The Bashware Attack Technique
Microsoft has been working with Linux for nearly three years, and it is now costing the system a pretty sum.
Last year, Microsoft announced the Windows Subsystem for Linux (WSL) in Windows 10, which gives users a Linux command-line shell so that native Linux applications can run on a Windows system. There is therefore no need for virtualization.
Security researchers at Check Point Software Technologies have revealed that the WSL feature can help malware intended for Linux hit Windows devices.
The researchers created a new attack mechanism called Bashware, which abuses Windows' built-in WSL feature. Check Point indicated that well-known Linux malware could make use of this Bashware mechanism, because Windows security measures are not designed to protect against such threats.
This new technique gives the attacker the possibility of hiding any Linux malware from the most widespread security solutions, such as next-generation anti-virus programs, anti-ransomware solutions, malware inspection tools, etc.
What is the matter? Is it the fault of Microsoft or of the security vendors?
Microsoft introduced so-called containers called "Pico processes", with the help of which ELF binaries run on the Windows operating system.
When testing these processes, the Check Point researchers ran the Bashware trick against the most powerful antivirus products. The result of these tests: a successful bypass of all of them.
Do the Bashware criminals need admin rights?
Yes, they do, but gaining admin privileges on Windows PCs is not a problem for attackers who are out to steal sensitive credentials and the like. A motivated hacker will go to as much trouble as necessary to hit the target.
WSL is not enabled by default, so users have to activate this mode manually; even so, the risk of being affected is growing in some respects.
Moreover, the Check Point specialists stressed a little-known point: developer mode can be activated if the attacker changes some registry keys, so it can be switched on in the background without being noticed.
The Bashware attack technique can install malware by silently activating the WSL components, which can even download and unpack the Linux file system from Microsoft's servers.
No need to develop new malware programs
What is new about Bashware? Criminals using this technique do not need to create separate Linux malware programs in order to run them through WSL on Windows PCs.
Bashware installs a program called Wine inside the downloaded user environment and then runs Windows malware inside it.
This malware takes root in Windows through the aforementioned pico processes, which help it remain unnoticed.
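As an added defender-side example (not Check Point's code and not part of the original article), the following Python scans constructed Sysmon-style process-creation lines for the staging chain described above: the registry change that enables developer mode, silent WSL installation, launch of the WSL shell, and Wine executing a Windows binary. The indicator strings (the AppModelUnlock key, lxrun.exe, bash.exe, wine) and the log format are assumptions chosen for this example, not values taken from the article.

```python
import re
from collections import OrderedDict

# Stages of the Bashware chain, each with a pattern matched against the
# Image and CommandLine of one process-creation event. The indicator names
# are assumptions for this example; tune them to your own telemetry.
STAGES = OrderedDict([
    ("developer_mode", re.compile(
        r"reg(\.exe)?\s+add\s+.*AppModelUnlock.*AllowDevelopmentWithoutDevLicense", re.I)),
    ("wsl_install", re.compile(r"\blxrun(\.exe)?\b.*\s/install\b", re.I)),
    ("wsl_shell", re.compile(r"\\bash\.exe\b", re.I)),
    ("wine_exec", re.compile(r"\bwine\b.*\.exe\b", re.I)),
])

def parse_line(line):
    """Extract Image= and CommandLine= fields from one Sysmon-style line."""
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))
    return fields.get("Image", ""), fields.get("CommandLine", "")

def scan(lines):
    """Return stages seen on the host (first-seen order) with the line index."""
    seen = OrderedDict()
    for idx, line in enumerate(lines):
        image, cmd = parse_line(line)
        text = f"{image} {cmd}"
        for stage, pattern in STAGES.items():
            if stage not in seen and pattern.search(text):
                seen[stage] = idx
    return seen

def alert_level(seen):
    """One stage alone is common admin activity; three or more is the full chain."""
    n = len(seen)
    return "none" if n == 0 else "low" if n == 1 else "medium" if n == 2 else "high"

# Constructed sample telemetry, not real logs.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\reg.exe CommandLine=reg add "
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock "
    "/v AllowDevelopmentWithoutDevLicense /t REG_DWORD /d 1 /f",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe report.txt",
    "Image=C:\\Windows\\System32\\lxrun.exe CommandLine=lxrun.exe /install /y",
    "Image=C:\\Windows\\System32\\bash.exe CommandLine=bash.exe -c "
    "\"wine /mnt/c/Users/Public/payload.exe\"",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    print(alert_level(hits), dict(hits))  # prints: high {...all four stages...}
```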
400 Million Computers are at risk of being hit by Bashware
This new attack technique does not exploit a weakness in WSL; rather, security vendors simply do not pay enough attention to WSL functionality.
Security specialists stated that, since Windows users can now make use of the Linux shell, Bashware can take root in any of the 400 million computers running Windows 10.
Check Point researchers said their company had already updated its security products to deal with such attacks. So be careful and keep your system updated and secure.