The Truth About Windows Malware, Wine and Ubuntu

Posted: September 17, 2011 in Random pontifications
Tags: , , , , ,

Lately, meaning over the past few years, there has been a lot of discussion running around various forums, mailing lists, and concessions about the safety of Wine on Linux when it comes to Windows based malware. I recently saw a few more rather heated debates going down on Ubuntu Forums about the subject. It’s become sort of an intra-office debate about it if you will. Some people say, oh it’s not a problem, Ubuntu is secure. Others say, no you can get owned SOOO EASILY!

Of course, you can ALWAYS get owned. However, this debate prompted me to begin a little research on two things. One, how easily can you get owned. Two, how badly will you get owned. A distant third benefit is obviously, how do you NOT get owned.

So I decided I would do some testing.

Part 1 : The Backdoored Executable

While I didn’t have an ACTUAL example of Windows malware, nor do I feel like getting one working under Ubuntu with Wine(this argument is still valid). I decided I would create a simple piece of malware myself. For the purpose of this test I decided I would use a Windows executable , putty.exe. Everyone knows it, if you’ve ever ssh’ed to a server from a Windows box, you probably used this. Now, I understand the odds of someone downloading putty to run in Wine and ssh is remote (no pun intended), especially considering openssh works a lot better. That being said, putty is our guinea pig, it runs easily in Wine , everyone knows it and it’s a Windows executable (and an easy one to obtain). This will work with ANY backdoored .exe/.dll that will work in Wine.

I used the Metasploit Framework to backdoor and encode the executable. I used the Windows version of Meterpreter. We don’t want to break the logic of putty now do we?

Part 2 : The Victim

For my victim machine I decided this study needed to be relevant, so I created a Virtual Machine running Ubuntu 10.04.3 LTS (Lucid Lynx). I fully updated it , and set up UFW in the standard configuration. I figured, ok this is a pretty typical desktop installation, nothing special or different in terms of security, and I haven’t gone and installed a ton of vulnerable services hoping that the demo gods would be on my side. An interesting note, the home directory in this particular installation IS encrypted. I did this to illustrate an important factor when dealing with backdoored files.

I then installed Wine (again in a default configuration), and copied over my “putty.exe” file. Knowing full well this poor VM was about to get owned, I almost felt bad for it.

Part 3 : The Results

So, after installing Wine and copying over my “bad file” I fired up Metasploit and got ready to handle an incoming session from my poor target. I knew I would get a return connection, but I wasn’t really all that sure what it would yield. I had decided though I was going to run this process several different times, to determine exactly how far I could get with JUST this, in different configurations that different users might run a backdoored file.

Method 1 : Using a standard user account

The first method I ran my executable under Wine in was using a standard user account. I figured I probably wouldn’t get too far with this method. I couldn’t have been more wrong. Home directory encryption on a desktop installation…Interesting…

Method 2 : Running my executable as root

With the success of my first attempt now behind me I’d determined that if this was executed as root, or with sudo ; really devestating things were going to happen. Surprisingly due to the fact that I used Windows Meterpreter instead of Linux Meterpreter I couldn’t really do anything and couldn’t see anything I didn’t have access to previously except for this….

Method 3 : Following some of the Wine security tips on Ubuntu Forums

So I figured, ok, this is just not a very secure set up. What can we do to make this a little bit more secure. So I decided I would check out the Wine security tips given by various users around Ubuntu Forums. I figured hardening Wine would make it a little less ownable. Apparmor in the end is the ONLY thing that stopped this from being ridiculous. Removing sym links does absolutely nothing. You can still use Windows Meterpreter to run Linux local escalation, so you aren’t really trapped in your home directory after all. Which raises the question. How many people use apparmor? It’s pretty annoying to set up, and there are a serious lack of GOOD pre-made profiles. Particularly when doing something as diverse as attempting to emulate support for a Windows application

It’s also important to note that there ARE methods for escaping both SELinux and Apparmor confinement. In my opinion that was a little too much research for a Friday afternoon. Besides, in my personal opinion too few people utilize apparmor in conjunction with Wine to make it a valid concern for a potential “attacker”.

Part 4 : What Can We Take From This.

Wine is not the problem, the fact that you’re running a backdoored executable in the first place is where your problem comes in. This isn’t a buffer overflow attack. It’s not executing with the privilages of Wine, it’s executing with the privilages of the user that ran it. Whether it be your standard user, or root/sudo.

  • UFW did nothing to help us here. At least not in a default configuration. A more restrictive outbound policy would have defeated the reverse shell.
  • Home Directory Encryption is essentially useless, if the user is logged in.
  • Sudo is great, just don’t use it 15 minutes prior to running anything that could be malicious in nature 😛
  • Apparmor is good, let’s make it easier for EVERYONE to use, not just us super paranoid sec dorks.
  • Wine is generally not that easy to keep under control and is not nearly as confined as people seem to think it is.

What about Anti-Virus

Well let’s see how this holds up to ClamAV. You might be surprised to know that it had a 50% detection rate with the most popular anti-virus solutions, and that ClamAV could not detect our malicious putty.exe. Even here we could have further encoded the file, or backdoored a larger file to bypass more anti-virus engines.

If you would like to see the full report click here.


It’s also important to note, that while this was tested for use with Wine and Windows based malware, this will also work much better with maliciously crafted .deb packages, that use post-install scripts to run backdoored Linux binaries.

In the end this is just a trojan right? Correct, this isn’t automated, this relies entirely on an attacker waiting for a reverse connection. However, knowing this, would it really be so hard to automate certain tasks? Like dumping hashes, logging services running, obtaining patch levels, and sending it all back to one source. The answer, not really hard at all.

  1. […] posting this due to the strangely odd amount of attention that this particular article about Wine Security is […]

  2. Kimberly says:

    Thanks for sharing this.
    I use Ubuntu too and love to know about this topic.

  3. […] you haven’t read the article the truth about wine , windows malware and Ubuntu I highly suggest you do so now, as this is a follow up to most of the things discussed […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s