digg

Facebook Connect Join Digg About

What would happen if you ran a Windows virus in Linux using wine?

ubuntuforums.org This is a funny thread on the Ubuntu forums describing what happens when you run a windows virus in Linux under wine. Who knew emulation worked this good?

Who dugg this? Made popular Feb 23, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

105 Comments

show profanity settings
expand all
  • geojams, on 10/12/2007, -42/+456Emulation doesn't work good, it works well. Things are good. You do something well.
  • frant1c, on 10/12/2007, -20/+287No, you should have written:

    What follows is a somewhat amusing forum thread from the forums of the famous Linux distribution, Ubuntu, in which it is hitherto described the unfolding of events which happen not long after the user initiates a virus program created for the Windows operating system in Linux operating system using the open source reverse engineered implementation of the windows API's for Linux and Macintosh OS X operating system, also known as wine. Who would have known that emulation works as well as it does, which is shown in the aforementioned thread?
  • shrewduser, on 10/12/2007, -23/+250Not only that but Wine really isn't an emulator, its an open source reverse engineered implementation of the windows API's for Linux and mac.

  • idonthack, on 10/12/2007, -8/+193Dugg for correct use of "hitherto".
  • dsn0wman, on 10/12/2007, -42/+217@shrewduser

    Yes you are right! I should have said; "who knew that open source reverse engineered implementation of the of the windows API's for Linux and mac worked so well?" That just rolls right of the tongue so nicely!
  • nzknzknzk, on 10/12/2007, -11/+167Wine
    Is
    Not an
    Emulator
  • nixfu, on 10/12/2007, -1/+72>Can someone explain to me how..is not an emulator?

    Just because you can program in OpenGL on Windows does not make the OpenGL programs in Linux "emulated".

    WINE is a complete implementation of the Windows programming APIs/Libraries which makes Windows programs run NATIVE on linux, there is no "emulation" layer involved. Its simply a different programming API that you can code to in Linux, just like QT or OpenGL, or C++ or whatever API you want to think of.

    VERY different than running a "emulator" that has to intercept every software call and make translations of some sort...there is NONE OF THAT going on with WINE, they actually have created the native linux libraries needed for you to run WIndows programs native on Linux.

    In fact you can use WINE to WRITE NATIVE linux programs using the Windows API...in fact you can take your win32 based souce code and just recompile it on Linux in many cases.



  • ellfaz, on 10/12/2007, -10/+59no1 expects you to do anything, if ur not gonna read it, dont comment
  • heffae, on 10/12/2007, -0/+38I think the distinction between emulation and wine is that an emulator is translating from one platform to another. Wine is not translating an application into a structure that the Linux API can understand it is allowing the application to run natively in Linux. A bad analogy would be if you were to go to France. You have two options to communicate with the French, bring a friend along who speaks French and will translate back and forth between English and French (emulation) or learn French so that you communicate directly in French. Wine in essence teaches Linux how to speak windows.
    I'm sure someone with more of a programing background could explain it better but I think that's the gist of it.
  • thewhitefedora, on 10/12/2007, -3/+37Linux says: Hey Windows, what's up?
    Windows: You suck and I'm superior
    Linux: Is that why I have to drink alot of WINE to act like you?
  • harlowsmonkeys, on 10/12/2007, -1/+33The history of "Wine Is Not an Emulator" is kind of interesting. If you go back and look at the release notes for each version or the FAQ and other documentation, you'll see it originally WAS "WINdows Emulator". It stayed that way for most of its early history. The "Wine Is Not an Emulator" thing was suggested when Microsoft trademarked "Windows" and there was some concern on the WINE list over whether or not they could get in trouble.

    However, this suggested was not taken. Pretty much everything (release notes, documentation, etc) continued saying it was "WINdows Emulator". The trademark issue was not considered to be a problem. It continued this way for quite a while.

    What got them to change was user perception. WINE is in fact an emulator, according to most accepted definitions of emulator. However, the most prominent emulators are emulators of hardware, not emulators of software. For example, things like Virtual PC, which emulated x86 hardware on PowerPC, MAME that emulates arcade game hardware, and so on. Hardware emulators are almost always very slow compared to the hardware they are running on.

    The concern was that if attention were drawn to WINE being an emulator, most people would think that this means it emulates x86 hardware, and that it is very slow.

