
Re: Questions about Defragging or Antivirus? Look here first!

Posted: Fri Oct 16, 2009 2:55 am
by Sontaran
Hello,

Can some Windows spyware, keyloggers or other malware run on Linux if Wine is installed?

I've tested running Windows software on Wine without having first installed it through Wine
(basically, just went to the Windows partition and ran it from the Program Files folder).
Some works OK (eg. Irfanview), some doesn't, some works partly.
This led me to suspect that some of the spyware out there might also have this ability.

Are my fears realistic, or does something about Linux or Wine prevent malware exploits through this route?

Thanks!!

Sontaran

(P.S.:
Today, I found the file iexplore.exe in Mint's trash and its size was only about 2.5kB. Obviously, not the real Internet Explorer, and I have no idea how it got there. Upon seeing this, I deleted it, installed Avast for Linux, uninstalled Wine, and went looking for antispyware for Linux, but didn't see one by a reputable source.)

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Fri Oct 16, 2009 4:20 am
by Husse
A Windows virus can run in Wine and similar, but can not do any harm to your Linux - at worst it can copy files to your home
There is a (very) lengthy thread on the subject in the Ubuntu forums - a couple of years old but still valid

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sat Oct 17, 2009 2:33 am
by Sontaran
Thank you, Husse ! :D

This got me looking in the right direction.

Some of the better bits I found:

http://www.avertlabs.com/research/blog/ ... -in-linux/
"Although it is difficult for malware to autostart in Wine, it is not impossible. Malware can be written to find out if it is running in Wine. It can then either download a Linux binary onto the machine and/or simply add an autostart entry for itself in the Linux desktop environment’s common autostart locations, using the nonroot user’s credentials :shock: ........ IRC/Contact malware drops files and connects to a preconfigured IRC server. :shock: This IRC Trojan, when ran in Wine, connected to the preconfigured IRC server."
"...Do not set the file association for Windows executables with Wine. This would enable the running of Windows executables in Wine by simply double-clicking them."

Also:
http://www.winehq.org/pipermail/wine-de ... html#73505
especially: http://www.winehq.org/pipermail/wine-de ... 73548.html

http://www.psychocats.net/ubuntu/Sucuri ... lantivirus
"There are rootkit detectors in the repositories—rkhunter and chkrootkit, for example." :D

I think I'll leave Wine off my system for now...
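
The two defensive points in the quoted passages above (autostart entries written with the non-root user's credentials, and a file association that hands Windows executables to Wine on double-click) can be checked per user. The script below is an added example, not part of the original thread or of any tool it mentions; the MIME type list, the function names and the sample home directory are assumptions made for illustration.

```python
import configparser
import tempfile
from pathlib import Path

# MIME types desktops commonly assign to Windows executables (assumed, not exhaustive).
EXE_MIME = {"application/x-ms-dos-executable", "application/x-msdownload",
            "application/vnd.microsoft.portable-executable"}

def read_ini(path):
    """Parse an INI-style .desktop or mimeapps.list file; None if unparsable."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keys such as Exec are case-sensitive
    try:
        cp.read(path, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError):
        return None
    return cp

def audit_home(home):
    """Return (kind, file, detail) findings under one user's home directory."""
    home, findings = Path(home), []
    # 1. Per-user autostart entries that launch Wine or a Windows executable.
    for entry in sorted((home / ".config/autostart").glob("*.desktop")):
        cp = read_ini(entry)
        cmd = cp.get("Desktop Entry", "Exec", fallback="") if cp else ""
        if "wine" in cmd.lower() or ".exe" in cmd.lower():
            findings.append(("autostart", entry.name, cmd))
    # 2. File associations that hand Windows executables to Wine on double-click.
    for rel in (".config/mimeapps.list", ".local/share/applications/mimeapps.list"):
        cp = read_ini(home / rel)
        for section in ("Default Applications", "Added Associations"):
            if cp is None or not cp.has_section(section):
                continue
            for mime, handler in cp.items(section):
                if mime in EXE_MIME and "wine" in handler.lower():
                    findings.append(("association", rel, f"{mime}={handler}"))
    return findings

def demo():
    """Run the audit over a constructed home directory (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        auto = Path(tmp, ".config/autostart")
        auto.mkdir(parents=True)
        (auto / "notes.desktop").write_text("[Desktop Entry]\nType=Application\nExec=gedit\n")
        (auto / "updater.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=wine /home/user/.cache/upd.exe\n")
        Path(tmp, ".config/mimeapps.list").write_text(
            "[Default Applications]\napplication/x-ms-dos-executable=wine.desktop\n")
        return audit_home(tmp)
```

Calling `audit_home(Path.home())` runs the same checks on a real account; the substring match on "wine" is a heuristic, so review each finding rather than deleting entries automatically.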

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sun Nov 08, 2009 7:01 pm
by reaZon
nice post dude :D .

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Mon Nov 16, 2009 10:12 am
by wob
Thanks for this article. Since I am using Linux, I don't really have any problems with viruses, spyware and other things. It is also very important that you know what you are doing with your PC, which web sites you are surfing on, what you are downloading. Be careful, and you shouldn't have any problem.
Cheers

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Tue Nov 17, 2009 7:00 am
by Husse
Javascript is the same and with the same possible risks regardless of operating system - it is run in the web browser
BUT - it can't spread in Linux due to the file permission system - it won't get permission to do much of anything

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Tue Nov 17, 2009 8:46 pm
by Kaye
Exactly. The Javascript issue will really only affect your browser, and you'll know if there's malicious JS code running (it'll be pretty obvious). With Firefox it's very simple to circumvent JavaScript by installing the NoScript plugin, so there isn't much to worry about.

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Wed Nov 18, 2009 8:14 am
by Husse
I did not read the whole story but when a Linux server is compromised it's generally because of a config error in Apache (LAMP) or some other "basic" application running on top of the server system
Of course that does not make it less serious

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Wed Dec 09, 2009 9:43 am
by rijnsma
DrHu wrote:
And for the browser specifically, the LSO (Local Shared Object) should be eliminated
There is a 'BetterPrivacy' add-on for Firefox. :wink:

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sun Dec 13, 2009 4:07 pm
by Husse
I split off the discussion about the word newbie and moved that to the open chat section here

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sun Jan 10, 2010 11:50 pm
by JamaicaJoe
Hi Guys!

I have a question about the Linux-Mint8.iso: when I ran antivirus on it, it found it a threat(?):

Linux-Mint8.iso/casper/filesystem.squashfs Error while scanning The file is a decompressing bomb.

I use Avast! Home Ed updated, running on Ubuntu 9.04

Is that a false positive?
Any ideas?

I am really concerned about that because I already have 2 netbooks with Linux Mint 8....one mine, the other belongs to my boss.. :( :(

Regards,

Jamaica Joe

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Mon Jan 11, 2010 12:19 am
by monkeyboy
A decompression bomb floods the computer with compressed data. Many scanners will report such large install files falsely as bombs. If you are concerned, install to a virtual machine and check that install.

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Mon Jan 11, 2010 2:43 am
by Kaye
You should expect the iso to almost be a type of "decompression bomb" for the exact reason that monkeyboy just said. It makes a lot of sense if you think about what the installer is doing.
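
A common way for a scanner to guard against decompression bombs is to cap the expansion ratio and the total unpacked size while it inflates a stream. The sketch below is an added example, not part of the original thread and not the logic of Avast or any other product; the limits and sample inputs are assumptions, chosen to show how benign but highly compressible data trips the same check.

```python
import hashlib
import zlib

def classify(blob, max_ratio=100, max_output=64 << 20, chunk=1 << 16):
    """Inflate a zlib stream in bounded chunks and return (verdict, bytes_out).

    Limits are illustrative assumptions, not any scanner's real defaults.
    """
    inflater = zlib.decompressobj()
    out, pending = 0, blob
    while pending:
        # max_length bounds memory use: at most `chunk` bytes are produced per call.
        out += len(inflater.decompress(pending, chunk))
        if out > max_output:
            return ("size", out)  # stop early, never unpack the rest
        pending = inflater.unconsumed_tail
    out += len(inflater.flush())
    if out > max_ratio * len(blob):
        return ("ratio", out)
    return ("ok", out)

def samples():
    """Constructed inputs: both benign, but with very different compressibility."""
    zeros = zlib.compress(bytes(8 << 20))  # 8 MiB of zero padding
    noise = zlib.compress(b"".join(        # 128 KiB of incompressible bytes
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(4096)))
    return zeros, noise

def demo():
    """Classify the constructed samples under default and tightened limits."""
    zeros, noise = samples()
    return {
        "zeros": classify(zeros),
        "noise": classify(noise),
        "zeros_small_cap": classify(zeros, max_output=1 << 20),
    }
```

The zero-filled sample is harmless, yet it expands roughly a thousandfold and is reported as a ratio violation, which is the kind of false positive discussed in the two posts above.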

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Mon Feb 22, 2010 9:28 am
by sam500
I've just noticed that the firewall listed in Control Center / System is disabled. Surely, by default, it should be switched on...? (I've enabled it now).

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Mon Mar 01, 2010 6:26 pm
by sgarnett
I don't know the details of NTFS, but under the FAT32 (and older) Windows file system, the reason for defragging has nothing to do with recovering space. Yes, hard drive space was allocated in clusters of several sectors. If the file size was not evenly divisible by the cluster size, space would be wasted. Defragging did not fix this.

The reason for defragging was performance. The FAT in FAT32 refers to the "file allocation table". This is a block of data at the beginning of a hard drive partition that maps all those file fragments to scattered sectors. When reading a large file, the hard drive would have to seek back to the FAT to get the next entry every time it reached the end of a fragment. Seeking (moving the read head to a different track) is much slower than reading contiguous data.

I don't know linux file systems very well, but I know they don't use a FAT :) Regardless, the point is that linux wastes much less time when navigating from one fragment to the next because it doesn't have to keep thrashing back and forth to and from the FAT. Fragmentation carries a smaller penalty, so there's less to be gained by fixing it.

IDE drives also threw a new variable into the mix. The cylinder/head/sector mapping reported to the OS may not correspond to the physical mapping. Do contiguous logical sectors necessarily map to contiguous physical sectors? Not any more. Of course, the drive vendors care about performance, so they aren't going to just scatter sectors randomly.

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sat Mar 06, 2010 5:11 pm
by _h_
Looks similar to the same tactic used to kill Windows systems there ikey.

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sat Mar 06, 2010 7:44 pm
by stevefed5291
nice post ikey, currently searching for NoScript :)

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sat Mar 06, 2010 7:47 pm
by _h_
stevefed5291 wrote: nice post ikey, currently searching for NoScript :)
https://addons.mozilla.org/en-US/firefox/addon/722

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sat Mar 06, 2010 7:50 pm
by stevefed5291
lol, thank you but I managed to find it :)

Re: Questions about Defragging or Antivirus? Look here first!

Posted: Sat Mar 06, 2010 7:55 pm
by _h_
stevefed5291 wrote: lol, thank you but I managed to find it :)
I was under that assumption, but still posted the link for everyone else wanting it to get it. :)