All Discussions > Steam Forums > Steam Discussions > Topic Details
Lennos 2 Jul @ 7:31am
Question about proton increasing the risk of malware on linux
Edit: After fact checking some responses adjusted the title to not make misleading claims.

WINE is compatible with Windows Malware as per their own FAQ:
https://gitlab.winehq.org/wine/wine/-/wikis/FAQ#is-wine-malware-compatible

However the sandbox model proton is based on does not make this vulnerability system wide, which limits the risk substantially. The original title asserted that proton enabled Windows malware by default, which is incorrect.

While there is some level of risk here, it doesn't appear to be particularly high. Thank you to members of the community who responded with enough details to clarify this.

Leaving the original post for clarity.
_________

Recently Valve has enabled Proton/WINE by default so that games have better compatibility on Linux. I can understand why many users would want and desire this. However most of these users are probably completely unaware that they are being forced to make a trade off in security.

The mere presence of these libraries enables Windows malware to run on Linux. There have been many scholarly articles and studies written on this. I'll just provide some parts of an abstract from one of those sources:

"""
Linux is considered to be less prone to malware compared to other operating systems, and as a result Linux users rarely run anti-malware.

...

This project was conducted to assess the security implications of using Wine, and to determine if any specific types of malware or malware behavior have a significant effect on the malware being successful in Wine.

...

The study results provide evidence that Wine can pose serious security implications when used to run Windows software in a Linux environment

"""

Duncan, R., Schreuders, Z.C. Security implications of running windows software on a Linux system using Wine: a malware analysis study. J Comput Virol Hack Tech 15, 39–60 (2019). https://doi.org/10.1007/s11416-018-0319-9

(Accessed via https://link.springer.com/article/10.1007/s11416-018-0319-9#citeas)


Because Proton/WINE cannot be disabled there isn't a way around this problem. Linux users now have a choice: remove steam from LInux entirely so that you can remain completely immune to most of the malware out there, or have your games on Linux and take the non-trivial risk of being infected with it.

I have tried to make some sense out of why we would all be coerced into this situation. From what I can tell there were some usability issues that were solved by just enabling Proton by default.

I can understand why there is a business case for this, but as someone who WANTS a secure operating system I'm frustrated by having no option to disable it, even if the means of doing so would take extra effort.

The response I got from Steams customer service inspired no confidence and I'm sad to say indicated that support is entirely clueless on this topic, so I doubt we'll be able to get help that way.

Again, I'm sure many users appreciated this, but Valve either is completely unaware of the security risk they've silently imposed on all its Linux users or simply doesn't care. I imagine a sizable fraction of our community would actually care about this if they knew about it. From my perspective this was a large trust breaking maneuver on Valve's part.

If you feel like this was a thing you did want, be aware that you now will need far more advanced anti-malware if you're running Steam to attempt to mitigate the risk.
Last edited by Lennos; 19 hours ago
The author of this topic has marked a post as the answer to their question.
Click here to jump to that post.
Originally posted by Thiesen:
The variant of Wine Valve is using (Proton) essentially is a sandbox... ie NO part of ANY game installations is shared with other game installation...

Under WIndows this doesn't happens since NOTHING is sandboxed under Windows...

While Steam needed you to enter your login to install It (Steam needs to be able to talk to system stuff) the games themselves do not touch the kernel...
< >
Showing 1-15 of 21 comments
76561197960377633 2 Jul @ 7:44am 
Steam doesn't enable malware
#1
Wolfpig 2 Jul @ 7:45am 
Im quite sure that malware on Linux trough proton should be the same issue like on windows.....if you run everything with Administrator rights by default.

But most software should only start with that when it is explicitly done by the user.
And of course you wont have any issues at all if you not constantly browse shady sites.


BTW: There is Linux Specific Malware out there...but often gets ignored by Linux Users.
#2
Ben Lubar 2 Jul @ 7:45am 
Why are you adding Windows malware as a non-Steam game?

