Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/13/2017
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Bashware' Undermines Windows 10 Security Via Linux Subsystem

New WSL feature in Windows 10 gives attackers a way to run malware without being detected by any current endpoint security tools, Check Point says.

Researchers at Check Point Software Technologies have developed a technique for running malware undetected on Windows 10 systems by taking advantage of the new Windows Subsystem for Linux (WSL) feature in the operating system.

Security researchers previously have expressed concerns about the potential for WSL to be misused for malicious purposes. The Check Point technique, which the developers have christened Bashware, is the first to actually demonstrate how that can happen.

"The research shows how easy it could be for a cybercriminal to take advantage of the new Windows Subsystem for Linux mechanism and enable any malware to bypass security products," says Oded Vanunu, Check Point's head of products vulnerability research.

"Most security vendors have not built protections into their solutions to block this potential exploitation path, so we are calling on the security industry to take immediate action and to modify their products to protect users against Bashware," he says.

On Wednesday, Microsoft downplayed the research and described Bashware as of low risk to organizations using Windows 10. "One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective," the company said in a statement. "Developer mode is not enabled by default.” 

WSL is a Windows 10 feature that gives developers a way to run Linux directly on Windows without modifications or the need for a virtual machine. Microsoft has described it as a feature that lets developers take advantage of the command-line interface to run most Linux tools, applications, and utilities directly on Windows. The feature exited beta testing in July and is now a fully supported feature on Windows 10.

Microsoft's main goal with WSL is to bring the familiar Linux Bash terminal into Windows, Vanunu says. WSL includes both user mode and kernel mode components that together enable an environment that behaves just like Linux.

At the core of WSL are containers called Pico processes that allow Linux binaries to run on Windows 10 and to make system calls directly to the Windows kernel. Pico processes have none of the characteristics of common Windows processes, though they have the same capabilities as Windows processes. This gives attackers an opportunity to hide and execute malicious EFE and EXE payloads from within WSL. Since current endpoint security tools, inspection tools, and debuggers are not designed to check Pico processes, the payloads remain undetected.

Bashware does not take advantage of any logic or implementation errors in WSL. It works because current security products simply are not designed to spot malware hidden and running in WSL. "Security products are not using today the Pico process API in order to take any prevention actions," Vanunu says.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Concerns about WSL enabling precisely such attacks have been floating for some time. Check Point's four-step Bashware technique is designed to show how it can actually happen.

The first step involves techniques for determining if the WSL feature is enabled on a Windows 10 machine and surreptitiously loading the needed components if the feature happens to be disabled on the system.

Since WSL runs only in developer mode, the second phase of Bashware involves entering developer mode by setting the appropriate registry keys using local administrator privileges, according to the Check Point paper.

The next two steps of Bashware involve downloading and extracting the Linux file system from Microsoft servers and having Windows malware run from the Linux instance by taking advantage of an open source compatibility layer that enables Windows apps to run on Linux.

No specific settings or conditions are required on a target machine for Bashware to work, Vanunu says. "Bashware automatically sets the environment without any user interaction, hence it affects all Win10 variations."  

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.