Dual Boot Question - Is Linux side safe if Windows side is infected

Discussion in 'Linux' started by ZenGreen, Apr 12, 2019.

  1. ZenGreen

    ZenGreen MDL Novice

    Jan 28, 2019
    I have my system set up with Linux 19.1 and Windows LTSC as a dual boot.

    If the Windows side gets a virus or gets attacked or something and is compromised (I don't really understand viruses, but for example something that searches your files and sends stuff out without you knowing, or whatever they do),

    and I then dual boot into Linux (no shared partitions or files or anything), will any of the stuff that attacked Windows also attack Linux? Or if I'm playing games in the Windows boot and it's compromised, can my Linux stuff (files on the Linux HDD partition) get read or compromised?

    In a nutshell, what I'm asking is: am I safe using my Linux setup if my Windows setup is compromised? Or can the virus keylog me or whatever while I'm using Linux if the virus is in Windows?

    Sorry, I don't understand a lot of this stuff.
  2. oldsh_t

    oldsh_t MDL Expert

    Dec 23, 2009
    You are safe!! 2 different systems.
  3. Nimbus2000

    Nimbus2000 MDL Member

    May 5, 2010
    Almost all viruses are written for Windows and will not run under Linux. Even if they could, because the systems are different, the exploit would not be the same.

    Another thing to consider is that Windows does not read Linux file systems. Basically, anything on a Linux partition is invisible to Windows.
  4. pf100

    pf100 MDL Expert

    Oct 22, 2010
    As everyone said, you'll be fine. A virus from one can't affect the other (so far).
    That's the greatest thing about dual booting. If one OS gets messed up you have another to fall back on.
  5. anonywimp

    anonywimp MDL Novice

    Jul 15, 2010
    #5 anonywimp, Aug 1, 2019
    Last edited: Aug 1, 2019
    Unless you were running as Administrator in Windows, then you're totally screwed :p

    Just kidding, but ... no not really kidding.

    There is absolutely no technical reason an infection couldn't jump from Windows to Linux on a dual boot system. Your only "protection" against this is that generic malware authors are incredibly lazy and/or stupid most of the time.

    Once you gave malware admin on your Windows, it could have
    • compromised your firmware
    • compromised your boot-loader
    • compromised your high-risk document-formats
    • cross-infected your linux userspace applications
    If the attack was targeted or sophisticated there is almost no limit to what might have happened. If your attacker was logged into your box and poking around, and knew what he was doing, he could just run an emulator and attach the emulator to your Linux partitions to pivot his control of your system.

    So, that's the bad news.

    The good news is, it's pretty unlikely. Especially if it was not a sophisticated targeted attack. But you simply can never be 100% sure you're not infected with some kind of malware.

    Don't believe me? Google "Reflections on Trusting Trust." Worth it for historical/entertainment value even if it's not relevant to your situation.

    You have to assume there is a very low, non-zero possibility that your linux is compromised. You're probably fine. But there is some chance it happened. And, well you pays your money and then you takes your chances!

    If you're worried enough to ask, my advice is you might as well just do the paranoid thing and nuke your whole drive.

    First, boot a LiveUSB for whatever flavor of Linux you're used to. Then make a big slow drive-image backup of everything, if you can afford to. That way whatever mistakes you make you'll recover from. Throw that backup in a closet somewhere and forget about it.

    Then, back up the stuff you care about (including a list of installed packages), to something fast, preferably an SSD or zippy Corsair USB3 stick or something like that.

    Then, close your eyes and press the button to burn your drive full of zeros, and maybe even burn a known-safe firmware onto your system, preferably using BIOS flashback, if your motherboard has that.

    Then reinstall Linux, ask for your old packages back, and restore the SSD backup with your data files. If you did a good job you'll barely lose a thing and wind up with a faster, cleaner Linux.

    If it turns out backup/reinstall is super-hard, maybe think about how you could make it easier for yourself in the future.

    A time-saving device for auditing linux files: the impossibly confusing syntax "sudo grep -rIL . /foo /bar" will show you a list of text files anywhere under /foo or /bar. Likewise "sudo grep -rIl . /foo /bar" will show a list of non-empty binary files in the same trees. But bear in mind this "text-file" detection is heuristic and although it works for finding code, it might not work 100% of the time.

    One other tip: if you have a huge data-hoarding problem, try a deduplicating backup system like borg backup. Most of the data being hoarded is highly redundant and will compress by huge factors. If you have archives, especially encrypted archives, uncompress them and back them up raw, for maximum dedup.
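The post above says a cross-infected Linux userspace or boot-loader cannot be ruled out and suggests auditing from a LiveUSB before deciding whether to nuke. The check a practitioner would run at that point is an integrity comparison against package-manager checksums. The following is an added example (mine, not code from the thread): it verifies a Debian/Ubuntu root, mounted read-only from a LiveUSB, against dpkg's per-package `.md5sums` manifests. It assumes the standard manifest location `var/lib/dpkg/info/<pkg>.md5sums` and the `md5sum`-style line format `<md5hex>  <path relative to />`; the package `demo-tools`, its files and the tampering are constructed for the demo. Two caveats: the manifests live on the same disk the attacker had admin on, so for a real check take them from the original `.deb` files or a clean install; and the bootloader copies that `grub-install` places on the ESP are not in any manifest, so those have to be compared against the package's own copy by hand.

```python
"""Verify a read-only mounted Linux root against dpkg's per-package .md5sums manifests.

Boot a LiveUSB, mount the suspect root read-only, and point verify_root() at it.
Every file a Debian/Ubuntu package shipped is listed in
var/lib/dpkg/info/<pkg>.md5sums as "<md5hex>  <path relative to />", so a patched
binary shows up as "modified" and a deleted one as "missing".  MD5 is used here only
to identify changed files, exactly as dpkg does; it is not a security primitive.
"""
import hashlib
import tempfile
from pathlib import Path

MANIFEST_DIR = "var/lib/dpkg/info"


def load_manifests(root):
    """Yield (package, relative path, expected md5) from every .md5sums manifest under root."""
    for manifest in sorted((Path(root) / MANIFEST_DIR).glob("*.md5sums")):
        pkg = manifest.name[: -len(".md5sums")]
        for line in manifest.read_text().splitlines():
            if line.strip():
                digest, _, rel = line.partition("  ")  # two spaces, md5sum(1) style
                yield pkg, rel.strip(), digest.strip().lower()


def md5_of(path):
    """Stream a file through MD5 so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_root(root):
    """Return {'ok': count, 'modified': [(pkg, path)], 'missing': [(pkg, path)]}."""
    report = {"ok": 0, "modified": [], "missing": []}
    for pkg, rel, expected in load_manifests(root):
        path = Path(root) / rel
        if not path.is_file():
            report["missing"].append((pkg, rel))
        elif md5_of(path) != expected:
            report["modified"].append((pkg, rel))
        else:
            report["ok"] += 1
    return report


def build_sample_root():
    """Constructed root tree: a hypothetical package 'demo-tools' with three files,
    one patched after installation and one deleted.  Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="suspect-root-"))
    files = {
        "usr/bin/demo": b"#!/bin/sh\necho demo\n",
        "usr/lib/demo/helper.so": b"\x7fELF" + b"\0" * 60,
        "usr/share/demo/README": b"demo tools\n",
    }
    lines = []
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
        lines.append("%s  %s" % (hashlib.md5(content).hexdigest(), rel))
    (root / MANIFEST_DIR).mkdir(parents=True)
    (root / MANIFEST_DIR / "demo-tools.md5sums").write_text("\n".join(lines) + "\n")
    # Simulated post-install tampering: one binary rewritten, one file removed.
    (root / "usr/bin/demo").write_bytes(b"#!/bin/sh\necho demo; echo tampered\n")
    (root / "usr/share/demo/README").unlink()
    return str(root)


if __name__ == "__main__":
    print(verify_root(build_sample_root()))
```

`dpkg --verify` and `debsums` do the same comparison on a running system; doing it from a LiveUSB with the suspect root mounted read-only is the point, because a compromised kernel or libc on the suspect system could otherwise lie about what the files contain.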
  6. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    #6 Yen, Aug 1, 2019
    Last edited: Aug 1, 2019
    That's the essence of your post. Anything else is plain academic...(OP assumes windows OS is infected, not Linux).

    BTW: 'Jumping' alone is not sufficient. (Remember windows cannot access any EXT partition). The virus should be able to run on the target OS and do some damage. Hardly possible speaking of a windows virus.
  7. anonywimp

    anonywimp MDL Novice

    Jul 15, 2010
    #7 anonywimp, Aug 2, 2019
    Last edited: Aug 2, 2019
    That's not really so. There are Windows filesystem drivers for ext[234]fs and I believe even LVM. But let's say OP is running an experimental new filesystem for which only linux drivers exist. Well, all the data on disk is accessible, read-write, as "\\.\PhysicalDisk0", using standard Windows file APIs, to a sufficiently privileged process. So they could still drill in manually, just far enough into our hypothetical filesystem to pivot. Or they could infect the bootloader to pivot next time linux loads. Or they could just pivot right away using WSL, qemu, virtualbox, vmware, a hijacked emulator built into antivirus software, etc.

    That stated, you are probably right -- it's probably mostly academic, if OP got malware from video-game piracy or some sort of careless e-mail attachment manipulation. But, again, I would say this really depends how paranoid OP is and what he knows about the particulars of his own situation.

    Although it's small compared to Mac and Windows, the Linux desktop has been quietly picking up a lot of steam lately*. I've been hearing numbers approaching 2% lately. Not sure I really trust those, but if that's even close to right, that's a genuinely significant share, in fact it's a hell of a lot of people.

    If the current adoption trend continues it's a matter of time before exploits start to appear in script-kiddie exploit packages for pivoting in this way from Windows to Linux. For targeted attacks it's been possible for a long time without a huge coding effort.

    One other concern: If the infection was ransomware, it may well have scribbled over the partition tables, making recovery potentially quite technically challenging. It might also have literally "accidentally" filled the linux partitions with random data, or even successfully encrypted them if it happens to operate at a low enough level (but, again, I think most of them don't work this way; from what I've heard about , they mostly just replace the files).

    There's also a Linux->Windows cross-infection possible, if someone fires up malware within the wine emulator. That's a fairly plausible scenario for someone pirating windows software to play on their Linux desktop. Some malware is known to run successfully under wine, so this is not at all hypothetical. And if that user had their real dos or NTFS partition mounted read-write with squashed permissions, that could indeed lead to a sort of total multi-OS Armageddon :)

    * Pun intended, I suppose. But actually, I suspect this is largely due to Microsoft's UWP fetish since 8.0. To this day I get calls from non-technical people whose Win7 and XP laptops died and are having some sort of "live-tile meltdown." They see those squares (or, as one friend recently described them to me while calling for help after getting stuck in Tablet mode, "all those candy-colored pieces of s**t") and for whatever reason, they just freak out! They seem like a decent design to me personally but I guess I've had time to adjust. Plus I'm one of those 2% so it's not really applicable.
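An added example (mine, not code from the thread) of the raw-disk access post 7 describes: Python that parses the GPT and probes each partition for an ext2/3/4 superblock using nothing but seeks and reads, the way an administrator process on Windows would through the raw device `\\.\PhysicalDrive0` (that is the device name; reads on it must be whole sectors, which the code keeps to) or root would through `/dev/sda`. It runs here on an in-memory image constructed for the demo (protective MBR, primary GPT, an ESP, and a "root" partition carrying only an ext4 magic and volume label; the backup GPT is omitted), and it rejects a header or partition array whose CRC32 no longer matches, which is what the scribbled partition table from the ransomware scenario in the same post looks like. The GUID constants are the published GPT type GUIDs; everything else is assumed layout for the sample.

```python
"""Locate ext2/3/4 partitions on a raw disk by parsing its GPT, with no filesystem driver.
Whoever can open the raw device (administrator on Windows via \\\\.\\PhysicalDrive0, root on
Linux via /dev/sda) reads every byte of every partition; "invisible to Windows" means no driver."""
import io
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte header at LBA 1
GPT_ENTRY_FMT = "<16s16sQQQ72s"          # 128-byte partition entry
EXT_SB_OFFSET, EXT_MAGIC = 1024, 0xEF53  # superblock 1 KiB into the partition; s_magic at 0x38
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
LINUX_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")
PARTITION_TYPES = {ESP_GUID: "EFI System", LINUX_GUID: "Linux filesystem"}


def _read_at(disk, offset, length):  # whole-sector reads; raw Windows devices reject others
    disk.seek(offset)
    data = disk.read(length)
    if len(data) != length:
        raise ValueError("short read at offset %d" % offset)
    return data


def parse_gpt(disk):
    """Used entries of the primary GPT as dicts; ValueError on a bad signature or CRC,
    which is what a ransomware pass that scribbled over LBA 1-33 looks like."""
    hdr = _read_at(disk, SECTOR, SECTOR)
    (sig, _rev, hdr_size, hdr_crc, _rsv, _cur, _bak, first_usable, last_usable, _guid,
     entries_lba, n_entries, entry_size, array_crc) = struct.unpack_from(GPT_HEADER_FMT, hdr)
    if sig != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1")
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:  # CRC field zeroed
        raise ValueError("GPT header CRC mismatch")
    if entry_size < 128 or not 0 < n_entries * entry_size <= 1 << 20:
        raise ValueError("implausible partition array geometry")
    array = _read_at(disk, entries_lba * SECTOR, n_entries * entry_size)
    if zlib.crc32(array) != array_crc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        type_raw, _uniq, first, last, _attrs, name_raw = struct.unpack_from(GPT_ENTRY_FMT, array, i * entry_size)
        type_guid = uuid.UUID(bytes_le=type_raw)  # GPT stores GUIDs mixed-endian
        if type_guid.int == 0:
            continue  # unused slot
        if not first_usable <= first <= last <= last_usable:
            raise ValueError("entry %d lies outside the usable LBA range" % i)
        parts.append({"type": PARTITION_TYPES.get(type_guid, str(type_guid)),
                      "name": name_raw.decode("utf-16-le").rstrip("\0"),
                      "offset": first * SECTOR, "size": (last - first + 1) * SECTOR})
    return parts


def probe_ext(disk, part):
    """Volume label if the partition carries an ext superblock, else None."""
    sb = _read_at(disk, part["offset"] + EXT_SB_OFFSET, 1024)  # raises if under 2 KiB
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        return None
    return sb[0x78:0x88].split(b"\0", 1)[0].decode("utf-8", "replace")  # s_volume_name


def find_linux_filesystems(disk):
    """[(partition name, type, ext label)] for every partition carrying an ext superblock."""
    return [(p["name"], p["type"], label) for p in parse_gpt(disk)
            if (label := probe_ext(disk, p)) is not None]


def build_sample_disk(scribble_at=None):
    """Constructed 64-sector disk (protective MBR, primary GPT, an ESP, an ext4 'root') as a
    file object; scribble_at XORs one byte with 0xFF first, to simulate a damaged table."""
    total, n_entries, entry_size, entries_lba = 64, 128, 128, 2
    first_usable, last_usable = entries_lba + n_entries * entry_size // SECTOR, 57  # LBA 34..57
    layout = [(ESP_GUID, uuid.UUID(int=1), 34, 41, "EFI system partition"),
              (LINUX_GUID, uuid.UUID(int=2), 42, 57, "root")]
    img = bytearray(total * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0, b"\0\2\0", 0xEE, b"\xff\xff\xff", 1, total - 1)
    img[510:512] = b"\x55\xAA"  # protective MBR: one 0xEE entry covering the whole disk
    array = bytearray(n_entries * entry_size)
    for i, (ptype, puid, first, last, name) in enumerate(layout):
        struct.pack_into(GPT_ENTRY_FMT, array, i * entry_size, ptype.bytes_le, puid.bytes_le,
                         first, last, 0, name.encode("utf-16-le"))

    def header(crc):  # header CRC is computed with its own field zeroed, then patched in
        return struct.pack(GPT_HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, crc, 0, 1, total - 1,
                           first_usable, last_usable, uuid.UUID(int=3).bytes_le,
                           entries_lba, n_entries, entry_size, zlib.crc32(array))
    img[SECTOR:SECTOR + 92] = header(zlib.crc32(header(0)))
    img[entries_lba * SECTOR:entries_lba * SECTOR + len(array)] = array
    sb = 42 * SECTOR + EXT_SB_OFFSET  # minimal ext4 superblock: magic and volume name only
    struct.pack_into("<H", img, sb + 0x38, EXT_MAGIC)
    img[sb + 0x78:sb + 0x78 + 6] = b"rootfs"
    if scribble_at is not None:
        img[scribble_at] ^= 0xFF
    return io.BytesIO(bytes(img))
```

Against a real disk the same two calls take `open(r"\\.\PhysicalDrive0", "rb")` from an administrator prompt or `open("/dev/sda", "rb")` as root and list the Linux partitions with their labels; walking from the superblock to individual files is more parsing of the same kind, and the third-party ext drivers the post mentions already do it. This is also exactly what partition managers and imaging tools do, which is why "invisible" here means only that no driver is loaded, not that anything is protected.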
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    #8 Yen, Aug 2, 2019
    Last edited: Aug 2, 2019
    The other way around Linux-->Windows I'd also consider as more probable.

    The reasons for it are either wine (wine itself) or simply the fact that Linux can have access to windows partitions natively.

    There would even be the 'advantage' of having practically full access to windows system files, since windows is vulnerable concerning file permissions when being accessed from a second OS.

    Password reset tools (for local windows accounts) make use of that. They have a minimal Linux OS; when booted, one can access the SAM of windows and overwrite / edit passwords from there. SAM (Security Account Manager) is a part of the registry, encrypted, but its encryption is very weak.

    Considering this scenario we could only speak of either a Linux virus that uses Windows OS as a backdoor (hardly possible) to get placed there or vice versa (more probable).

    Anyway there are some more facts:

    -A virus has to be written so that it can run where it's supposed to be. A native Windows virus cannot run on Linux at all. (API, Application Programming Interface).

    A virus that has infected windows cannot infect / run on Linux. A virus that has infected Linux cannot infect / run on windows. Both can damage files which are on shared partitions, though.
    I'd say a Linux virus could also damage the windows system (partition) as well, but hardly vice versa.

    -We have to differentiate damage from infection.

    -Writing such viruses requires a lot more work. They would have to be designed with this dual-boot setup in mind.

    -Infecting parts of the boot chain or even the UEFI is, strictly speaking, neither a Linux nor a Windows virus. UEFI can be considered its own OS, actually.

    I am also dual booting LTSC and Kubuntu, where Kubuntu is my main OS, at least at home.
    The Kubuntu drive is LUKS encrypted, a measure which I can additionally recommend.

    Edit: Almost forgot that answer:
    No, in this scenario you are really safe. To have the virus being active you would have to boot windows.

    When booting to Linux there is absolutely no virus!