First Wine-Aware malware?
Stefan Dösinger
stefandoesinger at gmx.at
Fri Apr 28 03:57:23 CDT 2006
Hi,
I just tried to run some "Malware Checker" just for fun in Wine, just out of
interest how many infected files it would find on a fresh .wine setup. Bad
security habit, I know :-| . This app was the "ErrorSafe Scanner" from
http://de.errorsafe.com/pages/scanner_de/index.php?aid=fastint_at_de_lng_ed2&lid=intlron&ex=1&p=&ax=1&h=
Don't blame me for system breakage if you go there ;-)
Well, I ran it in a fresh .wine with my unprivileged testing user (forgot to
remove the Z:\ drive :-( ). It started without showing anything, and created
some autostart registry entries. As it couldn't be killed with Ctrl+C, I
looked at the processes with ps to kill it. Well, I found a lot of
"ErrorSafeScannerInstall_de.exe -nag", but also this:
8835 pts/2 S+ 0:00 sh -c ping -w 1 instlog.errorsafe.com >/dev/null 2>/dev/null
8836 pts/2 S+ 0:00 ping -w 1 instlog.errorsafe.com
Well, it also showed a few wininet fixmes:
fixme:wininet:InternetCheckConnectionW
Is there something in Wine which executes the Unix shell to run ping,
redirecting all output to /dev/null? Or did this malware know about Wine and
Linux, and start the native apps, with the redirection?
Well, I will now do a complete security check on my whole Linux box :-(
(That's bad security too, I know, I should flatten the whole system)
BTW, that malware is described here:
http://www.symantec.com/avcenter/venc/data/errorsafe.html. This page seems to
describe an older version, as the registry entries were different.
Stefan
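What the ps listing above is consistent with, shown as an added example (this is not Wine's code and not anything from the message): a connectivity check that hands a command string to system(3) always goes through an intermediate "sh -c ..." process, which is exactly the parent/child pair in the listing, whereas a fork/exec implementation would show only the ping process. The function names, DEFAULT_HOST and the character whitelist are this example's own assumptions; whether the host name on Wine's real code path could ever come from an untrusted URL is not something the message establishes, so the whitelist is there to show the check one would want if it could.

```c
/* Added example: reproduces the process shape seen in the ps listing
 * (sh -c ping ... >/dev/null 2>/dev/null) and contrasts it with a
 * shell-free variant.  Not Wine's code; names below are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Host from the message's ps listing, used only as the default argument. */
#define DEFAULT_HOST "instlog.errorsafe.com"

/* Build the command line a system(3)-based check would hand to "sh -c".
 * Returns the exact text seen in the listing, or NULL if it does not fit.
 * Static buffer: not thread-safe, fine for a demo. */
const char *ping_command(const char *host)
{
    static char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "ping -w 1 %s >/dev/null 2>/dev/null", host);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return NULL;
    return cmd;
}

/* A host name that reaches system(3) is parsed by the shell.  Only letters,
 * digits, '.' and '-' are inert there; ';', '`', '$', spaces etc. would be
 * interpreted.  Returns 1 if the string is safe to interpolate, else 0. */
int host_is_shell_safe(const char *host)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-";
    if (host == NULL || *host == '\0')
        return 0;
    return strspn(host, allowed) == strlen(host);
}

/* Variant 1: shell out.  system(3) forks "sh -c <cmd>", which forks ping:
 * the two processes in the listing.  Returns 1 if ping succeeded, 0 if it
 * failed, -1 on error or when the host would be unsafe to interpolate. */
int check_connection_via_shell(const char *host)
{
    const char *cmd;
    int status;

    if (!host_is_shell_safe(host) || (cmd = ping_command(host)) == NULL)
        return -1;
    status = system(cmd);
    if (status == -1)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Variant 2: same check without a shell.  The host is a single argv element,
 * so no character in it can alter the command; output is discarded by
 * pointing the child's stdout/stderr at /dev/null.  ps would show only
 * "ping -w 1 <host>" with no "sh -c" parent. */
int check_connection_no_shell(const char *host)
{
    pid_t pid;
    int status;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        char *argv[] = { "ping", "-w", "1", (char *)host, NULL };
        if (devnull >= 0) {
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : DEFAULT_HOST;

    printf("shell command would be: %s\n", ping_command(host));
    printf("host is shell-safe: %d\n", host_is_shell_safe(host));
    printf("via shell: %d\n", check_connection_via_shell(host));
    printf("no shell:  %d\n", check_connection_no_shell(host));
    return 0;
}
```

Running this with any host and watching `ps` from a second terminal shows the difference directly: the first variant produces the "sh -c ping -w 1 ..." line from the message, the second does not. A host such as `example.com; id` is refused by the first variant and passed harmlessly as one argument by the second, which is the reason to prefer fork/exec over system() whenever part of the command string is not a compile-time constant.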