Malware doesn't just magically appear on your system, and Proton doesn't make exe files runnable system-wide.
#3
Wolfgang 2 Jul @ 7:52am 
Sure, if you run every crap out there via Proton/WINE then yes, it is a risk. To which common sense (not common, I know) should tell you that you shouldn't.
And I really want to know why you think that all or many games here on Steam are with malware, as this would be the only reason for your reaction as otherwise it would be a severe overreaction.
Why isn't every Windows system then infected with malware?

And the basic PC security 101: Don't run things on your PC that you got from shady sources. The weakest link in security is not the system but the user.
#4
blunus 2 Jul @ 8:22am 
"The study results provide evidence that Wine can pose serious security implications when used to run Windows software in a Linux environment"

The most weakness of any OS is always the end user who's gonna do something outside the official stores. As the good ol' post #1 says, Steam doesn't enable malware.
Last edited by blunus; 2 Jul @ 8:23am
#5
Realigo Actual 2 Jul @ 8:45am 
You raise a good point, but, exploits designed for Windows memory handled by the NT kernel won't cross the gap. The WINE element would need to be a stage to set up Linux elements, but this could unify the early stage.

A point I would make is that as Linux becomes more widespread, it will become more of a target. And unlike Windows, the culture around incident-response is vastly, vastly different in the Linux ecosystem and constitutes a huge weak point. Basically, what I am saying is, in Linux right now, if something gets past the door, it can be much harder for users to isolate and respond to while keeping the system intact. This fact alone will mean the Linux malware ecosystem will grow meaningfully without something like Wine, as adoption increases.
Last edited by Realigo Actual; 2 Jul @ 8:49am
#6
The author of this thread has indicated that this post answers the original topic.
Thiesen 2 Jul @ 9:11am 
The variant of Wine Valve is using (Proton) essentially is a sandbox... ie NO part of ANY game installations is shared with other game installation...

Under WIndows this doesn't happens since NOTHING is sandboxed under Windows...

While Steam needed you to enter your login to install It (Steam needs to be able to talk to system stuff) the games themselves do not touch the kernel...
#7
Wolfpig 2 Jul @ 9:44am 
Originally posted by Thiesen:
Under WIndows this doesn't happens since NOTHING is sandboxed under Windows...


The Windows Kernel is running in a VM..........
#8
JamesF0790 2 Jul @ 9:58am 
Security through obscurity is not security
#9
ShelLuser 2 Jul @ 11:21am 
It's a lot of bogus stuff... First, notice the date? 2018, which means this is already 7 years old and many enhancements have been made with regards to security.

Second.... it's actually pretty comical article if you take the time to read some test results because.... well:

5.1.1 =>
The malware was copied to C:\WINDOWS\system32\lssas.exe, compromising the lssase.exe service in both Linux and Windows.

Since when does Wine provide such a service out of the box? I mean... according to this article[medium.com] it takes quite a bit of effort to set this up. So... is this really has dangerous as is being claimed?

Then if you check out 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7 and 5.1.8 you'll notice something very specific:

