Wine & viruses

Mihai Donțu mihai.dontu at gmail.com
Tue Feb 17 10:44:58 CST 2009


On Tuesday 17 February 2009, Martin Hinner wrote:
> Hi,
>
>   I will start one more hot discussion. Sorry if it was discussed
> earlier, I am not a regular reader of this mailing-list. I tried to
> search Google, found several discussions, but no real result:
>
> http://www.linux.com/feature/42031
> http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
> https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
> wine-devel mailing list google results
>
>   The problem is that some (almost all?) distributions simply execute
> the .exe file when you click on it. I was amazed when testing JTAGTest on
> Linux! This is in my opinion quite a big issue, as ordinary users do not
> have a problem clicking on "New folder.exe" on their flashdisk etc. It's
> good that wine is so compatible that it runs even viruses, but I think
> there should be some (optional) protection. The biggest problem seems
> to be removable media, in many distributions mounted under /mnt or
> /media. Please think about this twice before writing "the problem is in
> Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too
> childish IMO.
>
> - What about creating a configurable list of directories, where wine
> would first ask if you really want to execute the program? It would be
> up to the distribution what is set up by default.
>
> - I have been interested in viruses for a long time, and I think that
> 90% of the most common virus-infected/trojan .exe files can be pretty
> easily identified. Almost every modern virus tries to connect to
> the internet, either by opening a socket or using a few standard DLL
> functions. What about adding some checks to Wine that would check the
> calling function's code sample against some small database to see if
> this is a virus and ask the user? Or adding some "API" functions to allow
> someone to write such a program? I have done quite a lot of work with PE
> loading and code modification and I think it could be brought to a level
> where it works without crashing anything.
>
> I understand that none of this is a system solution. But are
> anti-viruses a system solution? They solve a real-world problem.
>
> Regarding the API I have mentioned above, I mean some hookdll() function
> that would re-direct GetProcAddress() or the PE loader for defined
> functions, i.e.:
> http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c3639
> http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c127
>
> Obviously this would have to be global for wine (libwine.so?), not a
> PE exported API function. A pre-loaded "antivirus" would be able to
> hook Winsock functions + some other important stuff and then check that
> the binary code is not on the list.

I think that soon there will no longer be a need to hack wine in order to 
prevent the spread of malware. There is already work in progress on an API (a 
derivative of dazuko) that will allow for antivirus scanners to intercept all 
filesystem accesses and scan for, well, viruses. It seems to me that this is 
the right way to go.

-- 
Mihai Donțu
