of course, with great power comes....

because sudo rm is a bad thing to do.

Yeah, an inexperienced Linux user with the root password is often more dangerous than most outside threats.

So let me understand, you loaded this program on your computer although you knew it's a virus, or you thought that Windows Police Pro is a genuine anti-virus?

Dad

I knew that it was a virus, but since Windows programs (including viruses) run in a very controlled mode in Linux, I was confident I would be able to terminate it, so I ran it.

I would not have the foolishness to do the same were I running Windows.

It's -almost- like a virtual box. Almost. <3 Wine.

It seems more like a scam than a virus - a real hardcore virus would go through all your browser logs and text files looking for something formatted like a credit card number, send those to it's overseas host, then attempt to burn out your ram, or go invisible and make your comp into a botnet zombie.

Major Props for getting it to work in wine - I can't get any programs to work in wine, not even malicious ones.

Why not just clean it with "rm -r ~/.wine"? It shouldn't have had permission to write to anything outside your home directory.

C:\windows\system32\winebrowser.exe does exist inside of Wine. At least it really did scan your "computer" for something.

Purging only removes system-wide configuration. Stuff installed into Wine go into per-user configuration in your home directory. Thus, purging and reinstalling should do nothing to the malware installation.

As already suggested, "rm -r ~/.wine" or so (as the same user that you generally run wine with, _not_ root) is the way to go.

On my Linux system, the only system32 directory is here:

/home/username/.wine/drive_c/windows/system32

So I don't understand how wine created c:\windows\system32\winebrowser.exe outside of your user .wine directory, unless of course you changed the default wine configuration to tell it your c: drive is somewhere else. But even then, you would still have to give the c: drive parent directory permissions for your non-root user to create it and write files to it if it were outside your user directory, I think.

But isn't doing rm -r ~/.wine so much easier than having a real windows system where you would have to figure out how to disable the virus to get into regedit (if booting into safe mode doesn't help), then manually edit the registry hoping you don't mess up and prevent your whole system from booting into anything other than BSOD, and then manually removing all the virus files hoping you don't remove important system files?

If your wine installation recognized and had access to your linux HOME and / root linux install (as wine likes to do by default), any virus can conceivably infect your linux ELF binaries (or modify your documents).

If you are setup as a no-auth sudoer or a 0day is discovered in WINE, no reason an intelligent enough Windows virus can't root your linux box either.

As far as I know, Firefox in Linux will download a .sh file but will not make it executable. You would have to "chmod +x" it before you could execute it. There is no way for a downloaded file to be executed "accidentally" by an user in Linux.

Linux virus run with root privileges won't be stoppable. Imagine - /bin/kill is no longer there and all bash processes were killed along with your console... :)

This happened to my wife's pc this morning.. (Mint7) She searched for a cake recipe, clicked on a link and up popped simillar crap to this.

Mint's (& Jaunty's) default firefox doesn't have such blocking goodness, unless you upgrade to 3.5, which runs like crap for some reason. Karmic most likely has fixed it.

I'ts been a rather long time since I've seen a PC at my place get (slightly) pwned.. Still, a good warning to not let the "I run linux therefore I am invincible" get permanently implanted in our brains.

"Linux virus run with root privileges won't be stoppable. Imagine - /bin/kill is no longer there and all bash processes were killed along with your console... :)"

That would be most unfortunate.

This is a prime example as to why nothing untrusted should ever be given root privileges.

best way to do linux malware is to distribute it as .deb and target ubuntu. Downloading automatically presents you with the default action to run the installer. That one asks you to give the root password. No problem, you're installing some cool software. Just that .deb can contain installation scripts.

ouch...

Well... the virus would not have permission to harm your linux box, but I think it can erase your home and your removable device that was plugged into your computer at the moment.

Clearly this "Window police pro" is a scam, built to steal credit card, it don't bother destroy your file.

This is old news. At LEAST 10 years ago I was using WINE to test Windows viruses, see what they'd do, and tear their code apart. If WINE got trashed I'd delete it and reinstall a fresh copy. It got boring because most viruses were copies of previous viruses with minor changes to fool the dat files.

