What is the "Wanna Cry" ransomware's possible impact on Linux users?

windows wine malware

Solution 1:

If it helps and to complement Rinzwind's answer, first the questions:

1. How does it spread?

Via Email. 2 friends were affected by it. They send the email to me to test under a supervised environment, so you would basically need to open the email, download the attachment and run it. After the initial contamination, it will systematically check the network to see who else can be affected.

2. Can I get affected by using Wine?

Short answer: Yes. Since Wine emulates almost every behavior of the Windows environment, the worm can actually try to find ways on how it can affect you. The worst case scenario is that depending on the direct access wine has to your Ubuntu system, some or all parts of your home will be affected (Did not fully test this. See answer 4 below), although I see a lot of roadblocks here for how the worm behaves and how it would try to encrypt a non ntfs/fat partition/files and what non-super admin permission would it need to do this, even coming from Wine, so it does not have full powers like on Windows. In any case, it's better to play on the safe side for this.

3. How can I test the behavior of this once I get an email that has it?

My initial test which involved 4 VirtualBox containers on the same network ended in 3 days. Basically on day 0, I contaminated on purpose the first Windows 10 system. After 3 days, all 4 were affected and encrypted with the "Whoops" message about the encryption. Ubuntu on the other hand was never affected, even after creating a shared folder for all 4 guests that is on the Ubuntu desktop (Outside of Virtualbox). The folder and the files in it were never affected, so that's why I have my doubts with Wine and how this can propagate on it.

4. Did I test it on Wine?

Sadly I did (Already had a backup and moved critical job files from the desktop before doing so). Basically, my desktop and music folder were doomed. It did not however affect the folder I had in another drive, maybe because it was not mounted at the time. Now before we get carried away, I did need to run wine as sudo for this to work (I never run wine with sudo). So in my case, even with sudo, only the desktop and the music folder (for me) was affected.

Note that Wine has a Desktop Integration feature where as, even if you change the C: drive to something inside the Wine folder (Instead of the default drive c), it will still be able to reach your Linux Home folder since it maps to your home folder for documents, videos, download, saving game files, etc.. This needed to be explained since I was send a video about a user testing WCry and he changed the C Drive to "drive_c" which is inside the ~/.wine folder but he still got affected on the home folder.

My recommendation if you wish to avoid or at least lower the impact on your home folder when testing with wine is to simply disable the following folders by pointing them to the same custom folder inside the wine environment or to a single fake folder anywhere else.

enter image description here

Am using Ubuntu 17.04 64-Bit, partitions are Ext4 and I have no other security measures apart from simply installing Ubuntu, formatting the drives and updating the system every day.

Solution 2:

What steps do Linux users need to protect from this if for example they are using wine?

Nothing. Well maybe not nothing but nothing extra. The normal rules apply: make regular backups of your personal data. Also test your backups so you know you can restore them when needed.

Things to note:

  1. Wine is not Windows. Don't use wine to:

    1. open mails,
    2. open dropbox links
    3. browse the web.

      Those 3 are the way this seems to spread onto machines. If you need to do that use virtualbox with a normal install.

  2. It also uses encryption and encrypting in Linux is a lot more difficult than in Windows. If this malware would be able to touch your Linux system, at worst your personal files in your $home are compromised. So just restore a backup if that ever happens.

No word if wine is doing anything about a security update.

It is not a wine problem. "Fixing" this would mean you need to use Windows components that have this fixed. Or use a virus scanner in wine that can find this malware. Wine itself can not provide any form of fix.

Again: even though wine can be used as the attack vector you still need to do things as a user you should not be doing from wine to get infected: you need to use wine to open a malicious website, malicious link in a mail. You should already never do that since wine does not come with any form of virus protection. If you need to do things like that you should be using windows in a virtualbox (with up to date software and virus scanner).

And when you do get infected over wine: it will only affect files that are yours. Your /home. So you fix that by deleting the infected system and restoring the backup we all already make. That's it from the Linux side.

