Wine & viruses

Martin Hinner martin at hinner.info
Tue Feb 17 10:11:20 CST 2009


Hi,

  I will start one more hot discussion. Sorry if it was discussed
earlier, I am not a regular reader of this mailing list. I tried to
search Google and found several discussions, but no real result:

http://www.linux.com/feature/42031
http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
wine-devel mailing list google results

  The problem is that some (almost all?) distributions simply execute
an .exe file when you click on it. I was amazed when testing JTAGTest on
Linux! This is in my opinion quite a big issue, as ordinary users have
no problem clicking on "New folder.exe" on their flash disk etc. It's
good that Wine is so compatible that it runs even viruses, but I think
there should be some (optional) protection. The biggest problem seems
to be removable media, in many distributions mounted under /mnt or
/media. Please think about this twice before writing "the problem is in
Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too
childish IMO.

- What about creating a configurable list of directories, where Wine
would first ask if you really want to execute the program? It would be
up to the distribution what is set up by default.

- I have been interested in viruses for a long time, and I think that
90% of the most common virus-infected/trojan .exe files can be pretty
easily identified. Almost every modern virus is trying to connect to
the internet, either by opening a socket or by using a few standard DLL
functions. What about adding some checks to Wine that would check the
calling function's code sample against some small database to see if
this is a virus and ask the user? Or adding some "API" functions to allow
someone to write such a program? I have done quite a lot of work with PE
loading and code modification and I think it could be brought to a level
where it works without crashing anything.

I understand that none of this is a system solution. But are
anti-viruses a system solution? They solve a real-world problem.

Regarding the API I mentioned above, I mean some hookdll() function
that would redirect GetProcAddress() or the PE loader for defined
functions, i.e.:
http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c3639
http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c127

Obviously this would have to be global for Wine (libwine.so?), not a
PE-exported API function. A pre-loaded "antivirus" would be able to
hook Winsock functions + some other important stuff and then check that
the binary code is not on the list.

Martin
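As an added illustration of the first proposal (a configurable list of directories where Wine asks before executing), here is a launch wrapper a distribution could install as its .exe handler. This is example code, not from the post or from the Wine project; the default directory list and the plain `wine <path>` invocation are assumptions, and the check resolves symlinks and `..` before comparing, so a path that merely starts with the string `/media` is not enough.

```python
#!/usr/bin/env python3
"""Hypothetical .exe launch wrapper: prompt before running programs that
live under configured directories (e.g. removable-media mount points)."""
import os
import subprocess
import sys
from typing import Callable, Iterable, List, Optional

# Constructed default list modelled on the mount points the post mentions;
# a real distribution would ship its own (hypothetical configuration).
DEFAULT_PROMPT_DIRS = ("/media", "/mnt", "/run/media")


def is_under(path: str, directory: str) -> bool:
    """True if `path`, after resolving symlinks and '..', lies inside `directory`.

    commonpath() compares whole path components, so '/mediafoo/x.exe' is not
    treated as being under '/media' the way a naive string-prefix check would.
    """
    real_path = os.path.realpath(path)
    real_dir = os.path.realpath(directory)
    try:
        return os.path.commonpath([real_path, real_dir]) == real_dir
    except ValueError:  # mixing absolute and relative paths
        return False


def needs_confirmation(exe_path: str,
                       prompt_dirs: Iterable[str] = DEFAULT_PROMPT_DIRS) -> bool:
    """Decide whether launching `exe_path` must first be confirmed by the user."""
    return any(is_under(exe_path, d) for d in prompt_dirs)


def build_launch(exe_path: str, ask: Callable[[str], bool],
                 prompt_dirs: Iterable[str] = DEFAULT_PROMPT_DIRS) -> Optional[List[str]]:
    """Return the argv to run (assumed: plain `wine <path>`), or None if declined."""
    if needs_confirmation(exe_path, prompt_dirs) and not ask(exe_path):
        return None
    return ["wine", os.path.realpath(exe_path)]


def _ask_on_terminal(exe_path: str) -> bool:
    answer = input(f"Run {exe_path!r} from removable media? [y/N] ")
    return answer.strip().lower() == "y"


if __name__ == "__main__":
    argv = build_launch(sys.argv[1], _ask_on_terminal)
    sys.exit(0 if argv is None else subprocess.call(argv))
```

A desktop integration would replace `_ask_on_terminal` with a graphical dialog; the decision logic stays the same.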