    For a while, the documentation with each release said that WINE was either "WINdows Emulator" or "Wine Is Not an Emulator", take your pick. That went on for a while. Eventually, the first alternative was dropped, leaving us where we are now.

    Note that there were no technical changes in the basic way WINE works between the early years, when the name officially meant "WINdows Emulator", and now, when it officially means "Wine Is Not an Emulator". It was an emulator then, and so it is still an emulator now.

    Keep this in mind if correcting someone who calls WINE a Windows emulator. Whether they are wrong or right depends on whether they are talking about the meaning of the name or the technology by which WINE lets you run Windows applications.
  • kethraal, on 10/12/2007, -2/+34You're clever... but wrong.

    SNES9X _is_ an emulator -- it emulates the CPU found in the SNES, along with all the hardware. Wine, on the other hand, doesn't emulate any hardware -- it implements an API. There's a big difference (or at least there is to people who know what APIs, etc. are.)
  • washcapsfan37, on 10/12/2007, -1/+29I agree. Reading your comment was a waste of time. I want the last 2 seconds of my life back.

    ... awww, I'd probably just waste it anyway.
  • phaed, on 10/12/2007, -7/+35@frantic

    It would still be wrong being that you used the word emulation again. Wine is not an emulator of anything. Its an implementation of the windows API. Say a program calls CreateProcess() function. This is a user level function that will create a process via a system call. If you want to be able to run this program in linux, well then you better create a CreateProcess() function that will do the same thing using linux compatible system calls. Repeat this process for all commonly used functions in the windows API and then you have an implementation of it for linux.
  • foreplay, on 10/12/2007, -1/+22probably worth a try with blaster but it wont shutdown linux it would probably just crash wine which lets face it aint too hard.

  • madmax85, on 10/12/2007, -2/+23-bash-2.05b# wine msblast.exe
    Shutdown in 60 seconds...
    Shutdown of operating system begins. (Shut 1)
    Shutdown of user processes begins. (Shut 2)
    Shutdown of jobs & sessions begins. (Shut 3)
    ...Press any key to reboot
  • inactive, on 10/12/2007, -1/+21if you read some of the post, he said those files were all downloaded at the time of running the virus.
  • whymanwhy, on 10/12/2007, -2/+21I HAVE NO IDEA WHAT THE HELL YOU PEOPLE ARE TALKING ABOUT
  • falloutsyndrome, on 10/12/2007, -5/+24Trovalds would break out of your screen slap you in the face and then turn you into pure source code.
  • trogdoor, on 10/12/2007, -5/+23Just run wine as an underprivileged user that only has read and write access to ~/.wine ( I would't even give it read access to / as it could read and transmit sensitive data ). Windows privilege escalation attacks don't work in wine ( the emulation isn't THAT good :) )and the virus will think that it has Administrator privileges and access to the entire ( fake ) C: drive anyways, it's like a chroot jail.
  • DataPath, on 10/12/2007, -0/+17Microsoft has multiple different implementations of the Win32 API. They have the Win9x implmentation, the WinNT implementation, the WinCE implementation, and a few others that I can't remember. Those are all running on top of different kernels. Someone besides microsoft (WINE) made their own implementation on top of the linux kernel.

    That's it. Pretty simple. No emulation - just a bunch of libraries that abstract access to the system in a specific way.
  • jambarama, on 10/12/2007, -2/+19Then allow me to summarize. He runs the virus under WINE, my guess is he ran it sudo, could be wrong. He was sniffing his traffic with etherape and found the computer was making dozens of connections all around the world and downloading additional viruses and crapware and scattering it across /usr and his home directory.

    The thread goes downhill the longer it goes on, a bunch of other people get on asking for virus removal help, and a bunch of new articles about Windows viruses on Linux get posted. Pretty entertaining.
  • SteelFrog, on 10/12/2007, -1/+16Yeah, basically when the virus is run, it creates copies of itself with various "Oooh, I should check that out" file names like pr0n, 3D Studio Max and other software titles. Anything to get a poor sucker to click on it.
  • ayeroxor, on 10/12/2007, -1/+16"no1 expects you to do anything, if ur not gonna read it, dont comment"

    no1? ur?

