18

Today I have both Windows and Ubuntu installed on my SSD.

What happens if I for some reason get a malware/virus (targeted for Windows), perhaps downloading something I should not, while I am running Ubuntu?

Will the malware/virus find a way from the Ubuntu partition into the Windows partition and eventually do something with my Windows files? Assume that I have downloaded some malware (targeted for Windows) on my Ubuntu partition what is likely to happen?

Olba12
  • 1,069
  • 2
  • 8
  • 13

5 Answers5

12

If you had two viruses in play, one that infected Linux with a payload to infect Windows, then it could conceptually happen. However, a native Windows virus cannot run in Linux at all. The reason why nothing would happen has to do with something known as the "Application Binary Interface", or "ABI" for short.

In Windows, most system calls are performed through something called "INT 20h", while in Linux, system calls are performed through "INT 80h". This means that a Windows-based virus that tries to call the system through 20h would simply terminate without causing any harm, as INT 20h is a "DOS-compatible terminate program" command.

In reality, most virus writers are going to go through the path of least resistance: write a Linux virus to infect the currently running Linux system, and write a Windows virus to infect the currently running Windows system. It would take a significant amount of extra effort just to write a virus whose only purpose was to infect an offline OS.

As far as I know, it would be far easier to simply write a hypervisor virus that runs "underneath" the OS, as then the ABI would have no meaning, since they'd have direct access to the hardware and memory.

On the other hand, if you download a virus intentionally, for example, you were trying to get a copy of a game from a questionable resource, and you did this in Linux, but downloaded the file to your Windows partition, and you later ran the program in Windows, then you could indeed get infected at that point. The main point, however, is that Linux is impervious to Windows viruses, and Windows is impervious to Linux viruses. They simply do not speak the same language.

phyrfox
  • 5,724
  • 20
  • 24
  • 5
    A year ago I did have a hypervisor virus get into one of my DELL 690's which ran W7 64 bit on 'C' drive and Ubuntu on the 'D' drive. I had lost all permission to delete or edit any admin or sudo level file. I used drive 'E' to install Ubuntu and it found new 1MB partitions at the top of the 'C' and 'D' drives where the virus hid itself from scans. I wiped the partitions clean and found the root kit in my download directory, then deleted it. I was told by I.T. people that only the fed's have the software to do such a nasty trick. –  Jun 14 '16 at 03:18
  • @Sparky256 hypervisors are tricky things, as well as other viruses that can run on sub-processors, like a USB host controller, etc. Once you have that level of access, the OS's protections are completely pointless. I could probably write such a virus myself, if I had the time, but it would take someone with significant resources to make such a virus worthwhile. – phyrfox Jun 14 '16 at 03:31
  • 2
    ..... "and Windows is impervious to Linux viruses.." Well... http://security.stackexchange.com/questions/119075/with-ubuntu-on-windows-10-could-exploits-and-malware-that-work-on-ubuntu-or-re – mostlyinformed Jun 14 '16 at 06:18
  • This was all true before [Bash on Ubuntu on Windows](https://blogs.msdn.microsoft.com/wsl/2016/06/08/wsl-system-calls): "WSL executes unmodified Linux ELF64 binaries by emulating a Linux kernel interface on top of the Windows NT kernel". – isanae Jun 14 '16 at 16:00
  • I just took a look at those, and it's an emulation layer, which is cool, but that still means a Linux virus could only affect Windows if the exploit that the code uses exists in both the Linux and Windows kernel (this seems highly unlikely, although not outside the realm of possibility). More likely, a virus that could infect both Windows and Linux would be an ELF64 binary with branches of code to infect each OS by a different path. In other words, Microsoft has now made it possible for cross-platform viruses to exist. – phyrfox Jun 14 '16 at 16:30
  • "a native Windows virus cannot run in Linux at all" Ever heard of *WINE*? https://linux.slashdot.org/story/09/10/24/1759213/now-linux-can-get-viruses-via-wine – Ben Voigt Jun 14 '16 at 18:00
  • @BenVoigt Yes, I know WINE. It's a Windows *emulator*, transforming Windows calls into Linux calls. So, (a) it's WINE that gets infected, not Linux, (b) the virus can't do anything to trash the Linux OS or really anything much more than spam/zombie, and even *then*, the user has to start up WINE for the virus to resume, *and* most viruses depend on quirks in the kernel/drivers, which WINE does not faithfully reproduce. In other words, a native Windows virus does not magically jump to Linux without a push and a shove. – phyrfox Jun 14 '16 at 18:15
  • 3
    @phyrfox: WINE has access to the Linux filesystem, it can drop Linux-based scripts anywhere the user has write access. And if the dual-boot partition is mounted (pretty likely that a WINE user would want to access documents and programs from the real Windows install) then a virus running on WINE can embed itself there. WINE is a translation layer but it is not a sandbox. – Ben Voigt Jun 14 '16 at 18:20
  • 1
    Wait, what? In Windows programming, system calls are made by calling the Windows API. `INT` is an archaism from the DOS days and most modern compilers won't even generate it in their output. – Mason Wheeler Jun 14 '16 at 18:39
  • @MasonWheeler Yes, they do. Open up notepad.exe in a hex viewer and look for "20 CD", which is the binary for "INT 20." The calling syntax is a little different, as the parameters are not passed by register or stack, but instead follow the INT 20 call in subsequent memory addresses. See [20----Vx0001](http://www.delorie.com/djgpp/doc/rbinter/id/84/24.html) as an example. – phyrfox Jun 14 '16 at 19:06
  • 1
    @phyrfox I just checked. The hex "20 CD" is not found anywhere in Notepad.exe, Windows 8 version. Your link is specifically talking about directly accessing device drivers, which is kernel-only functionality; user-mode code can't do that, as part of the security model. As I said, system calls are performed by making ordinary function calls to the Windows API. – Mason Wheeler Jun 14 '16 at 19:11
  • @BenVoigt What you've basically described is not even a Windows virus. It's a Linux virus that's designed to attack a specific application (WINE) in order to gain access to the hard drive, and then infect a second operating system, which would admittedly be easier to modify the files (because that OS's protections are not present), but would still also have to do in a way that Windows would not detect it, by way of modifying poorly documented files. I wouldn't say it's impossible, but it would take a three-letter agency's resources to make something viable, I'd wager. – phyrfox Jun 14 '16 at 19:16
  • "Will the malware/virus find a way from the Ubuntu partition into the Windows partition **and *eventually* do something** with my Windows files?" It seems like you've completely ignored the question. Obviously, something written for Windows won't run *while* you are in Linux. But what about the next time you boot into Windows? What happens if you *actually run it* from the ext3/4 partition instead of the ntfs partition? – Shane Jun 14 '16 at 21:24
  • @phyrfox: No. A pure Win32 virus which attacked a program running in WINE (image file format buffer overflow attack for example) could search the filesystem for *.DLL and continue its infection. WINE's file handling support is good enough that a bit of shellcode could very well find the functions it needs and never know that `GetProcAddress` is finding functions in WINE DLLs and not real Win32 DLLs. And the files it patches will be the real Windows ones, not the WINE version. All it needs is enough smarts to locate DLLs on other-than-C-drive, which is seen completely apart from WINE also. – Ben Voigt Jun 14 '16 at 21:33
7

