Vulnerabilities / Threats

9/13/2017
06:30 PM
'Bashware' Undermines Windows 10 Security Via Linux Subsystem

New WSL feature in Windows 10 gives attackers a way to run malware without being detected by any current endpoint security tools, Check Point says.

Researchers at Check Point Software Technologies have developed a technique for running malware undetected on Windows 10 systems by taking advantage of the new Windows Subsystem for Linux (WSL) feature in the operating system.

Security researchers previously have expressed concerns about the potential for WSL to be misused for malicious purposes. The Check Point technique, which the developers have christened Bashware, is the first to actually demonstrate how that can happen.

"The research shows how easy it could be for a cybercriminal to take advantage of the new Windows Subsystem for Linux mechanism and enable any malware to bypass security products," says Oded Vanunu, Check Point's head of products vulnerability research.

"Most security vendors have not built protections into their solutions to block this potential exploitation path, so we are calling on the security industry to take immediate action and to modify their products to protect users against Bashware," he says.

On Wednesday, Microsoft downplayed the research and described Bashware as of low risk to organizations using Windows 10. "One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective," the company said in a statement. "Developer mode is not enabled by default."

WSL is a Windows 10 feature that gives developers a way to run Linux directly on Windows without modifications or the need for a virtual machine. Microsoft has described it as a feature that lets developers take advantage of the command-line interface to run most Linux tools, applications, and utilities directly on Windows. The feature exited beta testing in July and is now a fully supported feature on Windows 10.

Microsoft's main goal with WSL is to bring the familiar Linux Bash terminal into Windows, Vanunu says. WSL includes both user mode and kernel mode components that together enable an environment that behaves just like Linux.

At the core of WSL are containers called Pico processes that allow Linux binaries to run on Windows 10 and to make system calls directly to the Windows kernel. Pico processes have none of the characteristics of common Windows processes, yet they have the same capabilities as Windows processes. This gives attackers an opportunity to hide and execute malicious ELF and EXE payloads from within WSL. Since current endpoint security tools, inspection tools, and debuggers are not designed to check Pico processes, the payloads remain undetected.

Bashware does not take advantage of any logic or implementation errors in WSL. It works because current security products simply are not designed to spot malware hidden and running in WSL. "Security products are not using today the Pico process API in order to take any prevention actions," Vanunu says.


Concerns that WSL could enable precisely such attacks have been circulating for some time. Check Point's four-step Bashware technique is designed to show how it can actually happen.

The first step involves techniques for determining if the WSL feature is enabled on a Windows 10 machine and surreptitiously loading the needed components if the feature happens to be disabled on the system.

Since WSL runs only in developer mode, the second phase of Bashware involves entering developer mode by setting the appropriate registry keys using local administrator privileges, according to the Check Point paper.

The next two steps of Bashware involve downloading and extracting the Linux file system from Microsoft servers and having Windows malware run from the Linux instance by taking advantage of an open source compatibility layer that enables Windows apps to run on Linux.
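The preconditions described in these steps (developer mode, the WSL component, the downloaded Linux file system, and a running WSL session) are things a defender can audit. The following read-only PowerShell check is an added example, not Check Point's or Microsoft's code; it assumes the Developer Mode registry value under AppModelUnlock, the Microsoft-Windows-Subsystem-Linux optional feature name, the LxssManager service, and the per-user %LOCALAPPDATA%\lxss directory that 2017-era WSL used for its root file system.

```powershell
# Added example: audit a Windows 10 host for the WSL preconditions Bashware relies on.
# Run from an elevated PowerShell prompt. Read-only; nothing is changed.
# Assumed indicators (not from the article): AppModelUnlock\AllowDevelopmentWithoutDevLicense,
# the Microsoft-Windows-Subsystem-Linux feature, the LxssManager service, %LOCALAPPDATA%\lxss.

$findings = @()

# Developer Mode (the setting Bashware's second step turns on)
$devKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
$devMode = (Get-ItemProperty -Path $devKey -ErrorAction SilentlyContinue).AllowDevelopmentWithoutDevLicense
if ($devMode -eq 1) { $findings += 'Developer Mode is enabled' }

# WSL optional feature (what Bashware's first step checks for and loads if missing)
$wsl = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction SilentlyContinue
if ($wsl -and $wsl.State -eq 'Enabled') { $findings += 'WSL optional feature is enabled' }

# LxssManager is the service that backs WSL sessions
$svc = Get-Service -Name LxssManager -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { $findings += 'LxssManager service is running' }

# Downloaded Linux root file system (Bashware's third step); only the current
# user's profile is checked here, so run it per user account of interest
$lxss = Join-Path $env:LOCALAPPDATA 'lxss'
if (Test-Path $lxss) { $findings += "Linux file system present at $lxss" }

# WSL launchers. The Pico processes themselves are not flagged by Get-Process,
# which is exactly the visibility gap the article describes.
$launchers = Get-Process -Name bash, wsl -ErrorAction SilentlyContinue
foreach ($p in $launchers) { $findings += "WSL launcher running: $($p.ProcessName) (PID $($p.Id))" }

if ($findings.Count -eq 0) {
    Write-Output 'No WSL or Developer Mode indicators found on this host.'
} else {
    Write-Output 'WSL-related indicators found; compare against the expected baseline for this host:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

On developer workstations where WSL is sanctioned, these findings are expected; the useful signal is WSL or Developer Mode appearing on hosts whose baseline should not have them.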

No specific settings or conditions are required on a target machine for Bashware to work, Vanunu says. "Bashware automatically sets the environment without any user interaction, hence it affects all Win10 variations."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
