9/13/2017
06:30 PM

'Bashware' Undermines Windows 10 Security Via Linux Subsystem

New WSL feature in Windows 10 gives attackers a way to run malware without being detected by any current endpoint security tools, Check Point says.

Researchers at Check Point Software Technologies have developed a technique for running malware undetected on Windows 10 systems by taking advantage of the new Windows Subsystem for Linux (WSL) feature in the operating system.

Security researchers previously have expressed concerns about the potential for WSL to be misused for malicious purposes. The Check Point technique, which the developers have christened Bashware, is the first to actually demonstrate how that can happen.

"The research shows how easy it could be for a cybercriminal to take advantage of the new Windows Subsystem for Linux mechanism and enable any malware to bypass security products," says Oded Vanunu, Check Point's head of products vulnerability research.

"Most security vendors have not built protections into their solutions to block this potential exploitation path, so we are calling on the security industry to take immediate action and to modify their products to protect users against Bashware," he says.

On Wednesday, Microsoft downplayed the research and described Bashware as of low risk to organizations using Windows 10. "One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective," the company said in a statement. "Developer mode is not enabled by default."

WSL is a Windows 10 feature that gives developers a way to run Linux directly on Windows without modifications or the need for a virtual machine. Microsoft has described it as a feature that lets developers take advantage of the command-line interface to run most Linux tools, applications, and utilities directly on Windows. The feature exited beta testing in July and is now a fully supported feature on Windows 10.

Microsoft's main goal with WSL is to bring the familiar Linux Bash terminal into Windows, Vanunu says. WSL includes both user mode and kernel mode components that together enable an environment that behaves just like Linux.

At the core of WSL are containers called Pico processes that allow Linux binaries to run on Windows 10 and to make system calls directly to the Windows kernel. Pico processes have none of the characteristics of common Windows processes, though they have the same capabilities as Windows processes. This gives attackers an opportunity to hide and execute malicious ELF and EXE payloads from within WSL. Since current endpoint security tools, inspection tools, and debuggers are not designed to check Pico processes, the payloads remain undetected.

Bashware does not take advantage of any logic or implementation errors in WSL. It works because current security products simply are not designed to spot malware hidden and running in WSL. "Security products are not using today the Pico process API in order to take any prevention actions," Vanunu says.


Concerns about WSL enabling precisely such attacks have been floating for some time. Check Point's four-step Bashware technique is designed to show how it can actually happen.

The first step involves techniques for determining if the WSL feature is enabled on a Windows 10 machine and surreptitiously loading the needed components if the feature happens to be disabled on the system.

Since WSL runs only in developer mode, the second phase of Bashware involves entering developer mode by setting the appropriate registry keys using local administrator privileges, according to the Check Point paper.

The next two steps of Bashware involve downloading and extracting the Linux file system from Microsoft servers and having Windows malware run from the Linux instance by taking advantage of an open source compatibility layer that enables Windows apps to run on Linux.

No specific settings or conditions are required on a target machine for Bashware to work, Vanunu says. "Bashware automatically sets the environment without any user interaction, hence it affects all Win10 variations."
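The four steps above all leave host-level traces a defender can audit for: developer mode turned on, the WSL optional component installed, and the WSL launcher present. The following PowerShell function is an added example, not code from Check Point or Microsoft; it assumes the standard developer-mode registry location (AppModelUnlock), the DISM feature name Microsoft-Windows-Subsystem-Linux, and the System32\bash.exe launcher path, none of which the article names.

```powershell
# Added example: report whether the Bashware preconditions described in the
# article are present on this Windows 10 host. Run from an elevated session.
function Get-WslExposureReport {
    [CmdletBinding()]
    param(
        # Set this when WSL is sanctioned on the host so it is not flagged.
        [switch]$WslExpected
    )

    # Assumed well-known locations (not named in the article).
    $devModeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $featureName = 'Microsoft-Windows-Subsystem-Linux'
    $launcher    = Join-Path $env:SystemRoot 'System32\bash.exe'

    # Step two of the technique flips developer mode through the registry.
    $devMode = $false
    if (Test-Path $devModeKey) {
        $p = Get-ItemProperty -Path $devModeKey -ErrorAction SilentlyContinue
        $devMode = ($p.AllowDevelopmentWithoutDevLicense -eq 1)
    }

    # Step one loads the WSL optional component if it is missing.
    $featureState = 'Unknown'
    try {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction Stop
        $featureState = [string]$f.State   # 'Enabled' or 'Disabled'
    } catch { }

    $launcherPresent = Test-Path $launcher

    $findings = @()
    if ($devMode)                    { $findings += 'Developer mode enabled' }
    if ($featureState -eq 'Enabled') { $findings += 'WSL component enabled' }
    if ($launcherPresent)            { $findings += 'bash.exe launcher present' }

    $verdict = 'OK'
    if ($findings.Count -gt 0 -and -not $WslExpected) { $verdict = 'REVIEW' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DeveloperMode   = $devMode
        WslFeatureState = $featureState
        LauncherPresent = $launcherPresent
        Findings        = ($findings -join '; ')
        Verdict         = $verdict
    }
}

Get-WslExposureReport | Format-List
```

A REVIEW verdict on a host where WSL was never approved is the signal to investigate how and when the component and developer mode appeared.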


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