GreyGeek

The "no thanks" option literally reads "Don't buy and let <some worm it claims you're infected with> send my credit card info to a remote server." Yeah, as if it itself won't do the same thing if it touches your credit card info.

You're misparsing that option. You're reading it as "(Don't buy) and (let worm have credit card details)". Clearly it should be "Don't ((buy) and (let worm have credit card details))". :)

The fix proposed in the guide using apt-get is very OTT. Simply delete ~/.wine. Next run, wine will make stock settings. You could also restore to .wine directory from your backups.

Running DOS viruses in dosbox or freedos can really bork your system. Atleast they did when we last tried in 1995.

Also, I've been thinking that installing .debs from the web is really dangerous. Because apt/dpkg can also install anything running with root privileges.

Installing .debs from anywhere except your own distro's own repository is bad. If some package you want is not in the repository (Debian's .deb files should be OK on Ubuntu; not necessarily so the other way around unless you're running Sid) then you should cut your losses and build it yourself from the Source Code. This isn't hard, unless you can't spell "make install".

unfortunately, for a few years now, the wine developers have been stupid enough to try and 'integrate' more and more with the users desktop. It's reached the point where the first time you run wine, it sets up a 'drive' (z usually) which can access your whole linux filesystem. ie /. plus it will create a bunch of links in .wine/drive_c. for example a link Desktop, which points to your real ~/Desktop.

So a winblows virus, run in wine, can delete shit off your desktop. or anywhere other files that you own if it decides to look at the z: drive.

It gets even worse than that too. because even if you go and change My Documents and My Pictures and Desktop etc etc, using the wine settings, and even if you make sure there are no symlinks within ~/.wine/drive_c which point outside of that area, and even if you remove the 'drive z' mapping, WINE is still STUPID ENOUGH that it maps 'Trash' directories to your real gnome/kde desktop trash directories.

sigh.

it used to be a good tool for running keygens, cracks etc, fairly safely. but not anymore. It's not surprising though really, I mean these developers are so wrapped up in the windows way of thinking (or not thinking) that they just don't realise it's a bad thing to expose your linux filesystem through wine automatically.

See ZeroWine http://zerowine.sourceforge.net [zerowine.sourceforge.net] - it's a malware analysis tool that uses Wine running in a QEMU sandbox to examine malware.

Note that while Windows apps are normally sandboxed to the .wine directory, this is not enforced by Wine - any malicious binary could do a Linux syscall with 0x80, and can splatter trash anywhere the user it's running as can write. If you really want to run toxic waste, use a separate user at the very least, and preferably ZeroWine.

@chris - Wine has NEVER provided a secure sandbox. That is not what it's for. Malware has always been able to break out and do whatever that user can do. If you're going to run toxic waste, you need to treat it as toxic waste.

Might I suggest in future, launching the virus from the cli and using

`WINEPREFIX="/home/myuser/.wine-virus" wine virus.exe`

The bonus being; once the virus has taken over wine, you can just *delete that particular instance*, rather than having to purge wine (and all your other installed wine programs) from your computer.

Actually you *can* run executable code on Linux without chmod. For reasons that don't make sense to me, Gnome and KDE both respect a .desktop shortcut protocol that can in turn run software.

A 'bad thing' imo, that must be stopped

http://www.geekzone.co.nz/foobar/6229#compact [geekzone.co.nz]

for more detail

It's safer to use virtualization if you really need to run Windows software. However, my advise is simply don't use any Windows programs and don't install wine on your computer.

You only had to (kill wine or ) reboot you computer and deletet the .wine folder and everything is gone. Start wine again and the folder would be created. :D

Smart tip when you need to check something is:

mv .wine mywine

winecfg , just exist.

install the program to be checked.

Kill wine

rm -fr .wine

mv mywine .wine

and the orginal wine is ok. Offcource you could use WINEPRFIX as well. But the abowe is bullet proof

First of all, "pkill" is a much more elegant way to kill multiple processes than with kill or killall, e.g. "pkill wine", or even "pkill win" should kill all processes with the name "wine" or "win" in it.

Second of all, I hope for you that you've used a "guest" account with unimportant data in its home directory and without any (sudo) admin rights, since Wine includes a Z drive to your user's home directory since a few years.

