20 votes

What happens when a Windows virus runs on Linux?

I'm considering installing some abandonware games, and, as anyone who trawls the internet for old executables knows: they are often rife with viruses/malware.

It's easy to avoid the ones that are clearly malicious using tools like VirusTotal, but it gets trickier when the "is it clean?" is more of a "maybe" than a "no" because you're not sure if something is a false positive.

I'd rather not take chances and will generally avoid anything I find even slightly suspicious, but it did get me thinking: if I ran the games through Linux instead of Windows (e.g. via WINE or Proton), am I equally vulnerable?

Does something like that sandbox the virus? Is the virus rendered ineffective by being in a system it's unable to exploit as intended?

Or is this wishful thinking and it's still risky no matter what?

I'm not asking this as a "help me play abandonware games" plea (though, if there are best practices out there feel free to enlighten me). Instead, it's a curiosity -- a "help me better understand Linux vs. Windows" from someone who's not super techy.

11 comments

  1. stu2b50

    It's somewhere in between. There's no sandbox; proton is mainly about translating system calls. Since most malware is already running - a luxury in the malware world, execution on the target is step #1 and the hardest step - it already has significant access to your OS. That being said, if it's relying on exploits to gain higher privileges, then that will likely not translate across proton. There is a chance that whatever the malware is trying to do isn't translated well by proton, just like how some games don't run.

    Linux distros also tend to have a more robust permissions structure than windows, although that will depend on what it's trying to do, and what privileges you're running proton with.

    So in the end, there's a good, but not 100%, chance that the malware will run correctly and do bad things to you.

    If you're seriously worried about malware, given that most abandonware is old, I'd just run it in a VM.

    28 votes
    1. balooga

      I'd just run it in a VM.

      Yeah I came here to offer this advice. If you're unsure about an executable, a VM is a brilliant way to go. You might even just use that for initial vetting of the exe... do some diagnostics in there, get some confidence that it's safe, then unquarantine it to run directly. That's less safe, but might be a good compromise if you want to add a layer of safety while still maximizing game performance.

      18 votes
    2. Toric

      NOTE: this is as I recall it, wine may do some other directory mapping I am not immediately aware of.

      So there is a (weak) sandbox, as proton does have a virtual FS (called wine prefixes), because programs expect a windows-like file structure. However, wine also mounts the linux root FS under Z:\, so that programs like editors can access your persistent linux files through things like file open dialogues. So, knowing that, most viruses will mostly be focusing on well-known directories under C:\, not for a linux-like filesystem that happens to be under Z:\, and won't do much outside of their wineprefix.

      Of course, that goes out the window if:

      1. The virus is actually targeting linux computers running the program under wine (very unlikely)
      2. It's some form of general data stealer/ransomware, affecting every file on every drive it can get its grubby little hands on.

      If you're worried about those or other potential directory mapping tricks wine may do, run it inside of a VM, a container, or a firejail.

      17 votes
    3. xk3

      if it's relying on exploits to gain higher privileges

      Wine runs in admin mode by default. There's no meaningful concept of user mode. But that doesn't mean that all the hardware interfaces that the malware expects will be there.

      It's not too unlikely that there are at least a few viruses which target wine specifically due to the higher likelihood that someone who uses Linux will have access to other privileged machine(s). The malware could allow for a C&C attack where someone else is pivoting through the network from Wine.

      And just because the EXE looks old doesn't really guarantee anything... I would imagine that it is pretty trivial to write an unsigned program that launches another program without needing to recompile the original program. Like modifying the PE header and then adding your code to the end of the EXE, and after the malware code is done starting itself it returns to the start of the actual game code. It's easy to change the modified date of files, zip it up, and pretend it is a WinZip archive from 20 years ago. This could all be automated.

      5 votes
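xk3's point above, that a file's apparent age proves nothing, can at least be partly checked from the executable's own PE headers rather than its mtime. What follows is an added example for this thread, not code from any poster or project: it reads the COFF link timestamp, finds the section the entry point lands in, and measures any overlay (bytes after the end of the last declared section). The two executables it analyses are constructed inside the script; the section name .stub, the dates, and the byte strings are made up for the demo.

```python
"""Header-only sanity checks on a Windows EXE. Added example for this thread,
not code from any poster or project; the analysed images are constructed below."""
import struct
from datetime import datetime, timezone

FILE_HEADER = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
SCN_EXECUTE = 0x20000000                        # IMAGE_SCN_MEM_EXECUTE
SCN_CODE = 0x60000020                           # CNT_CODE | MEM_EXECUTE | MEM_READ
SCN_DATA = 0xC0000040                           # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE


def analyse_pe(data: bytes) -> dict:
    """Link time, entry-point section and overlay size; ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 4 + FILE_HEADER.size:
        raise ValueError("missing or truncated PE header")
    _, nsec, stamp, _, _, opt_size, _ = FILE_HEADER.unpack_from(data, pe_off + 4)
    opt_off = pe_off + 4 + FILE_HEADER.size
    if opt_size < 20 or len(data) < opt_off + opt_size + SECTION_HEADER.size * nsec:
        raise ValueError("truncated optional header or section table")
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]            # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = SECTION_HEADER.unpack_from(
            data, opt_off + opt_size + i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize or rawsize,
                         "end": rawptr + rawsize, "chars": chars})
    entry = next((s for s in sections if s["vaddr"] <= entry_rva < s["vaddr"] + s["vsize"]), None)
    image_end = max((s["end"] for s in sections), default=0)
    return {
        "link_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "section_count": len(sections),
        "entry_section": entry["name"] if entry else None,
        "entry_executable": bool(entry and entry["chars"] & SCN_EXECUTE),
        "entry_in_last_section": bool(sections) and entry is sections[-1],
        "overlay_bytes": max(0, len(data) - image_end),   # bytes no section accounts for
    }


def suspicious(report: dict, claimed_year: int) -> list:
    """Turn a report into flags worth a closer look for a file said to date from claimed_year."""
    flags = []
    link_year = int(report["link_time"][:4])
    if link_year > claimed_year + 1:
        flags.append(f"linked in {link_year}, later than the claimed {claimed_year}")
    if report["entry_section"] is None:
        flags.append("entry point outside every section")
    elif not report["entry_executable"]:
        flags.append(f"entry point in non-executable section {report['entry_section']}")
    if report["entry_in_last_section"] and report["section_count"] > 1:
        flags.append(f"entry point in last section {report['entry_section']} (appended code?)")
    if report["overlay_bytes"]:
        flags.append(f"{report['overlay_bytes']} overlay bytes after the last section")
    return flags


def build_pe(stamp: int, entry_rva: int, sections: list, overlay: bytes = b"") -> bytes:
    """Assemble a minimal PE32 file (constructed for the demo, not a real game).
    sections = [(name, vaddr, raw_bytes, characteristics), ...], 512-byte aligned."""
    hdr_len = (0x40 + 4 + FILE_HEADER.size + 0xE0 + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = FILE_HEADER.pack(0x14C, len(sections), stamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs, body, ptr = bytearray(), bytearray(), hdr_len
    for name, vaddr, raw, chars in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF
        hdrs += SECTION_HEADER.pack(name.ljust(8, b"\0"), len(raw), vaddr, size, ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(size, b"\0")
        ptr += size
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(hdrs)).ljust(hdr_len, b"\0") + bytes(body) + overlay


def demo_reports() -> tuple:
    """A plausible 1999 build next to the same image trojanised as xk3 describes:
    an executable section appended, entry point moved into it, bytes trailing the file."""
    t_1999 = int(datetime(1999, 6, 1, tzinfo=timezone.utc).timestamp())
    t_2023 = int(datetime(2023, 3, 14, tzinfo=timezone.utc).timestamp())
    text = b"\x55\x8b\xec" + b"\x90" * 61 + b"\xc3"    # filler bytes, not real game code
    game = [(b".text", 0x1000, text, SCN_CODE), (b".data", 0x2000, b"strings\0", SCN_DATA)]
    clean = build_pe(t_1999, 0x1000, game)
    tampered = build_pe(t_2023, 0x3000, game + [(b".stub", 0x3000, b"\xe9" + b"\0" * 40, SCN_CODE)],
                        overlay=b"config blob")
    return analyse_pe(clean), analyse_pe(tampered)


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo_reports()):
        print(label, report, suspicious(report, claimed_year=1999))
```

Treat the flags as reasons to keep the file in a VM, not as a verdict: installers and packed executables carry overlays and odd entry sections legitimately, a careful attacker can rewrite the link timestamp as easily as the mtime, and binaries built with reproducible-build settings (MSVC /Brepro) store a hash in that field rather than a time. For 1990s and 2000s game EXEs the timestamp is normally a real link time, which is what makes it a useful first question to ask.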
  2. knocklessmonster

    You could always learn bubblewrap around WINE or use something like Bottles with locked down Flatpak permissions.

    While, theoretically, malware could run in WINE it would need to be targeting that environment with a payload intended to breach into Linux to actually do significant system damage outside of the WINE prefix. It could attack your local user files but should not really have a way of doing Linux privilege escalation unless it was somehow specifically engineered to. I do not believe there has ever been a case of malware using WINE to target Linux users.

    10 votes
  3. vord

    I think it works along the lines of "It could run, potentially re-infect other Windows machines, but will not permanently damage your system so long as you don't run it as root."

    It could also result in data being stolen depending how well you sandbox your filesystem. IIRC flatpak wine/proton can be better isolated.

    You could also probably tell if infected because wine would keep running after main program exits.

    8 votes
    1. babypuncher

      The most obvious threat vector to me is any Linux directories mounted in your Wine prefix. Windows malware designed to run on Windows would have a hard time modifying system settings or messing with storage volumes, but it could delete or modify files in your user directory, which iirc is mounted by default in new Wine prefixes.

      7 votes
      1. teaearlgraycold

        Yes simple things like ransomware could actually do some damage.

        3 votes
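The mappings Toric and babypuncher describe above, Z:\ pointing at the Linux root and the user-folder symlinks inside drive_c/users pointing into $HOME, can be listed and removed from outside Wine. The following is an added example for this thread, not Wine's or Proton's own code. It assumes the layout stock Wine creates in a prefix (dosdevices/<letter>: symlinks such as c: -> ../drive_c and z: -> /, plus symlinked folders under drive_c/users/<name>); the function names are ours, and the demo prefix is a throwaway directory tree built by the script so that it runs without Wine installed.

```python
"""List and remove a Wine prefix's mappings into the host filesystem.
Added example for this thread, not Wine's or Proton's own code. Assumes the
layout stock Wine creates:
  <prefix>/dosdevices/<letter>:         symlink to a host dir (c: -> ../drive_c, z: -> /)
  <prefix>/drive_c/users/<name>/<dir>   some entries are symlinks into $HOME
Nothing here calls Wine; the demo prefix below is constructed, not made by wineboot."""
import os
import tempfile
from pathlib import Path


def _inside(path: Path, root: Path) -> bool:
    """True if the resolved path is the prefix root or somewhere below it."""
    return path == root or root in path.parents


def prefix_escapes(prefix: str) -> dict:
    """Map every symlink (drive letter or user folder) that resolves outside the
    prefix to its resolved target. Empty means nothing outside drive_c is
    reachable through the prefix's own mappings."""
    prefix_path = Path(prefix)
    root = prefix_path.resolve()
    escapes = {}
    for base in (prefix_path / "dosdevices", prefix_path / "drive_c" / "users"):
        if not base.is_dir():
            continue
        # os.walk lists symlinked directories in dirnames but does not descend into them
        for dirpath, dirnames, filenames in os.walk(base):
            for name in dirnames + filenames:
                link = Path(dirpath) / name
                if not link.is_symlink():
                    continue
                try:
                    target = link.resolve(strict=True)
                except (OSError, RuntimeError):
                    continue                      # dangling link exposes nothing
                if not _inside(target, root):
                    escapes[str(link.relative_to(prefix_path))] = str(target)
    return escapes


def confine_prefix(prefix: str) -> list:
    """Remove every escaping mapping. Drive letters pointing outside the prefix are
    deleted (this is where Z: -> / goes); user-folder links are replaced by empty
    real directories so the program still finds a Documents folder and friends.
    Returns the list of mappings that were changed."""
    prefix_path = Path(prefix)
    changed = []
    for rel in prefix_escapes(prefix):
        link = prefix_path / rel
        link.unlink()                             # removes the symlink, not its target
        if not rel.startswith("dosdevices"):
            link.mkdir()
        changed.append(rel)
    return changed


def make_demo_prefix() -> tuple:
    """Build a throwaway tree that mimics a fresh Wine prefix (constructed for the
    demo, not produced by Wine). Returns (prefix, fake_home)."""
    tmp = Path(tempfile.mkdtemp(prefix="wine-demo-"))
    home, prefix = tmp / "home", tmp / "prefix"
    (home / "Documents").mkdir(parents=True)
    (prefix / "dosdevices").mkdir(parents=True)
    user = prefix / "drive_c" / "users" / "player"
    user.mkdir(parents=True)
    (prefix / "dosdevices" / "c:").symlink_to(Path("..") / "drive_c")   # stays inside
    (prefix / "dosdevices" / "z:").symlink_to("/")                      # Wine's default
    (user / "Documents").symlink_to(home / "Documents")                 # like the $HOME links
    (user / "AppData").mkdir()                                          # plain dir, stays inside
    return str(prefix), str(home)


if __name__ == "__main__":
    demo_prefix, _ = make_demo_prefix()
    for link, target in prefix_escapes(demo_prefix).items():
        print(f"exposed: {link} -> {target}")
    print("fixed:", confine_prefix(demo_prefix))
    print("remaining escapes:", prefix_escapes(demo_prefix))
```

Point prefix_escapes at a real prefix (~/.wine or a Proton compatdata/<appid>/pfx directory) to see what a game in it can reach through drive letters alone; the winetricks sandbox verb does a similar clean-up. Dropping Z: is housekeeping rather than a boundary, though: the program still runs as your user, Wine also accepts Unix paths written as \\?\unix\..., and a payload written with Wine in mind can simply use them. The VM, container and bubblewrap suggestions elsewhere in this thread are the actual isolation.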
  4. bonsai_angel

    The only safe way to install old games is to use retail discs, or verify disc images using redump.org. You can check the hash of your downloaded disc image against the hashes on redump, but you need a tool to do so. I use TeraCopy on my Windows XP machine. Look on archive.org for disc images with "redump" in the title, and the hashes will usually match what is in the redump database.

    Patches and no-cd cracks are more of a problem. I would love to learn how those cracks actually work, and how to validate them to make sure nothing malicious is going on, but I haven't gotten around to it.

    As for wine, if you run it with user permissions it can access anything on your system that your user can access. A virtual machine is safer, but remember that the guest OS will usually have access to your network by default, which isn't safe at all.

    4 votes
  5. Boojum

    How old are we talking? DOSBOX (or a fork), as an x86 emulator rather than a virtualization layer, is likely to be pretty safe, for example.

    1 vote
    1. kfwyre

      Pretty much a bunch of random titles from the period of time between the original The Need for Speed (1994) and Need for Speed: Carbon (2006).

      2 votes