In many Ubuntu dual-boot setups it is possible to run code as an unprivileged user which has the ability to write to the Windows partition. Because, if you can do it with the file manager without getting asked for a system password a malware could mount the windows partition too with the same kind of helper. And if the malware setups a file into the Autostart folder of the Windows user it gets executed on the next boot of Windows. Or it could simply read the Windows files and send them to the attacker.

If this way is not possible the malware might try to use a privilege escalation bug to get either root or even kernel permissions. From there it could mount and write to the Windows partition or even setup a BIOS/UEFI malware.

And sometimes not even privilege escalation is needed because you are doing some seemingly innocent software installation as root, like trying to install some python package and making a typo.

Of course the original malware would have to be designed with this dual-boot setup in mind. Chances are low that you encounter a malware running in Ubuntu at all (apart from malware targeting web servers), chances are even lower that this is designed to infect the Windows partition in a dual-boot setup. But it is possible and probably not even hard to implement. And especially if you are an interesting target and the attacker knows about your setup then he might try this attack path.

One way to protect you against this is by encrypting your Windows partition so that it is impossible to access the files from outside the Windows OS. This does not protect against attacks on the BIOS/UEFI level though.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • According to http://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/ you can encrypt the windows partition in Windows 10, which is the version I have, just by switching it on in a menu. Would it be enough to just turn this on in Windows? – Olba12 Jun 14 '16 at 11:29
  • 1
    @Olba12: if the drive itself is encrypted this way it should protect against simply accessing the Windows files from Ubuntu. You might still have to deal with attacks at the BIOS/UEFI. But these are much harder and more system specific so the chance to get infected by these is even lower. – Steffen Ullrich Jun 14 '16 at 11:50
5

Yes, it is possible for a malware to infect the Windows partition while your are using Linux - source: it happened to me.

This was many years ago when I was starting with Linux. The dualboot system was currently running under Linux, and I wanted to exchange files between two computers using Samba. Since there were some problems with it, I removed all security protections and limitations in Samba one by one until it finally worked (or maybe it didn't even work, I don't remember).

Upon booting back into Windows some time later I was greeted by several alarms by the personal firewall asking if programs xyz and foo are allowed to connect to the internet. Those turned out to be malware executables located in c:\windows\system or the like.

Turns out with my Samba fiddling under Linux I had actually shared the entire Windows C:\ drive with write permissions and without any authentication or address limitation; and also apparently I didn't have any firewall activated in Linux (or maybe I had disabled that as well). Since this was in the days before SOHO router were commonplace, the computer was directly connected to the internet via DSL modem. So some malware had found my writable Samba share (probably by brute-force scanning of IP ranges), had copied itself into the Windows system directory, and had also added necessary entries to autostart files it had found there. Naturally the infection had stayed dormant while Linux was running, but became active next time I booted Windows.

So granted, this was a massive heap of f***ups on my part; but it shows that if you are sufficiently careless under Linux you might even infect your Windows system.

oliver
  • 541
  • 4
  • 10
  • This is something I myself could have done. Thanks for telling, maybe this will make me less naive. :) – Olba12 Jun 14 '16 at 16:28
3

If the Windows partition is mounted, then any user with permission to write to that mount can change any file as they please, without the normal restrictions or permissions that would be enforced when Windows is booted. This could allow a malicious user to replace critical system files in order to infect Windows.

That being said, I don't think there is any known malware that does this. It would need to be specifically targeted for this scenario and would require the Windows partition to be mounted with certain permissions.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
  • 1
    "That being said, I don't think there is any known malware that does this." You might want to weaken that statement even further (malware exploit in 3...2...1). Dual boot isn't that uncommon. – Maarten Bodewes Jun 14 '16 at 11:48
1

The other answers explain pretty well why Windows malware won't run on Ubuntu. However there are some languages like Java, and most interpreted languages which are cross platform like PHP, Python, Ruby, etc, and malware written in any of those languages will execute just fine on Windows, Mac, Linux, and even BSD.

Assuming the malicious code can run successfully under Ubuntu, it can then proceed to do whatever it wants, mostly getting root (using a kernel exploit for example) and then writing to the Windows partition to copy itself there as well.

André Borie
  • 12,706
  • 3
  • 39
  • 76