    Aren't kids supposed to be in school right now where you are?
  • neko, on 10/12/2007, -0/+11I'm actually a little concerned that windows exes might one day become a viable attack vector on Linux systems - No! Wait! Bear with me!

    If someone downloads a bash script, via the web or email, they won't be able to run it until they flick on the executable bit via chmod or some other way. This is one of the great features of UNIX file permissions, you have to explicitly state that you want to be able to execute this file.

    But with a .exe file - do Wine and Mono check that the file must be marked +x first? Is it possible for Nautilus or Konqueror to execute the file directly if they've got some sort of association for .exe -> wine / mono? I keep worrying that some Gnome developer is going to say "let's make this more friendly" and make some MIME handler for application/x-mswindows...

    Naturally, the most this can do is trash someone's home directory, or set up some sneaky zombie cron job - but in general getting one's home directory trashed is not a nice experience.

    Also, in winecfg, there doesn't seem to be any ability to mark a mapped drive as being "readonly" - that's something I think is important. I don't care if it mucks up it's virtual c drive, but I don't want it touching my files! Obviously a chroot would solve things nicely, but they're a bit of a pain to set up, even with schroot. It'd be nice if Wine could do it transparently like some FTP servers etc.
  • condormcs, on 10/12/2007, -0/+10just thinking about windows viruses makes my face hurt
  • wastern, on 10/12/2007, -0/+9I just tried to explain to a guy at work why he shouldn't run as root all the time. After about 30 minutes he sort of got it, but I don't think he's going to stop

    He thinks because he's the administrator for the computer that he should be using the root account. Some people have just enough knowledge to be really dangerous
  • PFS1, on 10/12/2007, -2/+11I like how the "tags" for the thread are just the words in the subject all rearranged.
  • dougm68, on 10/12/2007, -3/+12Well done to the guy who was brave enough to risk it.
    --------------------------
    He was brave?
    What about his poor linux box that was helplessly forced to sacrifice its /home directory just for the misguided sadistic curiosity of this Torvald ball licker?

    ~who is to blame?
  • elipabst, on 10/12/2007, -1/+10It's like a village full of village idiots there. Gee I wonder what happens if I run Windows viruses through WINE in parts of my filesystem where I keep important Windows executables? Ohh NOES I trashed my filesystem, that's unpossible!!!

    Why the hell would you intentionally download and execute malware in anything that's not sandboxed or at least could be reformated with ease? Especially when this has already been done and shown that some Windows malware is at least partially functional under WINE:
    http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss
  • mikev, on 10/12/2007, -0/+8"Aren't kids supposed to be in school right now where you are?"

    They should, but it doesn't mean they are. :/
    This goes to show how many new users the "digg it" button on YouTube has brought in...
  • inactive, on 10/12/2007, -0/+6Has anybody ever ran shutdown.exe in Wine?
  • vvelox, on 10/12/2007, -0/+6Very possible. On some systems firefox will actually ask you if you wish to run a .exe with wine.

    Not just linux, but any other system capable of running wine.
  • nofxjunkee, on 10/12/2007, -1/+7@davidlow: pick your battles. you can use the word emulate to mean whatever the ***** you want it to mean, but if everyone disagrees with you then you're just going to confuse people and piss them off. if you understand emulation and you understand what WINE is then you should have no trouble understanding that it's not an emulator at all and _why_ it is confusing to call it emulation.

    If you don't get it yet, then you need to learn more instead of arguing with people here. You're wasting your breath.
  • davidlow, on 10/12/2007, -20/+26@shrewduser
    "Wine really isn't an emulator, its an open source reverse engineered implementation of the windows API's"

    Can someone explain to me how a reverse engineered implementation of API's, carefully selected to match as closely as possible the complete set of API's found in Windows, is not an emulator?

    What definition of the word 'emulator' am I supposed to be using that makes sense of the acronym "Wine Is Not and Emulator" ???
  • Shirokun, on 10/12/2007, -1/+6A little tip I got.

    If you have wine installed and want to restrict it's action and usage to de Fake C (windows) folder created in /home/user/.wine just type: Winecfg

    Select the harddrives tab
    Once there remove the entries you don't want, and wine will only see and act within the folders you want him to see and act.