None of the files that appeared to be dropped by the malware in the Windows environment were also dropped in the Linux environment, this suggests that the malware had not been successful at compromising the Linux system. None of the relevant registry API calls that were made in Windows were successful in Wine, this indicates that the malware had failed to make key registry changes when running in Linux.
...
The evidence collected during analysis suggests that the malware failed to compromise the Linux system running Wine. In Linux, the second process failed to initialize and the main process crashed during execution.
...
Analysis results for the Drixed sample can be viewed in Table 7. The analysis suggests that the malware was unsuccessful in compromising a computer running Linux and the Windows compatibility software Wine, the overall results can be viewed in Table 8. The malware did not extract information from internet browsers when running in the Linux environment.
...
The malware called eight functions to delete files in the Windows but only called three in the Linux. Similar registry based API calls were made in both environments, the most significant call being found in both environments in the location Software\Microsoft\Windows\CurrentVersion\Run, this registry location was changed to allow the malware to run when the infected computer started up. When running in Zero Wine some key processes failed to start and the Sleep.exe’ process crashed. Overall it was clear that the malware was not successful at compromising the Linux computer system.
...
When the malware was run on Windows it dropped the file rasphone.pbk was dropped by the malware, the difference list that was generated by Zero Wine confirmed that this file was not dropped in the Linux environment. The malware also failed to make significant changes to the registry in Linux such as the RAS AutoDial which is located at Software\Microsoft\RAS AutoDial. The malware successfully started all of the processes in the Linux environment; however, it was unable to start any of the services that were started in the Windows environment.
...
The malware did not recreate the vital registry based API calls that were called in the Windows environment. The malware was unsuccessful at making changes to the registry to ensure that it ran on start-up. The malware also failed to make changes to the registry to edit the Internet settings. The same processes started in Windows and Linux. The network traffic was not similar in the Linux environment with no DNS requests being detected. None of the services started in Windows were also started in Linux. It is clear that overall the malware was not successful at compromising the Linux system.
...
This means that it has not achieved its function of fingerprinting the system and had not made changes to the system to ensure that it would run on start-up. The fact that the main process appears to have failed to initialize suggests further that the malware has failed to compromise the target machine. The network activity, in Windows recorded as attempting to communicate with 91.239.232.145, was also not present in the PCAP file generated in the Linux environment. Neither the Tapisrv’ nor Rasman’ service was opened in the Linux environment. Table 22 concludes that the malware was unsuccessful in all areas, meaning it has failed to run successfully.
....
The network traffic that was detected in Windows revealed multiple DNS and ICMP requests. No similar packets were detected when the malware was run in the Linux environment. Overall the malware sample was partially successful at running in the Linux environment as similarities were found in the registry based API calls.
...
However, the malware was not entirely successful as it did not generate any network traffic in the Linux environment. The network traffic from the Windows virtual machine revealed that the malware attempted a DNS request to triplexfund.com. No similar packets were captured in the PCAP file generated by Zero Wine, this suggests that the malware was not completely successful as the call home function failed.

OP... did you even bother to actually read the article or did you simply do like many others: stop after you read the headline (and the summary / conclusion)?

Because it's pretty obvious from these quotes that the allegid risk is actually... non-existent. Because most of the malware that got tested... actually failed to do anything.
Last edited by ShelLuser; 2 Jul @ 11:28am
#10
Yzal 2 Jul @ 12:05pm 
Conclusion The research conducted in this study produced a series of results that can be used to develop an understanding of the behavior of Windows malware running in Linux via Wine. Results indicate that Windows malware is able to run successfully in a Linux environment through Wine. The success rates of Windows malware running in a Linux environment does appear to be relatively low. The fact that some samples of malware did run successfully illustrates that using the compatibility layer software Wine in a Linux environment does present a security risk to Linux systems, which would otherwise be secure against Windows malware.

TL;DR version: Don't download random ♥♥♥♥ and run it on your computer.
You know, basic internet security stuff.
Last edited by Yzal; 2 Jul @ 12:07pm
#11
Dango 2 Jul @ 12:40pm 
Is this related to steam removing the option to disable Steam Play for other titles option in the compatibility section?
#12
blunus 2 Jul @ 12:42pm 
Originally posted by Dango:
Is this related to steam removing the option to disable Steam Play for other titles option in the compatibility section?
No, it's not related.
#13
Wolfpig 2 Jul @ 12:48pm 
Originally posted by ShelLuser:


OP... did you even bother to actually read the article or did you simply do like many others: stop after you read the headline (and the summary / conclusion)?

Because it's pretty obvious from these quotes that the allegid risk is actually... non-existent. Because most of the malware that got tested... actually failed to do anything.


Ah, is that such a major security risk like some researchers found years ago in Android...... which had around 30-40 steps in it including sideloading different apps as root and at some point needed physical access to the device.
#14
Dendrobates Tinctorius 2 Jul @ 1:17pm 
Originally posted by Lennos:
The response I got from Steams customer service inspired no confidence and I'm sad to say indicated that support is entirely clueless on this topic, so I doubt we'll be able to get help that way.
that makes two of you, i guess
#15
< >
Showing 1-15 of 21 comments
Per page: 1530 50

All Discussions > Steam Forums > Steam Discussions > Topic Details
Date Posted: 2 Jul @ 7:31am
Posts: 21
Start a New Discussion

Discussions Rules and Guidelines