Say you downloaded a pirated game that happened to be malicious, and you run it on Linux using compatibility layers like WINE/Proton. Does your Linux installation get infected?
If you have other apps and games inside that Wine prefix they will get infected, but no, the host machine won’t be affected.
Can the malware somehow target the hosting Linux via wine?
At that point it’d be Linux malware.
Yes. There’s no sandboxing in Wine/Proton. It’s just another application running with the privileges of the user running it. So it can do anything any other process could do with that user’s credentials. This is one reason why Wine recommends that you never run it as root.
There’s still a layer of abstraction there. Since it requires Wine to run, it wouldn’t be able to run itself in the future unless it’s aware that it’s being run in Wine. Then it would need to set up a way to launch itself via Wine.
How the application is started is a separate question. I don’t know enough about Wine to know if it would install a Windows Service as a user service in systemd or init.d or something like that. But if the app is started it can do anything it wants subject to that user’s permissions.
I would guess that if it could, nobody would program it.
The chances of that scenario are too low. Hacking is a numbers game.
Depends on the hacker.
I suppose some government blackhat could do such a thing for a very targeted hack. Still unlikely though.
That’s not true. By default the host filesystem is available in Wine. And even if this feature is disabled there are no active safeguards in Wine to prevent access.
Only Linux file permissions prevent access to Linux system files. But everything your user has access to can be tampered with.
Ransomware is incredibly common and designed to encrypt everything it can touch.
Given WINE’s focus on gaming, the execution of the malware could run into issues with system calls which the malware relies on not being fully implemented or acting in unexpected ways. That said, if the execution works, the malware may run to completion and have some impact, depending on what the malware was designed to do.
- Infostealers - On a Windows system, this class of malware pulls credentials from browsers (never, ever save your passwords in a browser. Use a password vault, e.g. KeePass, BitWarden). In the ones I have analyzed, they pull the passwords from the browser storage files directly and rely on known file paths. I think this would ultimately fail, as the files in those known paths won’t actually be your browser profile. Under the same logic, stealing cookies won’t work out either. They are just files in a known location, which won’t actually be the right location when running under WINE. Similarly, stealing credentials from Windows Credential Manager will fail, as that won’t have anything useful there. There is other stuff they can go after, but I think you get the point. The stuff it tries to steal won’t actually be in the locations it’s expected to be in. So, I’d think this class of malware would ultimately fail. Of course, attackers could always rewrite the malware to detect the WINE environment and then have it pivot to the right locations for all this stuff. So, all of this analysis could become wrong.
- Ransomware - On a Windows system, this class of malware will search through the filesystem and encrypt files with specific extensions (.docx, .pdf, .png, and so on). Given that the Linux filesystem is reachable from the WINE environment, I kind of think this has a chance of working. One interesting question would be if the encryption routines in the malware would actually work. Again, I think they would. The malware is likely to leverage cryptographic libraries built into Windows and I’d think that WINE would mostly handle those due to DRM/Anti-Cheat in games. It would just be down to how gracefully the malware deals with Unix file paths. My guess would be that the WINE translation layer would make it work. That just leaves the communications back to the attacker’s server for delivery of the keys. I’d guess this would work as WINE is set up to allow communications out to the internet.
- Remote Access Tool (RAT) - I’d guess that some of these would work though they may act funny for the attacker. As with ransomware, the communications back to the attacker’s server should work. This isn’t going to be terribly different from communicating with a game server. There might be some issues around the local agent working correctly though. The attacker may be relying on cmd.exe or powershell to run their commands. So, that might run into issues. At the same time, the malware could implement any commands directly via system and API calls. I’d think most of those would work. So, the attacker may have enough capability to fully compromise the Linux system, if they are willing to put the time into it.
That’s just three possible classes of malware, though it’s most of what I run into professionally (I work in Incident Response). Overall, I’d recommend not relying on Linux to keep you safe from malware bundled into pirated games. While I don’t expect that the infostealer parts of the malware would work correctly (for now), a lot of malware does more than one thing. The attacker may not get your credentials with the initial infection, but you could be opening yourself up to other malware. And, if the attacker includes a RAT, he could come back later and ruin your day.
So ya, be very, very careful about running stuff which you don’t know is safe.
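Two posts above make the same defensive point: by default the host filesystem is reachable from inside a Wine prefix (Wine maps it as the Z: drive through symlinks under `<prefix>/dosdevices`), so a Windows binary run under Wine/Proton can touch whatever the user can. The script below, added here as an illustration and not code from the thread or from the Wine project, audits a prefix's drive mappings and flags any that point outside the prefix. `make_sample_prefix` builds a constructed fake prefix mimicking Wine's default layout so the audit can run without Wine installed.

```python
import os
import tempfile
from pathlib import Path


def audit_dosdevices(prefix: str) -> dict:
    """Map each drive letter in <prefix>/dosdevices to its resolved target and
    flag targets that escape the prefix, i.e. expose the host filesystem."""
    prefix_real = Path(prefix).resolve()
    dosdevices = prefix_real / "dosdevices"
    report = {}
    if not dosdevices.is_dir():
        return report
    for entry in sorted(dosdevices.iterdir()):
        name = entry.name.lower()
        # Only drive letters ("c:", "z:"); skip com1, lpt1 and similar devices.
        if len(name) != 2 or name[1] != ":" or not name[0].isalpha():
            continue
        if not entry.is_symlink():
            continue
        target = Path(os.readlink(entry))
        if not target.is_absolute():
            target = dosdevices / target      # Wine uses "../drive_c" for C:
        target = target.resolve()
        inside = target == prefix_real or prefix_real in target.parents
        report[name] = {"target": str(target), "escapes_prefix": not inside}
    return report


def escaping_drives(report: dict) -> list:
    """Drive letters whose target lies outside the prefix."""
    return sorted(d for d, info in report.items() if info["escapes_prefix"])


def make_sample_prefix() -> str:
    """Constructed fake prefix (not a real wineprefix) with Wine's default
    mappings: C: -> drive_c inside the prefix, Z: -> / (host root), plus a
    D: mapping to a directory outside the prefix, as some users add."""
    root = Path(tempfile.mkdtemp(prefix="fakeprefix_"))
    outside = Path(tempfile.mkdtemp(prefix="fakehome_"))
    (root / "drive_c").mkdir()
    dd = root / "dosdevices"
    dd.mkdir()
    os.symlink("../drive_c", dd / "c:")
    os.symlink("/", dd / "z:")
    os.symlink(str(outside), dd / "d:")
    return str(root)


if __name__ == "__main__":
    prefix = os.environ.get("WINEPREFIX", os.path.expanduser("~/.wine"))
    for drive, info in audit_dosdevices(prefix).items():
        tag = "HOST FS REACHABLE" if info["escapes_prefix"] else "inside prefix"
        print(f"{drive} -> {info['target']}  [{tag}]")
```

Run it against a real prefix by setting `WINEPREFIX`; a Z: entry pointing at `/` is the default and is exactly why the "only Linux file permissions protect you" remark holds.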
You confused Wine with Proton.
Proton is Wine.
Plus some other stuff like DXVK (which is available in vanilla Wine as well). But the heavy lifting is done by Wine.
I meant the intro: you said Wine is gaming focused, and that’s not true. Proton, which is a Wine fork, focuses on the gaming part. They are not the same: Wine is for general apps and Proton is gaming focused.
It’s covered in the FAQ of WineHQ.
Yes, Wine and Proton are malware compatible.