    Thanks juhanfg for the tip!
  • wastern, on 10/12/2007, -6/+11>>Can you really read these definitions and tell me that Wine does not do these things called emulation?

    yes, because WINE is an acronym that stands for:

    Wine Is Not an Emulator

    So, well.....its not an emulator. I think the creators/developers know a little better then you exactly what it is
  • grumpyrain, on 10/12/2007, -0/+4A normal person would have tested it in a VMWare session, you know, the whole idea of a sandbox.
  • Oldschoolhack, on 10/12/2007, -0/+4That was pretty informative. Dugg for the experiment and informative followup.
  • MightyGiant, on 10/12/2007, -0/+4ardchoille42: "This one of the reasons I feel that using wine is a bad idea."

    Zyphrexi: "well perhaps the wine devs don't expect us to RUN viruses..."

    lol
  • crashie, on 10/12/2007, -1/+5chmod +x doesn't make Linux (or UNIX or Mac) more secure. There are many file types (other than .exe) that may contain code (and viruses) that don't need to have the eXecutable bit.

    What makes Linux secure is the default settings. For example, users don't have access to things outside their own directory by default, they can't insert code into the kernel, etc...
  • inactive, on 10/12/2007, -0/+4Wine originally stood for WINdows Emulator.
    They came up with the new name to be snarky. It's a joke.

  • powatom, on 10/12/2007, -1/+5Sounds to me like it's safer to break my own legs to stop myself falling over when I walk outside.
  • foolfromhell, on 10/12/2007, -0/+3At the bottom of the list to where it copied itself to...
    "/home/mustard/.local/share/The Sims 3 crack.exe: Worm.SomeFool.Gen-2 FOUND"
    /home/mustard/.local/share/Microsoft WinXP Crack.exe: Worm.SomeFool.Gen-2 FOUND
    /home/mustard/.local/share/Teen Porn 16.jpg.pif: Worm.SomeFool.Gen-2 FOUND
    /home/mustard/.local/share/Adobe Premiere 9.exe: Worm.SomeFool.Gen-2 FOUND
    /home/mustard/.local/share/Adobe Photoshop 9 full.exe: Worm.SomeFool.Gen-2 FOUND
    /home/mustard/.local/share/Porno Screensaver.scr: Worm.SomeFool.Gen-2 FOUND
    /home/mustard/.local/share/XXX hardcore pic.jpg.exe: Worm.SomeFool.Gen-2 FOUND
    /home/mustard/.local/share/Microsoft Office 2003 Crack.exe: Worm.SomeFool.Gen-2 FOUND
    /home/mustard/.local/share/mime/1000 Sex and more.rtf.exe: Worm.SomeFool.Gen-2 FOUND
    /home/mustard/.local/share/mime/Keygen 4 all appz.exe: Worm.SomeFool.Gen-2 FOUND
    And more...
    Thats a lot of pirated software, porn, and especially kiddie porn...
  • Sepeteus, on 10/12/2007, -1/+4I think I'm going to install Win95 on VmWare and let it access the internets without an antivirus software.
  • UnFriendlyFire, on 10/12/2007, -0/+3What would happen if you ran a Windows virus in Linux using wine?

    It would A) Do nothing
    B) Corrupt the thread (process) that was running WINE
    C) Rip a hole in the fabric of space
  • inactive, on 10/12/2007, -0/+3kethraal: Couldn't you say that it EMULATES an API? I think the point foxmajik was trying to make is that you're arguing semantics. It's almost as annoying as the "hacker"/"cracker" debates.

    According to Wikipedia, "A software emulator allows computer programs to run on a platform (computer architecture and/or operating system) other than the one for which they were originally written." Also, as others have said, WINE originally stood for WINdows Emulator.
  • inactive, on 10/12/2007, -0/+3Really annoying and dumb
    Don't click! He gets money from that. Though I wonder who would anyway...
    And posting 1mil of the same link is more effective?
  • benthere, on 10/12/2007, -1/+3@harlowsmonkeys

    If what you're saying is correct, it was likely changed to match GNU, LAME, etc:

    GNU is
    Not
    Unix

    LAME
    Ain't an
    Mp3
    Encoder

    and so on.
  • Sicarul, on 10/12/2007, -0/+2Actually, you can just remove the / directory as a wine drive and it IS safer, it will just be able to cripple your fake C: directory.
  • Fetching more discussions...
    Show 51 - 100 of 105 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.