[opensuse] How to protect Wine from opening malware?
Today I got a malware mail with an *.7z attachment. I saved the attachment and opened the 7z archive with Ark for further investigation. The attachment contained a *.vbs Visual Basic Script file. It is mostly a downloader script which downloads malware from a Russian server.

The problem: if I click on the file (instead of choosing "Preview" in the context menu), Ark opens Wine with the malware VBS script. My Sophos on-access scanner blocked the attachment.

My question: how can I configure KDE or Ark so that it does not open some problematic file types, especially not with Wine? I also wonder about the insecure default settings.

Greetings, Björn

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2017-09-19 10:52, Bjoern Voigt wrote:
Today I got a malware mail with an *.7z attachment. I saved the attachment and opened the 7z archive with Ark for further investigation.
The attachment contained a *.vbs Visual Basic Script file. It is mostly a downloader script which downloads malware from a Russian server.
The problem: If I click on the file (instead of choosing "Preview" in context menu), Ark opens Wine with the malware VBS script. My Sophos on-access scanner blocked the attachment.
My question: How I can configure KDE or Ark so, that it does not open some problematic file types, especially not with Wine? I also wonder about the insecure default settings.
But you are actively clicking on a .vbs file, an "executable". The default action would be to execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
But you are actively clicking on a .vbs file, an "executable". The default action would be execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. Yes, I actively clicked on the VBS file in Ark, of course by mistake.
Execution bit is not necessary here. I created a test.vbs file on my KDE Plasma desktop and clicked on it. No warning was displayed, Wine executed the file. I also see this as a bug.

In the special case where the VBS file is inside a 7z archive, the question is whether 7z stores the execution bit. I cannot see this:

$ 7z l 20171809_30581784559.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=de_DE.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz (106E5),ASM)

Scanning the drive for archives:
1 file, 2994 bytes (3 KiB)

Listing archive: 20171809_30581784559.7z

--
Path = 20171809_30581784559.7z
Type = 7z
Physical Size = 2994
Headers Size = 146
Method = LZMA:16
Solid = -
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2017-09-18 18:07:26 .....         9840         2848  20170918_77742887162.vbs
------------------- ----- ------------ ------------  ------------------------
2017-09-18 18:07:26               9840         2848  1 files

Greetings, Björn
On 09/19/2017 06:10 AM, Bjoern Voigt wrote:
Carlos E. R. wrote:
But you are actively clicking on a .vbs file, an "executable". The default action would be execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. Yes, I actively clicked on the VBS file in Ark, of course by mistake.
Execution bit is not necessary here. I created a test.vbs file on my KDE Plasma desktop and clicked on it. No warning was displayed, Wine executed the file. I also see this as a bug.
It is the default Windows action. Wine simply acts as Windows would. -- "The time has come," the Walrus said, "To talk of many things: Of shoes-and ships-and sealing-wax- Of cabbages-and kings-- And why the sea is boiling hot- And whether pigs have wings." Lewis Carroll _ _... ..._ _ _._ ._ ..... ._.. ... .._
On 2017-09-19 13:26, Billie Walsh wrote:
On 09/19/2017 06:10 AM, Bjoern Voigt wrote:
Carlos E. R. wrote:
But you are actively clicking on a .vbs file, an "executable". The default action would be execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. Yes, I actively clicked on the VBS file in Ark, of course by mistake.
Execution bit is not necessary here. I created a test.vbs file on my KDE Plasma desktop and clicked on it. No warning was displayed, Wine executed the file. I also see this as a bug.
It is the default Windows action. Wine simply acts as Windows would.
But it is Linux who calls wine. Linux should not call wine to "open" a known executable file unless it has the executable bit. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2017-09-19 13:26, Billie Walsh wrote:
On 09/19/2017 06:10 AM, Bjoern Voigt wrote:
Carlos E. R. wrote:
But you are actively clicking on a .vbs file, an "executable". The default action would be execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. Yes, I actively clicked on the VBS file in Ark, of course by mistake.
Execution bit is not necessary here. I created a test.vbs file on my KDE Plasma desktop and clicked on it. No warning was displayed, Wine executed the file. I also see this as a bug. It is the default Windows action. Wine simply acts as Windows would. But it is Linux who calls wine. Linux should not call wine to "open" a known executable file unless it has the executable bit.
BTW, my Ark currently uses the following settings in "General Settings":

[x] Preview the file with internal previewer
[ ] Open the file with associated application
[x] Show a warning when creating zip archives with AES encryption

So, with these settings Ark must not open a VBS script with the associated application (Wine + Microsoft Office). I probably should file a bug. Currently Ark has 47 confirmed and unconfirmed open bugs: https://bugs.kde.org/buglist.cgi?component=general&list_id=1465085&product=a...

Greetings, Björn
On 09/19/2017 07:21 AM, Bjoern Voigt wrote:
[...] known executable file unless it has the executable bit.
BTW, my Ark currently uses the following settings in "General Settings":
[x] Preview the file with internal previewer
[ ] Open the file with associated application
[x] Show a warning when creating zip archives with AES encryption
So, with these settings Ark must not open a VBS script with the associated application (Wine + Microsoft Office).
I probably should file a bug. Currently Ark has 47 confirmed and unconfirmed open bugs: https://bugs.kde.org/buglist.cgi?component=general&list_id=1465085&product=a...
I suspect the problem is that first checkbox, "Preview the file". It should probably launch whatever would be used to edit that file, but instead hands it off to wine.

This is still handled by your DE (KDE in my case) under System Settings / Applications / File Associations / under the treeview of known associated applications / x-wine-extensions (the latter most of these). That says to launch "wine start". wine start operates by inspection of the extension. Given no file, "wine start" simply starts a DOS box.

You might be able to add an editor to that list as the first option; most wine installs include wordpad as a default. Or remove that entry altogether so that nothing is done with a .vbs file.

It seems like this issue lies halfway between KDE (or any other DE) and wine. Ark simply hands it off to KDE, KDE checks its list of applications and hands it off to wine. Wine does whatever Windows would do.

Still, your problem is expecting the system to handle your errant click intelligently, and apply Linux permissions onto a Windows system. I think that's beyond the scope of wine. But I don't know this for sure. Wine is a strange animal, best avoided imho. -- After all is said and done, more is said than done.
John Andersen wrote:
I suspect the problem is that first checkbox, - Preview the file. It should probably launch what ever would be used to edit that file, but instead hands it off to wine.
This is still handled by your DE, (KDE in my case) under System settings/ Applications / File Associations / under the treeview of known associations applications / x-wine-extensions (the latter most of these). That says to launch "wine start" wine start operates by inspection of the extension. Given no file, "wine start" simply starts a dos box.
You might be able to add an editor to that list as the first most option, most wine installs include wordpad as a default. or remove that entry all together so that nothing is done with a .vbs file.
It seems like this issue lies halfway between KDE (or any other DE) and wine. Ark simply hands it off to KDE, KDE checks its list of applications and hands it off to wine. Wine does whatever Windows would do.
Still your problem is expecting the system to handle your errant click intelligently, and apply Linux permissions onto a Windows system. I think that's beyond scope of wine. But I don't know this for sure. Wine is a strange animal, best avoided imho. Thanks for the explanation.
It would be nice to have some kind of warning dialog if a user tries to start a potentially unsafe file from the internet.

Is anyone using protection strategies like Software Restriction Policies on Windows machines? Maybe similar technologies can be adapted for Linux desktops:

Use Software Restriction Policies to block viruses and malware
Branko Vucinec, 24/10/2014
https://blog.brankovucinec.com/2014/10/24/use-software-restriction-policies-...

BTW, I do not think that I am very safe because I use a regular user on my Linux desktop. Most of my data is writable by this user and so crypto trojans can be dangerous enough. A good malware may also use an opened "sudo" session started by the user to become root.

Greetings, Björn
On 09/19/2017 07:07 AM, Carlos E. R. wrote:
On 2017-09-19 13:26, Billie Walsh wrote:
On 09/19/2017 06:10 AM, Bjoern Voigt wrote:
Carlos E. R. wrote:
But you are actively clicking on a .vbs file, an "executable". The default action would be execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. Yes, I actively clicked on the VBS file in Ark, of course by mistake.
Execution bit is not necessary here. I created a test.vbs file on my KDE Plasma desktop and clicked on it. No warning was displayed, Wine executed the file. I also see this as a bug. It is the default Windows action. Wine simply acts as Windows would. But it is Linux who calls wine. Linux should not call wine to "open" a known executable file unless it has the executable bit.
Woulda. Coulda. Shoulda. If it is a Windows executable it will call Wine regardless when you click it. That's how it works. It's just like if you're in Windows.
On 09/19/2017 11:03 AM, Billie Walsh wrote:
On 09/19/2017 07:07 AM, Carlos E. R. wrote:
On 2017-09-19 13:26, Billie Walsh wrote:
On 09/19/2017 06:10 AM, Bjoern Voigt wrote:
Carlos E. R. wrote:
But you are actively clicking on a .vbs file, an "executable". The default action would be execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. Yes, I actively clicked on the VBS file in Ark, of course by mistake.
Execution bit is not necessary here. I created a test.vbs file on my KDE Plasma desktop and clicked on it. No warning was displayed, Wine executed the file. I also see this as a bug. It is the default Windows action. Wine simply acts as Windows would. But it is Linux who calls wine. Linux should not call wine to "open" a known executable file unless it has the executable bit.
Woulda. Coulda. Shoulda.
If it is a Windows executable it will call Wine regardless when you click it. That's how it works. It's just like if you're in Windows.
That is not cast in concrete. This is Linux. It's configurable. You need only remove the handling of .vbs files from application associations in the Linux/KDE settings. Wine would still know what to do with it, but Linux would ignore it, or ask what to do. -- After all is said and done, more is said than done.
John Andersen wrote:
That is not cast in concrete.
This is Linux. It's configurable. You need only remove the handling of .vbs files from application associations in the Linux/KDE settings. Wine would still know what to do with it, but Linux would ignore it, or ask what to do. Yes, now I edited the application/x-wine-extension-vbs file type in systemsettings5. Wine does not open *.vbs files anymore.
Greetings, Björn
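The fix John describes and Björn applied in systemsettings5, done from the command line, as an added example that is not code from the thread, from KDE or from Wine. Wine's menu builder registers one MIME type per Windows extension (application/x-wine-extension-<ext>) plus a matching wine-extension-<ext>.desktop entry that runs "wine start", which is the mapping the thread points at. The script below reads a freedesktop.org mimeapps.list, lists every association that would hand a file to one of those entries, and writes a copy in which they are moved into the [Removed Associations] section. Moving them there matters: deleting the default line alone leaves the desktop entry's own MimeType declaration in force, and a launcher can still pick it; [Removed Associations] is the spec's denylist for exactly that case. The sample mimeapps.list in demo() is constructed; the ~/.config path in the usage note is an assumption and the script never writes under $HOME on its own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mimeapps.list for file types
# that would be handed to Wine's "wine start" handler, and rewrite the file so
# those types are denylisted via [Removed Associations] instead.
# Assumes only POSIX sh and awk; every path is passed in explicitly.

# Print each "mimetype=handler" line in $1 that routes to a Wine extension
# desktop entry. Only sections that cause launches are inspected; lines in
# [Removed Associations] are already a denylist and are skipped.
list_wine_handlers() {
    awk -F= '
        /^\[/                               { section = $0; next }
        section == "[Removed Associations]" { next }
        $1 ~ /^application\/x-wine-extension-/ || $2 ~ /wine-extension-[^;]*\.desktop/ { print }
    ' "$1"
}

# Copy $1 to $2 with every Wine association removed from its launching section
# and appended to [Removed Associations] (created at the end if absent).
# A MIME type listed in several sections is denylisted once.
strip_wine_handlers() {
    awk -F= '
        /^\[/ { section = $0; if ($0 == "[Removed Associations]") have_removed = 1 }
        !/^\[/ && section != "[Removed Associations]" && ($1 ~ /^application\/x-wine-extension-/ || $2 ~ /wine-extension-[^;]*\.desktop/) {
            if (!($1 in removed)) { removed[$1] = $0; order[++nr] = $1 }
            next
        }
        { out[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                print out[i]
                if (out[i] == "[Removed Associations]")
                    for (j = 1; j <= nr; j++) print removed[order[j]]
            }
            if (!have_removed && nr > 0) {
                print ""
                print "[Removed Associations]"
                for (j = 1; j <= nr; j++) print removed[order[j]]
            }
        }
    ' "$1" > "$2"
}

# Constructed sample, modelled on what a KDE session holds after Wine has
# registered its extensions; the vbs line is the association from the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/mimeapps.list" <<'EOF'
[Default Applications]
text/plain=org.kde.kate.desktop;
application/x-wine-extension-vbs=wine-extension-vbs.desktop;
application/x-wine-extension-msi=wine-extension-msi.desktop;

[Added Associations]
application/x-wine-extension-vbs=wine-extension-vbs.desktop;
text/plain=org.kde.kate.desktop;
EOF
    echo "== associations that launch Wine =="
    list_wine_handlers "$tmp/mimeapps.list"
    strip_wine_handlers "$tmp/mimeapps.list" "$tmp/mimeapps.list.new"
    echo "== rewritten file =="
    cat "$tmp/mimeapps.list.new"
    rm -rf "$tmp"
}

demo
```

To audit a real session, point list_wine_handlers at ~/.config/mimeapps.list (KDE may also keep a kde-mimeapps.list beside it), then run strip_wine_handlers into a new file, read it, and swap it in. As Carlos notes later in the thread this is not the only place the mapping lives: other desktops read the same file, but Wine can regenerate its wine-extension entries, so the denylist entry, not the deleted default, is what keeps a later regeneration inert.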
On 2017-09-20 22:05, Bjoern Voigt wrote:
John Andersen wrote:
That is not cast in concrete.
This is Linux. It's configurable. You need only remove the handling of .vbs files from application associations in the Linux/KDE settings. Wine would still know what to do with it, but Linux would ignore it, or ask what to do. Yes, now I edited the application/x-wine-extension-vbs file type in systemsettings5. Wine does not open *.vbs files anymore.
That's not the only place. I use XFCE and have the same issue. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 2017-09-19 20:03, Billie Walsh wrote:
On 09/19/2017 07:07 AM, Carlos E. R. wrote:
On 2017-09-19 13:26, Billie Walsh wrote:
On 09/19/2017 06:10 AM, Bjoern Voigt wrote:
Carlos E. R. wrote:
But you are actively clicking on a .vbs file, an "executable". The default action would be execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. Yes, I actively clicked on the VBS file in Ark, of course by mistake.
Execution bit is not necessary here. I created a test.vbs file on my KDE Plasma desktop and clicked on it. No warning was displayed, Wine executed the file. I also see this as a bug. It is the default Windows action. Wine simply acts as Windows would. But it is Linux who calls wine. Linux should not call wine to "open" a known executable file unless it has the executable bit.
Woulda. Coulda. Shoulda.
If it is a Windows executable it will call Wine regardless when you click it. That's how it works. It's just like if you're in Windows.
No, because it is Linux who decides to call Wine, supposedly using Linux criteria. Windows criteria doesn't count yet; Wine is not yet running.

IMHO, this is a security risk.

Test. I send to myself an email with an innocuous (plain text) file with extension .vbs. First hurdle: my mail system intercepts it. Ok, it goes to the banned folder. I open the email, click on the attachment, and... I get a dialog: "open with" (with wine preselected as the default app), or "save", and do this always. Thunderbird does it right. But Thunar (XFCE file browser) does not. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 09/19/2017 07:54 PM, Carlos E. R. wrote:
On 2017-09-19 20:03, Billie Walsh wrote:
On 09/19/2017 07:07 AM, Carlos E. R. wrote:
On 2017-09-19 13:26, Billie Walsh wrote:
On 09/19/2017 06:10 AM, Bjoern Voigt wrote:
Carlos E. R. wrote:
But you are actively clicking on a .vbs file, an "executable". The default action would be execute it (with wine). However, if it does not have the execute flag enabled, it would be a bug to try to execute it. Yes, I actively clicked on the VBS file in Ark, of course by mistake.
Execution bit is not necessary here. I created a test.vbs file on my KDE Plasma desktop and clicked on it. No warning was displayed, Wine executed the file. I also see this as a bug. It is the default Windows action. Wine simply acts as Windows would. But it is Linux who calls wine. Linux should not call wine to "open" a known executable file unless it has the executable bit. Woulda. Coulda. Shoulda.
If it is a Windows executable it will call Wine regardless when you click it. That's how it works. It's just like if you're in Windows. No, because it is Linux who decides to call Wine, supposedly using Linux criteria. Windows criteria doesn't count yet; Wine is not yet running.
IMHO, this is a security risk.
Yes. It is a security risk. That's why Windows is so easy to infect. You are automatically running in administrator mode with Windows by default. That's why I always set up a "user" and run Windows in user mode.
participants (5)
- Billie Walsh
- Bjoern Voigt
- Carlos E. R.
- Carlos E. R.
- John Andersen