l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
November 4: Social gathering
Next Installfest:
TBD
Latest News:
Oct. 24: LUGOD election season has begun!
Page last updated:
2004 Jun 14 13:05

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] Linux viruses?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] Linux viruses?



On Sun, Jun 13, 2004 at 11:31:00AM -0700, Marianne Waage wrote:
> Bill Kendrick said:
> >Noticed this article on my newsticker just now:
> > Antivirus vendors await first Linux worm
> > http://www.infomaticsonline.co.uk/News/1155836
> >However, one line in the article piqued my curiosity:
> > Symantec reported that it has found three Linux viruses in the wild
> > since the start of 2004.
> >Anyone have any references to these three?
> 
> I always wondered what would happen if you got a virus through something
> emulated like Outlook under wine. There was some other program that let
> you run MS products under linux but I don't recall the name now.
> 
> -yams

One configures WINE with mappings between Linux directories and DOS
drives and also mappings between Linux files and DOS devices. I'm not
sure what your configuration is like, but we can hypothetically
discuss my WINE configuration.

$ ls -l .wine/dosdevices/
a:: -> /dev/fd0
c: -> /home/bloom/.wine/c_drive/
com1 -> /dev/ttyS0
com2 -> /dev/ttyS1
com3 -> /dev/ttyS2
com4 -> /dev/modem
d: -> /windowshd/
e: -> /tmp/
f: -> /home/bloom/.wine/../
lpt1 -> /dev/lp0

(I edited out a bunch of the unnecessary columns after pasting this
listing in.)

/windowshd/ is a read-only mounted NTFS partition which is my boot
partition when I boot to Windows. My software lives there, so I use it
in WINE to run maxplus.

You'll notice that the a: drive is hooked up to a device file
/dev/fd0. This doesn't seem to be properly configured. (I can't access
the floppy drive at all, but I don't particularly care). But it looks
like WINE could theoretically reformat a floppy.

c:, d:, e:, and f: are all mapped to folders. d: is
read-only. Additionally, com1, com2, com3, com4, and lpt1 are hooked
up to device files.

I only use WINE to run MaxPlus, but hypothetically assuming I ran a
piece of software that could contract a virus, here are the dangers.

If the virus decided it wanted to delete all of the files on the f:
drive, I would no longer have a UNIX home directory. If it decided it
wanted to format the f: drive, I imagine it would fail. Likewise for
the c: drive, although it would only be able to delete a few files,
not the whole home directory. For drive e:, /tmp has the sticky bit
set. WINE needs to get Linux permissions to access files, so a virus
could only delete temporary files that I owned. As I'm the only user
on my system, that's most of them -- but there is something there
owned by root, and WINE couldn't delete that. I tested out the d:
drive in the Windows 2000 command prompt, and WINE refused to let me
even read the drive, saying "Access Denied" - although I know it works
fine when I'm running MaxPlus.

I haven't tested this, but I imagine WINE has full TCP/IP network
access. A virus that started running on WINE could probably propagate
itself just like any other virus.

WINE applications can launch other WINE applications. When a new WINE
application is launched, a corresponding new UNIX WINE process is
launched to create that process. (I just verified this by experiment).

Perhaps the most critical feature Windows and WINE with respect to
a virus is that of auto-launching processes. In Windows, the Windows
Registry maintains a well-formatted, read-writable list of processes
launch on startup and login. Viruses simply add themselves to this
list. In Linux, it's possible for a virus to add itself to
automatically start at login, but much harder than on Windows,
(because the syntax of .profile or .login makes it much harder to
automatically add a process to the list, (because the syntax of
.profile or .login makes it somewhat harder to automatically add a
process to the list). In WINE, there is no such list (if there is, it's
ignored). The only process that starts when you start WINE is the one
you requested on WINE's commandline. Although Microsoft Outlook could
start a virus, it wouldn't come back up next time you started WINE.
(Unless Microsoft Outlook also maintained a list of programs to start
up when it started, in which case a virus could attack that list. But
there does not appear to be such a list, and if there is then programs
aren't attacking that list)

Conclusion:
A virus in WINE could:
* Start up, even automatically, the first time you were infected.
* Trash your Linux home directory.
* Mine the directories you gave it permission to access to find
  email addresses.
* Mass-mail itself to other people.
* Dial your modem or waste paper on your printer.

A virus in WINE could not:
* Format your hard drive.
* Trash other peoples' files.
* Start up automatically the next time you ran WINE.

Considering that some of the really critical abilities are missing in
WINE, I think running WINE is safer than running Windows.

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 10/14/2003. If you use GPG *please* see me about 
signing the key. ***** My computer can't give you viruses by email. ***

Attachment: signature.asc
Description: Digital signature

_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox


LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.