Researchers at Check Point Software Technologies have developed a technique for running malware undetected on Windows 10 systems by taking advantage of the new Windows Subsystem for Linux (WSL) feature in the operating system.

Security researchers previously have expressed concerns about the potential for WSL to be misused for malicious purposes. The Check Point technique, which the developers have christened Bashware, is the first to actually demonstrate how that can happen.

"The research shows how easy it could be for a cybercriminal to take advantage of the new Windows Subsystem for Linux mechanism and enable any malware to bypass security products," says Oded Vanunu, Check Point's head of products vulnerability research.

"Most security vendors have not built protections into their solutions to block this potential exploitation path, so we are calling on the security industry to take immediate action and to modify their products to protect users against Bashware," he says.

On Wednesday, Microsoft downplayed the research and described Bashware as of low risk to organizations using Windows 10. "One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective," the company said in a statement. "Developer mode is not enabled by default.” 

WSL is a Windows 10 feature that gives developers a way to run Linux directly on Windows without modifications or the need for a virtual machine. Microsoft has described it as a feature that lets developers take advantage of the command-line interface to run most Linux tools, applications, and utilities directly on Windows. The feature exited beta testing in July and is now a fully supported feature on Windows 10.

Microsoft's main goal with WSL is to bring the familiar Linux Bash terminal into Windows, Vanunu says. WSL includes both user mode and kernel mode components that together enable an environment that behaves just like Linux.

At the core of WSL are containers called Pico processes that allow Linux binaries to run on Windows 10 and to make system calls directly to the Windows kernel. Pico processes have none of the characteristics of common Windows processes, though they have the same capabilities as Windows processes. This gives attackers an opportunity to hide and execute malicious EFE and EXE payloads from within WSL. Since current endpoint security tools, inspection tools, and debuggers are not designed to check Pico processes, the payloads remain undetected.

Bashware does not take advantage of any logic or implementation errors in WSL. It works because current security products simply are not designed to spot malware hidden and running in WSL. "Security products are not using today the Pico process API in order to take any prevention actions," Vanunu says.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Concerns about WSL enabling precisely such attacks have been floating for some time. Check Point's four-step Bashware technique is designed to show how it can actually happen.

The first step involves techniques for determining if the WSL feature is enabled on a Windows 10 machine and surreptitiously loading the needed components if the feature happens to be disabled on the system.

Since WSL runs only in developer mode, the second phase of Bashware involves entering developer mode by setting the appropriate registry keys using local administrator privileges, according to the Check Point paper.

The next two steps of Bashware involve downloading and extracting the Linux file system from Microsoft servers and having Windows malware run from the Linux instance by taking advantage of an open source compatibility layer that enables Windows apps to run on Linux.

No specific settings or conditions are required on a target machine for Bashware to work, Vanunu says. "Bashware automatically sets the environment without any user interaction, hence it affects all Win10 variations."  

Related content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.