26

After reading this question, now, I am wondering if WannaCry malware can infect Linux OS especially Ubuntu.

One of the answers talked about SMB2 and windows. Does it mean a Linux based computer is safe? (Beside the side effects, Wine, and being a conveyor)

Arminius
  • 44,242
  • 14
  • 143
  • 138
rajab
  • 279
  • 1
  • 3
  • 4
  • 5
    The answers at [How is the "WannaCry" Malware spreading and how should users defend themselves from it?](https://security.stackexchange.com/questions/159331/how-is-the-wannacry-malware-spreading-and-how-should-users-defend-themselves-f) clearly say which systems are affected and why: only Windows and not even all versions of Windows and because of a bug in the handling of SMB specific to these systems. Which means that Linux is not affected. Therefore considered as duplicate. – Steffen Ullrich May 14 '17 at 04:09
  • I think your question come from the confusion you have on SMB and Samba : SMB is a protocol and SAMBA is the opensource implementation of it. – elsadek May 14 '17 at 19:37
  • 1
    [Well, if you ignore the "No wine" requirement, it does run on linux and it does encrypt files](https://i.stack.imgur.com/KhY3m.png) – ave May 14 '17 at 21:35
  • As @HenryWHHackv2.0 indirectly points out this is a duplicate of my question in Ask Ubuntu: https://askubuntu.com/questions/914623/what-is-the-wanna-cry-ransomwares-possible-impact-on-linux-users?noredirect=1#comment1443063_914623 which specifically asks about Linux and wine (Windows simulator). On this site however this question isn't a dupe (IMO). It could be migrated to AU and closed as dupe or migrated to U&L (Unix & Linux) where it might stay open. If I had "reopen" rep points here I would click it. – WinEunuuchs2Unix May 17 '17 at 00:15

3 Answers3

53

WannaCry exploits a set of flaws in Microsoft's implementation of the SMB1 protocol. Since these are implementation flaws rather than structural flaws in the protocol itself, Linux systems cannot be automatically infected, but can be if manually installed. This is true regardless of if the systems are running Samba, Wine, or any other Windows-emulation layer.

Mark
  • 34,513
  • 9
  • 86
  • 135
  • 15
    I think saying that because what is being exploited is an implementation bug rather than a structural flaw in the protocol leading to the conclusion that Linux systems are "immune" is a bit much. There remains a possibility that the same bug could exist in Linux, or in Linux userspace code e.g. Samba. I agree with what you probably *meant*, though, that the likelihood of the same bug existing in a very different code base is exceedingly small. And of course, absent an emulation or similar layer the payload would not be able to execute on Linux, so even if the bug exists it's no big deal *now*. – user May 14 '17 at 12:07
  • 3
    Reports that Wine is affected: https://askubuntu.com/a/914954/107069 – schroeder May 15 '17 at 08:12
  • 1
    @schroeder, as I understand it, the AskUbuntu answer is from someone who downloaded and ran WannaCry. The worm can't self-propagate onto a Linux system the way it can with a Windows system -- it can only be installed manually. – Mark May 15 '17 at 09:26
  • 3
    Right, but this would constitute a modification to the statement of 'immunity' – schroeder May 15 '17 at 10:24
  • 1
    Is Linux really immune? Correct me if I'm wrong but the SMB vulnerability only helps in the spreading of the ransomware. It, however, plays no part in the encryption process of the infected machine file. As such if a Linux user were to download (for instance from a phishing attack) and run wannacry, the files would still be encrypted right? The only difference would be that the malware would not be able to spread and infect other machines on the same network. Am I right in saying this or am I missing something somewhere? – weejing May 16 '17 at 14:36
  • 3
    @weejing, WannaCry does not have any built-in method of propagation other than the SMB1 flaws. Yes, with sufficient effort, a Linux user could infect themselves, but it requires deliberate actions to bypass various barriers, unlike Windows, which can be infected just sitting there connected to a network. – Mark May 16 '17 at 20:13
6

Not this strain, it has been written exclusively to attack Windows <=7. WannaCry in its current form does not have any modules to spread directly to Linux-based systems. As mentioned, it uses a recently leaked NSA cyberweapon codenamed ETERNALBLUE to spread within the network, after someone has been infected wiJa th a malicious mail or other attack. It works because of a programming error in Windows' SMB ( network share ) code.

J.A.K.
  • 4,783
  • 13
  • 30
-16

Wannacry doesn't infect Linux machines. It uses CVE-2017-0146 and CVE-2017-0147 which is the NSA leak exploit which was released by Shadow Broker almost 3 weeks ago. It does affect Linux machines with wine configured.

It takes advantage of an SMB exploit.

There are 2 paths that can help you protect yourself.

  1. Make this domain available to your environment. http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com The wannacry uses this to detect if the environment is running under analysis or not. This domain was a unregistered domain until researchers realized. They made it and purchased to domain to stop the spreading. On registering the ransomware thinks it is running under sandbox and hence stops
  2. Download the patch officially release by Microsoft. Following is the link.

WannaCry: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

SMB patch: https://technet.microsoft.com/library/security/MS17-010

Concluding: WannaCry is the ransomware affects only Windows systems.

schroeder
  • 125,553
  • 55
  • 289
  • 326
m1lak0
  • 151
  • 3
  • 13
    The question asks if the malware affects Linux, so how is one supposed to use a Microsoft patch on such a system? – Soron May 14 '17 at 07:50
  • @everyone for whatever reason, this was accepted as an answer - I'm not sure I want to override the OP's wishes here - if you do not think this answer is helpful to others, your option is to downvote – schroeder May 17 '17 at 21:08
  • why this answer takes so many negative ratings? – hamedsh Dec 24 '19 at 20:03