Wine 'stable' comes with a trojan - confirmed by VirusTotal #3255

paul-hammant · 2022-05-10T08:15:05Z

paul-hammant
May 10, 2022

Yesterday:

brew tap homebrew/cask-versions
brew install --cask --no-quarantine wine-stable

Avira caught a virus locally. VirusTotal confirmed:

Local verification of SHA256:

$ shasum -a 256 winedevice.exe 
7073edb2bb06f9e914ebf28439c48fe99e1715d62690251e267110f3f6fb28c4  winedevice.exe

I looked at the hackerOne system for posting this, but figured that was for issues in Homebrew itself.

Janis1970 · 2022-05-10T08:53:34Z

Janis1970
May 10, 2022

Sent using the mobile mail appOn 2022-05-10 at 10:15, Paul Hammant wrote: From: "Paul Hammant" ***@***.***>Date: 10 May 2022To: "Homebrew/discussions" ***@***.***>Cc: "Subscribed" ***@***.***>Subject: [Homebrew] Wine 'stable' comes with a trojan - confirmed by VirusTotal (Discussion #3255) Yesterday: brew tap homebrew/cask-versions brew install --cask --no-quarantine wine-stable Avira caught a virus locally. VirusTotal confirmed: Local verification of SHA256: $ shasum -a 256 winedevice.exe 7073edb2bb06f9e914ebf28439c48fe99e1715d62690251e267110f3f6fb28c4 winedevice.exe I looked at the hackerOne system for posting this, but figured that was for issues in Homebrew itself. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

0 replies

SMillerDev · 2022-05-10T09:06:37Z

SMillerDev
May 10, 2022

This should be reported to wine and https://docs.brew.sh/Acceptable-Casks#apps-that-bundle-malware should be followed

1 reply

Gcenx May 10, 2022

Let me copy/paste from one of my other projects that uses wine.

FAQ

My Antivirus says it's a VIRUS!!!

You need to contact your AntiVirus/AntiMalware vender to connect these false positives.
This started once wine moved to using Mingw-gcc to compile PE binaries.

See the following examples

paul-hammant · 2022-05-10T12:52:58Z

paul-hammant
May 10, 2022
Author

Eight security vendors saying the same thing is still a false positive?

3 replies

Gcenx May 10, 2022

If there were actually a virus don't you think this would have been detected by all the vendors?

Heres scans on other binaries from that archive, these three will be ran constantly.

https://www.virustotal.com/gui/file/4be9e01f1387a3f7f3088d548e855d32f772791a7f8c2d8f20a1b16a0f78d664?nocache=1
winecfg.exe 4be9e01f1387a3f7f3088d548e855d32f772791a7f8c2d8f20a1b16a0f78d664
1

https://www.virustotal.com/gui/file/115e5d6c8065136faf84c83d9cb032d4b9f53fe982b5ee5e359e1a626874d3de?nocache=1
cmd.exe 115e5d6c8065136faf84c83d9cb032d4b9f53fe982b5ee5e359e1a626874d3de
1

https://www.virustotal.com/gui/file/9e76c86f2c6064a09b37d6b6c0c7ba901743b4924fc63ca42f713d6bc0e3158f?nocache=1
ntdll.dll 9e76c86f2c6064a09b37d6b6c0c7ba901743b4924fc63ca42f713d6bc0e3158f
2

Have you also noticed that each of those vendors all flag the file as a different threat?

Gcenx May 10, 2022

Eight security vendors saying the same thing is still a false positive?

Also don't you mean 15 as per the scan not 8

seathasky May 10, 2022

This feels fitting right about now haha.

FleetAdmiralButter · 2022-05-10T13:39:51Z

FleetAdmiralButter
May 10, 2022

This is a pretty common occurrence in the Wine community - AV vendors flag Wine executables as some sort of "generic" malware. If you actually take a look at the names, notice that none of the AV engines are actually able to assign a virus strain other than something like "Trojan.Generic" or some ML-generated ID.

I would also question the motive - if it were the maintainer's intent to infect people's Macs (this being a Homebrew package), why on earth would they bundle it as an easily detectable Win32 application?

1 reply

Gcenx May 10, 2022

The amount of files flagged also changes depending on the version of each component of mingw-w64.

Older binutils versions were even worse forcing Valve to actually patch the header generation code to help alleviate this.

The latest binutils is slightly better but I’d only recently bumped this due to the parallel compile bug that was only recently fixed due to Brendon bugging upstream.

Gcenx · 2022-05-12T01:47:38Z

Gcenx
May 12, 2022

I'd though to test if the newer binutils help much for winedevice.exe so rebuilt wine-stable-7.0 and yeah not really

https://www.virustotal.com/gui/file/16fa8aac3d3226e76e350a62e50354d482e58afa0854afd75e88101717723414 winedevice.exe from i386-windows directory (14)

https://www.virustotal.com/gui/file/c49fb78b7994c52d241cb21fb22d41cd281696ea48271b01d4f6a8e898473b0c winedevice.exe from x86_64-windows directory (3)

https://www.virustotal.com/gui/file/2ad4608d06244e2f39aa1804ad11b26d6ef5588ff1eb6b3eb2ade2032c18c62a this winedevice.exe was from x86_64-windows directory (4), this one was built using github actions and the bottle(s) can be downloaded from https://github.com/Gcenx/homebrew-wine where I'm providing a wine formula

These AV vendors are really dam lazy.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Homebrew

Wine 'stable' comes with a trojan - confirmed by VirusTotal #3255

{{title}}

Replies: 5 comments 5 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Wine 'stable' comes with a trojan - confirmed by VirusTotal #3255

Replies: 5 comments · 5 replies

FAQ

My Antivirus says it's a VIRUS!!!

paul-hammant May 10, 2022 Author

Replies: 5 comments 5 replies

paul-hammant
May 10, 2022
Author