Bashware: Malware Can Abuse Windows 10’s Linux Shell to Bypass Security Software

Share this…

Bashware is the name of a new technique that allows malware to use a new Windows 10 feature called Subsystem for Linux (WSL) to bypass security software installed on an endpoint.

Back in 2016, Microsoft announced WSL as a way to run a Linux shell (Bash) inside the Windows 10 operating system. This was done to appeal to the developer community who primarily uses Linux due to its ease of use when it comes to programming-related tasks.

WSL works by taking Bash commands users type in a CLI, converting the shell commands to their Windows counterparts, processing the data inside the Windows kernel, and sending back a response, to both the Bash CLI and a local Linux file system.

The WSL feature has been under development in a beta stage since March 2016, but Microsoft recently announced WSL would reach a stable release this autumn with the release of the Windows 10 Fall Creators Update, scheduled for October 17.

Bashware attack is invisible to current security software

In a report issued late last night, security researchers from Check Point have published technical details about Bashware, a technique that allows malware devs to use Windows 10’s secret Linux shell to hide malicious operations.

Researchers say that current security software, including next-gen antivirus solutions, fail to detect these operations.

This happens because all lack support for Pico processes, a new class of Windows processes that Microsoft added to handle WSL operations.

Bashware needs admin access, but that may not be a problem

The Bashware attack is not a surefire method to run malicious operations undetected on Windows. A Bashware attack, above all, requires administrator privileges.

Malware that reaches a Windows 10 PC needs admin-level access so it can enable the WSL feature, which comes disabled by default, and then turn on Windows 10 Development Mode.

The bad news is that the Windows attack surface is plagued by many EoP (Elevation of Privilege) flaws that attackers can exploit to gain admin-level access to turn on WSL and load the necessary drivers using the DISM utility. Turning on WSL is a silent operation, requiring a single CLI command.

Turning on/off Windows 10 Subsystem for Linux

Furthermore, researchers say that an attacker that has gained administrator privileges won’t have any issues to put Windows 10 in Developer Mode. Attackers can achieve this by modifying a registry key and waiting for (or force) a user to reboot his PC.

At this stage, the attacker has enabled WSL, but the Linux system install doesn’t yet exist on the user’s computer. Researchers say that tools present on the user’s system allow the attacker to silently download the Linux file system from Microsoft’s servers and complete the WSL installation.

When this process finishes, the attacker can utilize the newly installed Bash CLI to run malicious operations. Researchers say the attacker can use Linux commands to interact with Windows PCs, WSL translating everything for the attacker, but if the attacker doesn’t want to modify already existing scripts, he can install Wine — a Windows emulator for Linux.

Basically, Wine allows the attacker to execute malicious Windows commands that Wine translates to Linux commands, that WSL transforms back to Windows operations, and runs on a targeted system.

Security software will need to support Pico processes

Researchers published details about the Bashware attack, so security software vendors can research and add support for WSL and Pico processes before the release of the Windows 10 Fall Creators Update.

Technical details about the Bashware attack are available in Check Point’s report. Researchers also published a video demoing a Bashware attack.

The first security researcher to point out that WSL is an attack surface for Windows 10 was CrowdStrike’s Alex Ionescu in a talk he gave at the Black Hat Europe 2016 security conference.

Researchers that want to keep up to date with WSL development can do so via Microsoft’s WSL portal.