Last year, Microsoft surprised everyone by announcing the arrival of Windows Subsystem for Linux (WSL) in Windows 10, which brings the Linux command-line shell to Windows, allowing users to run native Linux applications on a Windows system without virtualization.
However, security researchers from security firm Check Point Software Technologies have discovered a potential security issue with the WSL feature that could allow malware families designed for Linux to target Windows computers, undetected by all current security software.
The researchers devised a new attack technique, dubbed Bashware, that takes advantage of Windows' built-in WSL feature, which is now out of beta and is set to arrive in the Windows 10 Fall Creators Update in October 2017.
Bashware Attack Undetectable by All Anti-Virus & Security Solutions
According to Check Point researchers, the Bashware attack technique could be abused even by a known Linux malware family, because security solutions for Windows are not designed to detect such threats.
This new attack could allow an attacker to hide any Linux malware from even the most common security solutions, including next-generation anti-virus software, malware inspection tools, anti-ransomware solutions and other tools.
"Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time," Check Point researchers say.
"This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms."
Who is the Culprit? Microsoft or Security Vendors?
In order to run the target Linux application in an isolated environment, Microsoft introduced "Pico processes"—containers that allow running of ELF binaries on the Windows operating system.
During their tests, the Check Point researchers were able to test the Bashware attack on "most of the leading antivirus and security products on the market," and successfully bypass all of them.
This is because no security product monitors Pico processes, even though Microsoft already provides the Pico API, a special application programming interface that security companies can use to monitor such processes.
"Bashware does not leverage any logic or implementation flaws in WSL's design. In fact, WSL seems to be well designed," the researchers concluded.
"What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system."
Bashware Attackers Require Admin Rights: Is That Hard on a Windows PC?
Yes, Bashware requires administrator access on the target computers, but gaining admin privileges on Windows PCs via phishing attacks and/or stolen admin credentials is not a difficult task for a motivated attacker.
However, these additional attacks could also alert antivirus and security products, subverting the attack before the actual Bashware attack can be executed to hide malware.
Since WSL is not turned on by default, and users are required to manually activate "developer mode" on their computer systems and reboot before they can use it, the risks posed by the feature are mitigated to some extent.
However, the Check Point researchers say it is a little-known fact that the developer mode can be enabled by modifying a few registry keys, which can be done silently in the background by the attackers with the right privileges.
The Bashware attack technique automates the required procedures by silently loading the WSL components, enabling developer mode, even downloading and extracting the Linux file system from Microsoft's servers, and running malware.
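The setup steps described above (enabling the WSL feature, switching on developer mode, installing the Linux file system, starting the shell) are ordinary Windows operations that host telemetry can record. As an added example, not code from the article or from Check Point, this Python correlates those traces per host within a time window; the event format, host names and artifact patterns are assumptions based on Microsoft's documented WSL tooling.

```python
import re
from datetime import datetime, timedelta

# Windows-side traces of WSL being switched on. Patterns are assumptions drawn
# from Microsoft's documented WSL tooling of the period; the article does not
# list the exact artifacts Bashware leaves.
STAGES = {
    "wsl_feature_enabled": re.compile(r"enable.*microsoft-windows-subsystem-linux", re.I),
    "developer_mode_set": re.compile(r"\\appmodelunlock\\", re.I),
    "linux_fs_install": re.compile(r"\\lxrun\.exe", re.I),
    "wsl_shell_launch": re.compile(r"\\system32\\bash\.exe", re.I),
}

def classify(detail):
    """Map a command line or registry target to a stage name, else None."""
    return next((n for n, p in STAGES.items() if p.search(detail)), None)

def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Return {host: stages} for hosts with >= threshold distinct stages in one window."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev["detail"])
        if stage:
            hits.setdefault(ev["host"], []).append((ev["time"], stage))
    alerts = {}
    for host, seq in hits.items():
        for start, _ in seq:
            seen = sorted({s for t, s in seq if timedelta(0) <= t - start <= window})
            if len(seen) >= threshold:
                alerts[host] = seen
                break
    return alerts

BASE = datetime(2017, 9, 12, 10, 0)
def ev_at(host, minute, detail):
    # Build one normalized event; "detail" is a command line or registry target.
    return {"host": host, "time": BASE + timedelta(minutes=minute), "detail": detail}

# Constructed sample telemetry: WS-01 is set up in minutes, DEV-07 over days.
SAMPLE = [
    ev_at("WS-01", 0, r"dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux"),
    ev_at("WS-01", 1, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense"),
    ev_at("WS-01", 3, r"C:\Windows\System32\lxrun.exe /install"),
    ev_at("WS-01", 6, r"C:\Windows\System32\bash.exe"),
    ev_at("DEV-07", 0, r"dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux"),
    ev_at("DEV-07", 2900, r"C:\Windows\System32\bash.exe"),
]

print(correlate(SAMPLE))
```

Only WS-01 is flagged: all four stages fall inside one ten-minute window, while DEV-07's two stages are days apart and stay below the threshold.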
No Need to Write Separate Malware Programs
What's interesting about Bashware? Hackers using Bashware are not required to write malware programs for Linux to run them through WSL on Windows computers.
This extra effort is saved by the Bashware technique, which installs a program called Wine inside the downloaded Ubuntu user-space environment, and then launches known Windows malware through it.
The malware then runs on Windows as Pico processes, which hides it from security software.
400 Million Computers Potentially Exposed to Bashware
The newly discovered attack technique does not leverage any vulnerability in the WSL implementation; it works because of the lack of interest and awareness among security vendors regarding WSL.
Since the Linux shell is now available to Windows users, researchers believe that Bashware can potentially affect any of the 400 million PCs currently running Windows 10 across the world.
Check Point researchers said their company had already upgraded its security solutions to combat such attacks and is urging other security vendors to modify and update their next-generation anti-virus and security solutions accordingly.