And also, FYI, people have been testing viruses with Wine before, this article is pretty fun to read imho :

http://www.linux.com/archive/feature/42031?theme=print [linux.com]

and this one is quite interesting too :

http://www.linux.com/archive/articles/53698?theme=print [linux.com]

now? are you fucking serious? now? if now is 10 years ago (or more) then fine but otherwise wtf

Well... maybe it is time for:

- chroot jail for Wine C:

- ClamAV integration to Wine

@The MidnighToker - do NOT rely on a virus staying confined to its WINEPREFIX. Remember, this is deliberately malicious software we're talking about. It can easily INT 0x80 to get out of there and do anything it likes that your user can do.

Wine has NEVER promised security inside a WINEPREFIX - it's just a convenience for keeping non-malicious programs isolated. (With those, the threat model is programmer error rather than malice, and a separate WINEPREFIX is fine for that.)

If you're going to run known-malicious software, keep it in prison - run it as a separate user, or run it in a WineZero-like environment, which is an isolated VM created afresh each time.

I also like to test viruses to find out what effect they have on which files. It makes it easier to deal with client machines that become infected. However, I never load a known virus on a machine that I use for anything else. That is asking for trouble.

I have images that I can restore to a clean hard drive for each version of Windows that I test with. I also test with Wine using a live DVD and a hard drive that has only a swap partition on it. I keep it off my primary network and monitor the Internet connection to it with a packet sniffer to see what it is doing.

I stumbled on this over at codeweavers

http://www.codeweavers.com/products/case_studies/ [codeweavers.com]

the article about viruses states that crossover is a safer way the go rather than just plain wine. regardless, like David G. said.."If you're going to run toxic waste, you need to treat it as toxic waste."

Great write up. Really enjoyed it. Going to link to it if you don't mind.

Again, it was a cool read.

You must be aware that Win32 viruses one day can understand they run under wine and try to do whatever they want in Z:\ directory which is by default mapped to "/" (root). Besides there are viruses that just put their payload into every directory in the system - once I deleted over 6000 instances of the same virus on WinXP system.

In this case a virus can wreck a havoc - it can easily erase your home directory or infect each and every other .exe, ELF, .DOC, .ODF, etc. file which is owned by your user account.

I strongly believe that Wine developers should stop providing default Z: drive, instead of that they'd better create something like $TMP/WineSandBox.

Nice article, but your website design screams "awful from the 90s"

it would suck if someone wrote a virus targetted at people who try to run viruses in wine

Isn't there some kind of program that can be installed

that can scan for viruses in Linux,

that will tell you what a program will do if it is

executed?,

for deb files, scripts, tars, zips, .sh files,

and anything related, all under each other,

to be able to know it is safe, and so on?

There should be to some degree for Linux.

I have ClamTk install, but I imagine it doesn't keep me

safe,

and yes I love to install things,

like Mupen which I found a better version of

then the one that can be installed through

Synaptic package Manager.

Call me stupid if you want,

but I know better,

I don't like limitation,

but there will always be limitation with out

enough money.

And although I scanned the .sh file of Mupen

that works really well,

I know now that it might well have not mattered,

because I read something about this after the fact

that I installed it.

I have no worries though because I don't have credit card

numbers, or credit cards,

and all of my info is backed up on another hard drive

I own.

I also have Noscript installed,

which also might not matter if I don't know

what to block and what not to block.

And yes I should have looked over what I just wrote,

but it's too late and this place won't let me edit

it, and if it does let only if I register

I really don't want to register with another place.

Oh please, so you managed to play with a PC target virus on a virtual Windows emulator running in Linux. If Linux was as popular as Microsoft Windows, you would see talented hackers finding easy ways to bypass Linux security, especially since Linux source code is openly available it's easily modifiable.

With proper care and regular maintenance there should be no reason why Windows users should get infected with such thing. Trust me...I've been using PC since Windows 95 and I never had gotten infected with any virus before. Maybe tracking cookies...but nothing big.

This is great and all, but why do you show some browser warning on your site when I'm using a (security hardened) development version of firefox 3.6 (named Namoroka)? Just show it to IE6 users or something.

