9/13/2017
06:30 PM

'Bashware' Undermines Windows 10 Security Via Linux Subsystem

New WSL feature in Windows 10 gives attackers a way to run malware without being detected by any current endpoint security tools, Check Point says.

Researchers at Check Point Software Technologies have developed a technique for running malware undetected on Windows 10 systems by taking advantage of the new Windows Subsystem for Linux (WSL) feature in the operating system.

Security researchers previously have expressed concerns about the potential for WSL to be misused for malicious purposes. The Check Point technique, which the developers have christened Bashware, is the first to actually demonstrate how that can happen.

"The research shows how easy it could be for a cybercriminal to take advantage of the new Windows Subsystem for Linux mechanism and enable any malware to bypass security products," says Oded Vanunu, Check Point's head of products vulnerability research.

"Most security vendors have not built protections into their solutions to block this potential exploitation path, so we are calling on the security industry to take immediate action and to modify their products to protect users against Bashware," he says.

On Wednesday, Microsoft downplayed the research and described Bashware as of low risk to organizations using Windows 10. "One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective," the company said in a statement. "Developer mode is not enabled by default."

WSL is a Windows 10 feature that gives developers a way to run Linux directly on Windows without modifications or the need for a virtual machine. Microsoft has described it as a feature that lets developers take advantage of the command-line interface to run most Linux tools, applications, and utilities directly on Windows. The feature exited beta testing in July and is now a fully supported feature on Windows 10.

Microsoft's main goal with WSL is to bring the familiar Linux Bash terminal into Windows, Vanunu says. WSL includes both user mode and kernel mode components that together enable an environment that behaves just like Linux.

At the core of WSL are containers called Pico processes that allow Linux binaries to run on Windows 10 and to make system calls directly to the Windows kernel. Pico processes have none of the characteristics of common Windows processes, though they have the same capabilities as Windows processes. This gives attackers an opportunity to hide and execute malicious ELF and EXE payloads from within WSL. Since current endpoint security tools, inspection tools, and debuggers are not designed to check Pico processes, the payloads remain undetected.

Bashware does not take advantage of any logic or implementation errors in WSL. It works because current security products simply are not designed to spot malware hidden and running in WSL. "Security products are not using today the Pico process API in order to take any prevention actions," Vanunu says.


Concerns about WSL enabling precisely such attacks have been circulating for some time. Check Point's four-step Bashware technique is designed to show how it can actually happen.

The first step involves techniques for determining if the WSL feature is enabled on a Windows 10 machine and surreptitiously loading the needed components if the feature happens to be disabled on the system.

Since WSL runs only in developer mode, the second phase of Bashware involves entering developer mode by setting the appropriate registry keys using local administrator privileges, according to the Check Point paper.

The next two steps of Bashware involve downloading and extracting the Linux file system from Microsoft servers and having Windows malware run from the Linux instance by taking advantage of an open source compatibility layer that enables Windows apps to run on Linux.

No specific settings or conditions are required on a target machine for Bashware to work, Vanunu says. "Bashware automatically sets the environment without any user interaction, hence it affects all Win10 variations."
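Microsoft's statement and the Check Point steps above agree on the preconditions: developer mode must be switched on and the WSL feature must be installed before a Linux instance can run. That gives defenders something concrete to audit. The PowerShell script below is an added example, not code from Dark Reading or from Check Point's paper; it reports whether those preconditions are present on the host it runs on, so that an administrator can flag developer mode or WSL appearing on endpoints where no Linux development is expected. The registry path and value name are the documented Windows 10 developer-mode setting, the optional-feature name is the real WSL feature name, and LxssManager is the real WSL host service; the policy logic, output format, and the `WslAllowed` switch are this example's own assumptions.

```powershell
# Added defender-side audit (not from the article or from Check Point's paper).
# Reports whether the Bashware preconditions the article describes are present:
# developer mode enabled, the WSL optional feature installed, and the WSL
# service (LxssManager) present or running. Read-only; changes nothing.

function Get-WslExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        DeveloperModeEnabled = $false
        WslFeatureEnabled    = $false
        LxssManagerPresent   = $false
        LxssManagerRunning   = $false
    }

    # Developer mode is stored as AllowDevelopmentWithoutDevLicense = 1 under
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock.
    $devKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $dev = Get-ItemProperty -Path $devKey -ErrorAction SilentlyContinue
    if ($dev -and $dev.AllowDevelopmentWithoutDevLicense -eq 1) {
        $result.DeveloperModeEnabled = $true
    }

    # WSL optional feature state (Get-WindowsOptionalFeature needs an elevated prompt).
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $result.WslFeatureEnabled = $true
    }

    # LxssManager is the Windows service that hosts WSL instances.
    $svc = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.LxssManagerPresent = $true
        $result.LxssManagerRunning = ($svc.Status -eq 'Running')
    }

    [pscustomobject]$result
}

function Test-WslPolicy {
    param(
        [Parameter(Mandatory)] $Exposure,
        # Assumption for this example: set $true on hosts that legitimately run WSL.
        [bool] $WslAllowed = $false
    )
    $findings = @()
    if ($WslAllowed) { return $findings }
    if ($Exposure.DeveloperModeEnabled) {
        $findings += 'Developer mode is enabled on a host where it is not expected'
    }
    if ($Exposure.WslFeatureEnabled) {
        $findings += 'WSL optional feature is enabled on a host where it is not expected'
    }
    if ($Exposure.LxssManagerRunning) {
        $findings += 'LxssManager service is running: a WSL instance may be active'
    }
    $findings
}

$exposure = Get-WslExposure
$exposure | Format-List
$findings = @(Test-WslPolicy -Exposure $exposure -WslAllowed $false)
if ($findings.Count -eq 0) {
    'No WSL-related exposure found on this host.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated prompt on each Windows 10 endpoint (or push it through your management tooling) and treat a finding on a non-developer machine as an investigation trigger rather than proof of compromise: the article's point is that these settings are legitimate features, so the signal is the mismatch between where WSL is enabled and where it is supposed to be.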


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...