Say, you downloaded a pirated game that happened to be malicious, and you run it on linux using compatibility layers like WINE/Proton, does your linux installation get infected?
It’s covered in the FAQ of WineHQ
What if you tried to run Windows malware on Linux?
Submitted 9 hours ago by DeathByBigSad@sh.itjust.works to nostupidquestions@lemmy.world
Comments
Kory@lemmy.ml 6 hours ago
artiman@piefed.social 8 hours ago
If you have other apps and games inside that wine prefix they will get infected but no the host machine won't be affected
cloudless@piefed.social 8 hours ago
Can the malware somehow target the hosting Linux via wine?
Nemo@slrpnk.net 8 hours ago
at that point it’d be Linux malware
danekrae@lemmy.world 8 hours ago
I wiuld guess that if it could, nobody would program it.
The chances of the scenario is too low. Hacking is a numbers game.
stinerman@midwest.social 6 hours ago
Yes. There’s no sandboxing in Wine/Proton. It’s just another application running with the privileges of the user running it. So it can do anything any other process could do with that user’s credentials. This is one reason why Wine recommends that you never run it as root.
bjoern_tantau@swg-empire.de 5 hours ago
That’s not true. By default the host filesystem is available in Wine. And even if this feature is disabled there are no active safeguards in Wine to prevent access.
Only Linux file permissions prevent access to Linux system files. But everything your user has access to can be tampered with.
Ransomware is incredibly common and designed to encrypt everything it can touch.
sylver_dragon@lemmy.world 7 hours ago
Given WINE’s focus on gaming, the execution of the malware could run into issues with system calls which the malware relies on not being fully implemented or acting in unexpected ways. That said, if the if the execution works, the malware may run to completion and have some impact, depending on what the malware was designed to do.
- Infostealers - On a Windows system, this class of malware pulls credentials from browsers (never, ever save your passwords in a browser. Use a password vault. e.g. KeePass, BitWarden). In the ones I have analyzed, they pull the passwords from the browser storage files directly and rely on known file paths. I think this would ultimately fail, as the files in those known paths won’t actually be your browser profile. Under the same logic, stealing cookies won’t work out either. They are just files in a known location, which won’t actually be the right location when running under WINE. Similarly, stealing credentials from Windows Credential Manager will fail, as that won’t have anything useful there. There is other stuff they can go after, but I think you get the point. The stuff it tries to steal won’t actually be in the locations it’s expected to be in. So, I’d think this class of malware would ultimately fail. Of course, attackers could always rewrite the malware to detect the WINE environment and then have it pivot to the the right locations for all this stuff. So, all of this analysis could become wrong.
- Ransomware - On a Windows system, this class of malware will search through the filesystem and encrypt files with specific extensions (.docx, .pdf, .png, and so on). Given that the Linux filesystem is reachable from the WINE environment, I kind think this has a chance of working. One interesting question would be if the encryption routines in the malware would actually work. Again, I think they would. The malware is likely to leverage cryptographic libraries built into Windows and I’d think that WINE would mostly handle those due to DRM/Anti-Cheat in games. It would just be down to how gracefully the malware deals with Unix file paths. My guess would be that the WINE translation layer would make it work. That just leaves the communications back to the attacker’s server for delivery of the keys. I’d guess this would work as WINE is setup to allow communications out to the internet.
- Remote Access Tool (RAT) - I’d guess that some of these would work though they may act funny for the attacker. As with ransomware, the communications back to the attacker’s server should work. This isn’t going to be terribly different from communicating with a game server. There might be some issues around the local agent working correctly though. The attacker may be relying on cmd.exe or powershell to run their commands. So, that might run into issues. At the same time, the malware could implement any commands directly via system and API calls. I’d think most of those would work. So, the attacker may have enough capability to fully compromise the Linux system, if they are willing to put the time into it.
That’s just three possible classes of malware, though it’s most of what I run into professionally (I work in Incident Response). Overall, I’d recommend not relying on Linux to keep you safe from malware bundled into pirated games. While I don’t expect that the infostealer parts of the malware would work correctly (for now), a lot of malware does more than one thing. The attacker may not get your credentials with the initial infection, but you could be opening yourself up to other malware. And, if the attacker includes a RAT, he could come back later and ruin your day.
So ya, be very, very careful about running stuff which you don’t know is safe.
artiman@piefed.social 6 hours ago
You confused wine with proton
bjoern_tantau@swg-empire.de 5 hours ago
Proton is Wine.
Plus some other stuff like DXVK (which is available in vanilla Wine as well). But the heavy lifting is done by Wine.
dontbelievethis@sh.itjust.works 5 hours ago
Your asshole explodes.
WILSOOON@programming.dev 8 hours ago
Yes wine and proton is malware compatible