Wine & viruses

Kai Blin kai.blin at gmail.com
Wed Feb 18 01:47:44 CST 2009


On Tuesday 17 February 2009 17:11:20 Martin Hinner wrote:
> Hi,
>
>   I will start one more hot discussion. Sorry if it was discussed
> earlier; I am not a regular reader of this mailing list. I tried to
> search Google and found several discussions, but no real result:
>
> http://www.linux.com/feature/42031
> http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
> https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
> wine-devel mailing list google results
>
>   The problem is that some (almost all?) distributions simply execute
> an .exe file when you click on it. I was amazed when testing JTAGTest on
> Linux! This is in my opinion quite a big issue, as ordinary users do not
> have a problem clicking on "New folder.exe" on their flash disk etc. It's
> good that wine is so compatible that it runs even viruses, but I think
> there should be some (optional) protection. The biggest problem seems
> to be removable media, in many distributions mounted under /mnt or
> /media. Please think about this twice before writing "the problem is in
> Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too
> childish IMO.

People who analyze malware seem to use wine to figure out what API calls the 
malware is making. Seems like a very good use of Wine to beat the bad guys.

I don't see anything childish about Wine's decision to be bug-for-bug 
compatible with Windows.

> - What about creating a configurable list of directories where wine
> would first ask if you really want to execute the program? It would be
> up to the distribution what is set up by default.

What about having the system virus scanner scan all files you download before 
executing them in Wine or any other program? Just because there's not that 
many viruses/trojans for Linux yet doesn't mean it's going to stay that way.

> - I have been interested in viruses for a long time, and I think that
> 90% of the most common virus-infected/trojan .exe files can be pretty
> easily identified.

Yes, if you keep a virus database like virus scanners do. It's a huge pain to 
keep those up-to-date. We don't want to deal with that stuff in Wine, there's 
enough work left without also pretending to be a virus scanner.

> Almost every modern virus is trying to connect to 
> the internet, either by opening a socket or using a few standard DLL
> functions. What about adding some checks to Wine that would check the
> calling function's code sample against some small database to see if
> this is a virus and ask the user? Or adding some "API" functions to allow
> someone to write such a program? I have done quite a lot of work with PE
> loading and code modification and I think it could be brought to a level
> where it works without crashing anything.

Right. A pop-up box is going to be the solution. Especially as users 
(especially people used to Windows, like most Wine users) have learned that these 
pop-ups have two buttons, one saying "Go away and do what I told you" and one 
saying "Annoy me by not running my program". How many normal users will ever 
bother to read the text on Vista's UAC pop-ups?

> Obviously this would have to be global for wine (libwine.so?), not a
> PE-exported API function. A pre-loaded "antivirus" would be able to
> hook Winsock functions + some other important stuff and then check that
> the binary code is not on the list.

If you're really interested, look into resurrecting 
http://wiki.winehq.org/ClamAntiVirusIntegration

It has probably bitrotted in the last two years, but it'd at least give you an 
idea of how something like this could be done.

Cheers,
Kai

-- 
Kai Blin
WorldForge developer  http://www.worldforge.org/
Wine developer        http://wiki.winehq.org/KaiBlin
Samba team member     http://www.samba.org/samba/team/
--
Will code for cotton.
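One way to implement the "ask before running from removable media" idea from the original post together with the "scan it first" suggestion in the reply, as an added example that is not code from Wine, from either poster, or from the ClamAntiVirusIntegration page: a small wrapper that a distribution could register as the click-to-run handler for .exe files in place of a bare `wine` call. The `WINE_GUARD_DIRS` variable, its default list of mount points, the function names and the folder-mimic heuristic are all assumptions made for this example; `clamscan` and its `--infected`/`--no-summary` flags and exit codes are real.

```shell
#!/bin/sh
# Added example, not part of Wine or any distribution: a guard a desktop
# could install as the .exe handler instead of invoking wine directly.
# WINE_GUARD_DIRS, the default list and the function names are assumptions.

# Colon-separated directories (typically removable-media mount points)
# in which an .exe must be confirmed before it runs. The distribution or
# the user can override the default.
WINE_GUARD_DIRS="${WINE_GUARD_DIRS:-/media:/mnt:/run/media}"

# Print one reason per line why $1 (an absolute path) deserves a prompt.
# Prints nothing when no rule matches. $2 optionally overrides the list.
guard_reasons() {
    exe=$1
    dirs=${2:-$WINE_GUARD_DIRS}

    # Rule 1: the file lives under a guarded mount point.
    old_ifs=$IFS
    IFS=:
    set -- $dirs
    IFS=$old_ifs
    for d in "$@"; do
        d=${d%/}                       # tolerate a trailing slash in the list
        [ -n "$d" ] || continue
        case $exe in
            "$d"/*) echo "guarded-location:$d" ;;
        esac
    done

    # Rule 2 (heuristic): the classic USB-worm disguise. The worm hides a
    # real folder and drops "<folder name>.exe" with a folder icon beside
    # it, so a directory of the same base name next to the executable is
    # a strong warning sign.
    dir=$(dirname "$exe")
    base=$(basename "$exe")
    stem=${base%.*}
    if [ "$stem" != "$base" ] && [ -d "$dir/$stem" ]; then
        echo "folder-mimic:$dir/$stem"
    fi
}

# Run the system scanner if one is installed. clamscan exits 0 for clean,
# 1 for infected and 2 on error, so any non-zero status refuses to run.
# Without a scanner we only warn; a stricter site policy could refuse here.
scan_clean() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --no-summary --infected "$1"
    else
        echo "warning: no virus scanner found, skipping scan" >&2
    fi
}

# Entry point: guard_wine /path/to/program.exe [args...]
guard_wine() {
    exe=$1
    shift
    # Resolve symlinks and ".." so the location rule sees the real directory
    # (a symlink on the desktop pointing into /media still counts).
    real=$(readlink -f "$exe" 2>/dev/null || printf '%s\n' "$exe")
    reasons=$(guard_reasons "$real")
    if [ -n "$reasons" ]; then
        printf 'About to run %s with Wine.\nWarning signs:\n%s\n' \
            "$real" "$reasons" >&2
        printf 'Run it anyway? [y/N] ' >&2
        read -r answer
        case $answer in
            y|Y) ;;
            *) echo "not running $real" >&2; return 1 ;;
        esac
    fi
    if ! scan_clean "$real"; then
        echo "refusing to run $real: scanner did not report it clean" >&2
        return 1
    fi
    exec wine "$real" "$@"
}

# Act as a wrapper only when given a program, so the functions can also be
# sourced and reused without side effects.
if [ $# -gt 0 ]; then
    guard_wine "$@"
fi
```

The decision logic is kept in `guard_reasons`, separate from the prompt and the scanner, so a distribution can tune the directory list without touching the interactive part, and so the prompt only appears when a rule actually fires rather than on every launch, which is the habituation problem the reply describes.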