Oh when a user is 'not so smart' and uses sudo with wine it is the USER'S problem. Not wine.

If anything: I myself am already against using wine for anything. Using a dual boot with no interaction between linux and windows or using a virtualbox with an up to date Windows and using a virus scanner is far superior to anything wine can offer.

Some of the affected companies by this:

  • Telephonica.
  • Fedex.
  • National Health Services (Britain).
  • Deutsche Bahn (German Railroad).
  • Q-park (Europe. Parking service).
  • Renault.

All used unpatched Windows XP and Windows 7 systems. Baddest was the NHS. They use Windows on hardware where they can not upgrade the operating systems (...) and had to ask patients to stop coming to hospitals and use the general alarm number instead.

As of yet not a single machine using Linux or a single machine using wine got infected. Could it be done? Yes (not even "probably"). But the impact would probably be a single machine and not have a cascading effect. They would need our admin password for that. So "we" are of little interest to those hackers.

If anything to learn from this ... stop using Windows for mail and general internet activities on a company server. And no, virus scanners are NOT the correct tool for this: updates for virusscanners are created AFTER the virus is found. That is too late.

Sandbox Windows: do not allow shares. Update those machines. -Buy- a new operating system when Microsoft cans a version. Don't use pirated software. A company still using Windows XP is asking for this to happen.

Our company policies:

  • Use Linux.
  • Don't use shares.
  • Use a password safe and do not save passwords outside the safe.
  • Use online mail.
  • Use online storage for documents.
  • Only use Windows inside virtualbox for things Linux can not do. We have some VPNs our clients use that are Windows only. You can prepare a vbox and copy it over when you have all the software in it you would need.
  • Windows systems that are used inside our company (personal notebooks for instance) are not allowed on the company network.

Solution 3:

This malware appears to spread in two steps:

  • First, via good ol' e-mail attachments: a Windows user receives an e-mail with an attached executable and runs it. No Windows vulnerability involved here; just user ineptitude in running an executable from an untrusted source (and ignoring the warning from their antivirus software, if any).

  • Then it tries to infect other computers on the network. That's where the Windows vulnerability comes into play: if there are vulnerable machines on the network, then the malware can use it to infect them without any user action.

In particular, to answer this question:

As I haven't booted Windows 8.1 in 6 to 8 weeks can I apply this patch from Ubuntu without booting Windows first?

You can only become infected through this vulnerability if there is an infected machine on your network already. If that is not the case, it is safe to boot a vulnerable Windows (and install the update right away).

This also means, by the way, that using virtual machines does not mean you can be careless. Especially if it is directly connected to the network (bridged networking), a Windows virtual machine behaves like any other Windows machine. You may not care very much if it gets infected, but it can also infect other Windows machines on the network.

Solution 4:

Based on what everyone wrote and spoke about this subject already:

WannaCrypt ransomware is not coded to work on other OS than Windows (not including Windows 10) because it is based on the NSA Eternal Blue exploit, which takes advantage of a Windows security breach.

Running Wine under Linux is not unsafe but you can infect yourself if you use this software for downloads, e-mail exchange and web-browsing. Wine does have access to many of your /home folder paths, which makes possible for this malware to encrypt your data and "infect" you in some way.

Briefly speaking: Unless the cyber-criminals intentionally design WannaCrypt to affect Debian (or other Linux distro) based OSs you should not be worried on this subject as an Ubuntu user, although it is healthy to keep yourself aware on cyber-threads.

Related

Creating a new folder in Nautilus
How do I install and mount an exFAT partition? [duplicate]
How to find location of installed library
How can I change xfce bottom panel to the top?
How to install libOpenCL.so on ubuntu
Take photo using webcam
how to check if $1 and $2 are null?
How can multiple private keys be used with ssh?
VirtualBox Guest Additions installation problem [duplicate]
How to flush dns in ubuntu 12.04? [duplicate]
Why is /etc/profile not invoked for non-login shells?
Gradle in Ubuntu for Launchpad