelda wrote:
Note that unless the worm/virus/trojan specifically targets wine, removing ~/.wine
would be enough; re-formatting the whole system is not necessary.
Running wine from a separate user (that cannot easily obtain root via sudo [like
the usual "desktop user/admin"], does not have access to private user data
[~/.mozilla/*/*/{signons,cookies}* and alike], and, maybe, has limited network
access [with something like
iptables -N winejail
iptables -A winejail -j REJECT
iptables -A OUTPUT ! -o lo -m owner --uid-owner wineuser -j winejail
plus some rules to specifically allow network on some ports/addresses:
iptables -I winejail -p tcp --dport 80 -j ACCEPT
iptables -I winejail -p tcp -d ${dns-server} --dport 53 -j ACCEPT
iptables -I winejail -p udp -d ${dns-server} --dport 53 -j ACCEPT
]) would also help limit damage from such an incident, even with wine-aware viruses.
BTW, does anyone know if wine-aware malware (that is able to use int $0x80 to
bypass the ~/.wine/dosdevices jail, etc.) already exists in the wild, or is it still
only a theoretical threat?
PS: And I don't know where the topic starter got the idea that port 6969 is used only by
malware; as a quick lookup at google:// shows, this port is frequently used by
torrent trackers.
Thank you very much for your reply.
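The per-user egress jail Yuriy sketches above, written out as a small POSIX shell script. This is an added example, not code from the post or from the Wine project. It uses the negation syntax current iptables accepts ("! -o lo" rather than the older "-o ! lo"), takes the wine user, the DNS server and the allowed TCP ports as parameters (the names wineuser and the address 192.0.2.53 are constructed placeholders), and can print the rules without root so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the forum post): per-user outbound firewall jail
# for a dedicated wine account, in current iptables syntax.
#
# winejail_rules USER DNS_SERVER [TCP_PORT...]
#   prints the iptables commands, one per line, in the order they must run:
#   create the chain, reject by default, steer the user's traffic into it,
#   then insert the allow rules in front of the REJECT.
winejail_rules() {
    user=$1
    dns=$2
    shift 2
    echo "iptables -N winejail"
    echo "iptables -A winejail -j REJECT"
    # Only packets owned by the wine user and leaving via a non-loopback
    # interface enter the jail; every other account is unaffected.
    echo "iptables -A OUTPUT ! -o lo -m owner --uid-owner $user -j winejail"
    # -I inserts at the top of the chain, i.e. before the REJECT appended above.
    echo "iptables -I winejail -p tcp -d $dns --dport 53 -j ACCEPT"
    echo "iptables -I winejail -p udp -d $dns --dport 53 -j ACCEPT"
    for port in "$@"; do
        echo "iptables -I winejail -p tcp --dport $port -j ACCEPT"
    done
}

# winejail_teardown USER
#   prints the commands that undo winejail_rules (unhook, flush, delete).
winejail_teardown() {
    user=$1
    echo "iptables -D OUTPUT ! -o lo -m owner --uid-owner $user -j winejail"
    echo "iptables -F winejail"
    echo "iptables -X winejail"
}

# winejail_apply USER DNS_SERVER [TCP_PORT...]
#   runs the generated commands; needs root. Set WINEJAIL_RUNNER=echo to
#   dry-run and just see what would be executed.
winejail_apply() {
    winejail_rules "$@" | while IFS= read -r cmd; do
        ${WINEJAIL_RUNNER:-} $cmd
    done
}

# Stand-alone use: dry-run with constructed placeholder values.
if [ "${1:-}" = "--demo" ]; then
    WINEJAIL_RUNNER=echo winejail_apply wineuser 192.0.2.53 80 443
fi
```

Allowing only the DNS server on port 53 and a short list of TCP ports means a program running as wineuser that tries to reach anything else gets an immediate REJECT, which also shows up in the firewall log the original poster was already watching.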
Yuriy Kaminskiy, the best way is not to open particular ports for wine in the first place.
josebelda, Linux is different from Windows. Formatting is not the only solution.
Package management means a 1-to-1 search for alterations can be performed. Know the enemy you are taking on.
Wine always needs to be taken with care, because software in wine has similar problems to Windows.
Basically, if your system is breached and you don't know how, a person can always reuse the same breach.
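The "1-to-1 search for alterations" mentioned above, as an added example that is not part of the post. On Debian and Ubuntu, dpkg keeps a checksum list for every installed package under /var/lib/dpkg/info/PACKAGE.md5sums, one line per file in the form "md5  path" with the path relative to /; the debsums tool and "dpkg --verify" compare the files on disk against those records. The script below reimplements that core comparison so it can be run against a constructed sample tree (the file names under it are invented), which makes the kind of report you get when an installed file has been altered or removed visible without needing dpkg on the machine.

```shell
#!/bin/sh
# Added example (not from the forum post): verify installed files against a
# dpkg-style md5sums list, the check that package management makes possible.
#
# verify_md5sums_list LISTFILE [ROOT]
#   LISTFILE has lines "md5  relative/path" (the format of
#   /var/lib/dpkg/info/*.md5sums); ROOT defaults to /.
#   Prints "CHANGED path" or "MISSING path" per discrepancy and returns the
#   number of discrepancies (0 means every listed file matches its record;
#   the shell caps a return value at 255).
verify_md5sums_list() {
    list=$1
    root=${2:-/}
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue            # skip blank lines
        file="${root%/}/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED $path"
            bad=$((bad + 1))
        fi
    done < "$list"
    return $bad
}

# make_sample_tree DIR
#   Constructed sample: a fake install root with three "package" files,
#   a checksum list recorded while they are pristine, then one file is
#   tampered with and one is deleted so the verifier has something to report.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/usr/bin" "$dir/usr/lib/wine"
    printf 'original wine launcher\n' > "$dir/usr/bin/wine"
    printf 'original helper\n'        > "$dir/usr/lib/wine/helper.so"
    printf 'untouched\n'              > "$dir/usr/bin/winecfg"
    (cd "$dir" && md5sum usr/bin/wine usr/lib/wine/helper.so usr/bin/winecfg) \
        > "$dir/pkg.md5sums"
    printf 'tampered wine launcher\n' > "$dir/usr/bin/wine"   # altered after install
    rm "$dir/usr/lib/wine/helper.so"                          # removed after install
}

# Stand-alone use: build the sample tree, check it, print the count.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    verify_md5sums_list "$tmp/pkg.md5sums" "$tmp" || echo "discrepancies: $?"
    rm -rf "$tmp"
fi
```

On a real system the same function can be pointed at one package's list, for example verify_md5sums_list /var/lib/dpkg/info/wine.md5sums /, though the stock tools do the same job with far less typing. The limitation to keep in mind is that the md5sums records live on the same disk as the files being checked; a check against a trusted copy (or the package archive itself) is the stronger form of the comparison.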