Can Windows malware harm a Linux computer when it's executed with Wine?

You are right about accessing the file system and the internet, especially because the home folder is mapped with write permission by default. This implies that it can mess with your documents as well, for example adding macros to OpenOffice documents, deleting your MP3 files or sending interesting files to someone on the internet.

And yes, it can write to your Firefox profile and install an Addon.

Connecting to the internet means that it can fetch commands from a C&C server to turn your computer into a drone.

I guess some malware will fail to find those locations outside the standard Windows folders. But others will just scan all drives for interesting places.


Theoretically, yes.

Firstly, a bit of background on Wine. Wine provides an executable loader for running Windows executables. Also installed or made use of optionally is a binfmt handler described here, which is how the Linux kernel deduces what loader to execute - for example, somewhere built into the kernel is a binfmt handler for ELF files for Linux. Function calls from these executables are then translated by the Wine runtime into their equivalent Linux system calls. The Wine FAQ deals with the question of Wine being an emulator.

So, back to your question - could Windows malware infect a Linux box? I said theoretically yes - here are the various threats you face:

  • Bugs in the format handlers. If a specially crafted executable causes Wine to incorrectly load the PE file, you might well be able to exploit it.
  • Bugs in Wine's function translation. This is the same as saying "bugs in the Windows API", if you like - if certain functions translated in Wine are susceptible to buffer overflows etc, then they can be exploited.
  • The fact that function calls are translated. This very fact in itself means malicious activity can happen.
  • The setup and limitations of the Wine install. What file systems have you mapped? Can the executable escape this "chroot"?

There is one key proviso here - being aware or planning for infecting Wine. If malware is written with the expectation that it may be run on Wine, then it can begin to use Wine specific exploits, possibly detecting that Z: is mapped to / and performing appropriate actions. The earlier points in my list above are the least likely, but also the most damaging if they occur.

However, most malware is not written for Wine. You can think of Wine as a separate build target, almost, since how it implements the Windows API is different to how Windows implements the API. Most malware is aimed squarely at Windows, so I'd expect the damage to occur only to the "Windows" install. Indeed some malware may not run, where the Wine developers have assumed strict usage of an API function and where Windows allows something different.

So, to cut a long story short, Wine increases your attack surface by a sizeable amount by allowing you to execute arbitrary Windows programs. The same general rules apply to Wine as apply to any piece of software:

  • Do you need it? If not, don't install it.
  • Is it up to date? If not, update it.
  • Be careful what you run with it. It is not a substitute for being careful with what you download, access and run.
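The mappings both answers above warn about (Z: mapped to /, the home folder reachable with write permission) can be checked from the host with the following POSIX shell audit. It is an added example and not code from either answer or from the Wine project; `wine_prefix_audit`, `classify` and `report_link` are hypothetical helper names, and the only Wine-specific facts it relies on are that drive letters live as symlinks in `$WINEPREFIX/dosdevices` and that the user folders under `drive_c/users/<name>/` are commonly symlinks back into `$HOME`.

```shell
#!/bin/sh
# Hypothetical audit helper (not a Wine tool): list what a Wine prefix exposes.
# Wine keeps drive letters as symlinks in $WINEPREFIX/dosdevices (by default
# z: -> / and c: -> ../drive_c), and the user folders under drive_c/users/<name>/
# are commonly symlinks back into $HOME, which is what the answers above warn about.
# Usage: wine_prefix_audit [prefix] [home_dir]; exits 1 if anything is EXPOSED.

# Classify a resolved target: inside the prefix is fine; / or $HOME is exposed
# to any Windows program run in the prefix; anything else deserves a look.
classify() {
    case "$1" in
        "$prefix"|"$prefix"/*)       echo ok ;;
        /|"$home_dir"|"$home_dir"/*) echo EXPOSED ;;
        *)                           echo REVIEW ;;
    esac
}

# Resolve one symlink, print "<label> -> <target> <verdict>", count exposures.
report_link() {
    target=$(readlink -f "$2") || return 0
    verdict=$(classify "$target")
    [ "$verdict" = EXPOSED ] && exposed=$((exposed + 1))
    echo "$1 -> $target $verdict"
}

wine_prefix_audit() {
    prefix=$(readlink -f "${1:-$HOME/.wine}") || return 2
    home_dir=$(readlink -f "${2:-$HOME}") || return 2
    [ -d "$prefix/dosdevices" ] || { echo "no dosdevices dir in $prefix" >&2; return 2; }
    exposed=0
    for link in "$prefix"/dosdevices/?:; do
        [ -L "$link" ] && report_link "drive $(basename "$link")" "$link"
    done
    old_ifs=$IFS; IFS='
'
    for link in $(find "$prefix/drive_c/users" -type l 2>/dev/null); do
        report_link "folder ${link#$prefix/}" "$link"
    done
    IFS=$old_ifs
    echo "exposed mappings: $exposed"
    [ "$exposed" -eq 0 ]
}
```

A mapping reported as EXPOSED is reachable, read and write, by every Windows program you run in that prefix; winecfg's Drives tab (or removing the symlink) is where it gets narrowed.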

Been a long time since I've done C structured exceptions (MS specific but emulated on Wine), but the syntax is close to this. Somebody using this could have a lot of fun even if Z is not mapped.

#include <stdbool.h>
#include <windows.h>   /* __try/__except (SEH) and __asm are MSVC-specific */

bool isLinux = false;
__try {
    /* int 0x80 is the Linux i386 system-call gate. Under Wine the interrupt
       reaches the real kernel and returns normally; on Windows it raises an
       exception instead. The system-call number (172 here) only needs to be
       something the kernel will service. */
    __asm {
        mov eax, 172
        int 80h
    }
    isLinux = true;
} __except (EXCEPTION_EXECUTE_HANDLER) {
    /* Interrupt faulted: not running on a Linux kernel, leave isLinux false. */
}
if (isLinux) {
    __asm {
        /* Linux shellcode here */
    }
}