I second what Tom just said

Apologies for my site complaining about Namoroka, it is set to explicitly not complain about Firefox, Safari, Chrome, and Opera. Sadly I didn't write the jQuery plugin I'm using, so it's hard to fix it. I should probably set it to only yell at IE or something.

@PCUser: The fact Linux is less secure because it is open source is a myth. See, those "talented hackers" have been trying at it for years because Linux actually is the most popular OS... for web servers. And, even in web servers, I have heard of more breaches of Windows Server than of and Linux-based distro.

The real problem is that if more "regular" people did use Linux, there would be more viruses on Linux, too. It doesn't matter if they're easy to remove (as I demonstrated here), some people are stupid and will download and run it. Then, it will be Linux blamed for its users being stupid.

The problem Windows has is that when a user makes one of those stupid mistakes, the entire computer can be compromised even if the user didn't run a program or do anything explicitly "wrong". On Linux, compromising the whole computer usually requires the administrator password, and even if a security hole is found to bypass that, it is fixed in a matter of hours, or days at worst. Unlike Microsoft, who took months to correct the bug in Internet Explorer which allowed the Chinese hacker attack on Google, Yahoo and other accounts.

Turning into a windows vs. linux fight. I dont feel Im biased because I always have a duel boot with both, but if i must say, my windows boot ALWAYS fails and my linux one is always used to fix it. Im much more interested if know if wine can contract a virus designed to install with out my knowledge and proceed to mess with my root directory.

fefefeffe

"Turning into a windows vs. linux fight. I dont feel Im biased because I always have a duel boot with both, but if i must say, my windows boot ALWAYS fails and my linux one is always used to fix it. Im much more interested if know if wine can contract a virus designed to install with out my knowledge and proceed to mess with my root directory."

I have a dual boot as well. Man, that comes in handy when you're surfing and get a trojan for no apparent reason >.> I find it hard to believe a virus could kill your linux directories, seeing as windoze doesn't even recognize or know about them in the first place...maybe if the virus just fragged your hard drive into oblivion...

http://www.dress-soul.ru [dress-soul.ru] -Nash Internet magazin predostavljaet ogromnoe raznoobrazie klubnoj odezhdy, zhenskaja i muzhskaja odezhda, futbolki, rejv odezhdu, a tak zhe cvetnye prikol'nye futbolki i majki, kofty s dlinnym rukavom, klubnye tolstovki, plat'ja, jarkie muzhskie zhiletki, panamki, true'nye shtany, cvetnye sumki, klubnuju atributiku dlja raznoobraznyh tematicheskih vecherinok.Aksessuary.Chasy,soks,bejdzh.

http://dress-soul.ru/ [dress-soul.ru] Our online store offers a huge variety of club clothes, women's and men's clothing, shirts, rave clothing, as well as colored funny t-shirts and tank tops, blouses with long sleeves, club sweatshirts, dresses, bright men's vests, panamki, original pants, colorful handbags, club memorabilia for a variety of thematic vecherinok.Aksessuary.Chasy, socks, name badge.

blog.opensourcenerd.com is interesting !!

<a href=http://www.facebook.com/pages/Sportingbetcom/230985290247684 [facebook.com]>sportingbet.com</a>

<IMG>http://czesci.li/_img/b.gif</IMG [czesci.li]>

Just so everyone knows, Firefox on every platform has this malware warning system.

Also:

"To do the same amount of harm, it would then ask me for the administrator password, not just a repetitive "Allow/Deny" box that I just instinctively click Allow on..." So once again we uncover the truth that it's usually the user's fault computers get infected, not necessarily the operating system they're using.

The XXX Stream

Product Review http://www.roznica.com.ua/goodsdetails_stiralnie-mashini-beko-wmb50831_20282.html [roznica.com.ua] Beko WMB50831

quality review

Strona webowa prezentuje darmowe obrazki i filmiki z kategorii <a href=http://www.warszawa-anonse.pl [warszawa-anonse.pl]>warszawa anonse</a>. Galerie erotyczne przeznaczone tylko dla widzow doroslych. Codzienna aktualizacja materialow. Zobacz teraz!