Bashware lets malware evade detection by exploiting Windows 10′ Linux Shell

Bashware Technique Can Exploit Windows Subsystem for Linux (WSL) to Hide Malware Making 400 Million Computers Vulnerable.

Security firm Checkpoint’s researchers Gal Elbaz and Dvir Atias have discovered a new attack method that allows hackers hide all the known malware and bypass even the best security solutions.

The attack technique has been dubbed as Bashware that gains control of the built-in Linux shell in Windows system and lets malware bypass the common security tools such as anti-ransomware and anti-virus software. Since Linux shell is available to Windows users, researchers fear that millions of computer systems running Windows 10 are currently at risk.

For your information, WSL or Windows Subsystem for Linux is a feature in Windows 10 that has recently been integrated into the system by Microsoft. The reason was to make it easier for developers to perform code testing in Linux and Windows. WSL currently is activated manually, but Bashware automates the process to enable WSL and execute malicious payloads stealthily.

In their blog post, researchers claimed that they have named the technique Bashware because Bash is the default shell on most Linux distributions. The currently available security solutions, as per Elbaz and Atias, are not yet adapted to track processes of Linux executable files that run on MS Windows. This allows cybercriminals to run malware without the fear of getting it detected and also use the features of WSL to hide from security software and programs because they haven’t been integrated into the proper detection mechanisms.

When they tried to infect Windows systems they were successful in bypassing the security software despite that the systems were equipped with the leading anti-virus and security products. This means Bashware is capable of affecting “any of the 400 million computers currently running Windows 10 PC globally,” read the blog post.

According to their findings, Bashware possesses both user mode and kernel mode components due to which it becomes possible to create a fully compatible layer for initiating an environment that not just appears but also functions like Linux without needing to “fire up any virtual machine.”

It is worth noticing that Microsoft released containers called Pico processes that allowed the execution of ELF binaries on Windows. When unmodified Linux binaries are placed in Pico processes, the WSL forces Linux system’s calls to be redirected into the Windows kernel. “The lxss.sys and lxcore.sys drivers translate the Linux system calls into NT APIs and emulate the Linux kernel,” wrote Elbaz and Atias.

Bashware loads the malware through a four-stage method which has been described by the researcher duo as a “generic and cross-platform” method utilizing WSL to ensure that both ELF and EXE malicious payloads are executed sneakily so that most credible security products could be bypassed. On the other hand, Bashware never leverages implementation flaws or any logic in WSL design.

WSL is quite well-designed, wrote the researchers, so what lets Bashware function in the way it has been identified is the lack of awareness within the security solutions manufacturers and the fact that this is a relatively new technology abusing Windows OS in an entirely novel manner.

“Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products,” wrote Checkpoint researchers.

With Bashware, hackers don’t need to write malicious codes for Linux and run them through WSL on MS Windows because Bashware installs software called Wine, which not just opens but also hides known Windows malware. However, to use Bashware, cybercriminals need to have the PC admin privileges on the targeted computer. This is not a big deal nowadays since hackers can easily acquire admin privileges through phishing attacks or use stolen credentials.

“We believe that it is both vital and urgent for security vendors to support this new technology to prevent threats such as the ones demonstrated by Bashware,” warned the researcher duo.

To help security vendors in dealing with this kind of attack, Microsoft has taken necessary steps already. According to Microsoft’s spokesperson, it is a low-risk issue since to use the method; hacker has to enable developer mode, install the component, reboot and install WSL, which is not an easy feat.

Watch the attack demo below

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.