Bish, bosh, Bashware: Microsoft downplays research on WSL Win 10 'hack' threat

To be fair, it's a hard hack to pull off


Microsoft has downplayed the risks of running a Linux Bash shell command line on Windows 10 via its Windows Subsystem for Linux (WSL) feature after security researchers said the technology could help hackers smuggle malware past security scanners and onto Windows 10 machines.

Researchers at Check Point say that a potential hacking technique, which they call “Bashware,” takes advantage of the new Windows 10 feature WSL, which is now out of beta and will arrive in the Windows 10 Fall Creators Update.

Issues arise because existing security software packages have not been modified to monitor processes of Linux executables running on Windows OS.

Check Point warns that the technology introduces a way for malware to hide from security products that have not yet integrated the proper detection mechanisms. Potential attacks, none of which have yet been seen, would only be possible on machines where the feature has been switched on, which today means tech-savvy developers; that makes the whole attack vector a non-threat to general Windows 10 users.

In response to queries from El Reg, Microsoft offered a statement downplaying the significance of the attack vector.

We reviewed and assessed this to be of low risk. One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default.
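A defender can audit a fleet for exactly the preconditions Microsoft lists above. The following PowerShell is an added example, not code from the article, Microsoft or Check Point; it assumes it runs elevated, that Developer Mode is recorded under the `AppModelUnlock` registry key, that the WSL feature is named `Microsoft-Windows-Subsystem-Linux`, and that the 2017-era Linux root filesystem lives under `%LOCALAPPDATA%\lxss`.

```powershell
# Added audit script (not from the article): reports whether the preconditions
# Microsoft lists for Bashware (Developer Mode, WSL feature, Linux install)
# are present on this host. Assumptions: run as Administrator; registry value,
# feature name and rootfs path are the Windows 10 (2017) locations.

function Get-WslExposure {
    $result = [ordered]@{}

    # 1. Developer Mode: Windows 10 stores it as a DWORD under AppModelUnlock.
    $devKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $dev = Get-ItemProperty -Path $devKey -ErrorAction SilentlyContinue
    $result.DeveloperMode = [bool]($dev -and $dev.AllowDevelopmentWithoutDevLicense -eq 1)

    # 2. State of the WSL optional feature (needs elevation to query).
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    $result.WslFeature = if ($feature) { [string]$feature.State } else { 'Unknown' }

    # 3. A Linux root filesystem installed for any user profile
    #    (assumed 2017-era layout: %LOCALAPPDATA%\lxss\rootfs).
    $roots = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\lxss\rootfs' } |
        Where-Object { Test-Path $_ }
    $result.LinuxRootFs = @($roots)

    # 4. Live Linux-side processes. Assumption: WSL Pico processes show up in
    #    the Windows process list under the ELF name (e.g. bash, init), so a
    #    plain process listing already reveals them even if AV ignores them.
    $result.LiveProcesses = @(Get-Process -Name bash, init -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id)

    # Summary in the article's terms: are all of Microsoft's preconditions met?
    $result.BashwareFeasible = $result.DeveloperMode -and
        $result.WslFeature -eq 'Enabled' -and
        $result.LinuxRootFs.Count -gt 0
    [pscustomobject]$result
}

Get-WslExposure | Format-List
```

Run it from an elevated PowerShell session; on a default Windows 10 install every field should come back false, Disabled or empty.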

The WSL feature goes beyond having the Linux “Bash” shell on Windows OS. WSL contains both user mode and kernel mode components, which together create a complete compatibility layer for running an environment that looks and behaves just like Linux, without having to fire up any virtual machine.

Microsoft has implemented this by introducing so-called Pico processes – containers that allow running ELF binaries on the Windows OS. By placing unmodified Linux binaries in Pico processes, WSL enables Linux system calls to be directed into the Windows kernel.

“Bashware is a generic and cross-platform technique that uses WSL in order to allow running both ELF and EXE malicious payloads in a stealthy manner that could bypass most current security solutions,” Check Point argues in a blog post.

Although WSL is not enabled by default, the researchers reckon the technology can be switched on in the background using privilege escalation. No malware has yet been seen that abuses the method. Third-party experts reckon there are much more straightforward ways to introduce malware and describe the threat as less than credible, at least for now, while not entirely dismissing Check Point’s concerns.

Independent security consultant Kevin Beaumont commented: “The research is valid, in that adding more subsystems to Windows will increase attack surface – but I don’t see it as a credible threat yet.”

“I’ve seen no 'bashware' in the wild. That feature is new, this stuff isn’t enabled by default, setting Dev mode needs admin rights,” he added.

Potential abuse of WSL technology creates a means for malware to bypass security products, many of which have not been rejigged to look for abuse of the feature.

“Microsoft has already taken steps that should assist the security vendors to deal with the new security considerations presented by WSL, including Pico APIs that can be used by AV companies in order to monitor these types of processes,” according to Check Point.

The Israeli security firm said that it had updated its SandBlast Threat Prevention products to protect its customers from Bashware. It wants other security vendors to follow suit and modify their products, something that is yet to be rolled out in most if not all cases.


Check Point researchers tested this technique on most of the leading anti-viruses and security products in the market, successfully bypassing them all.

Dan Matthews, engineer at anti-malware Lastline, said: “While this is probably technically accurate research, it appears a bit sensationalistic.

“While WSL is out of beta, it is disabled and a base Linux OS is not installed on any Windows 10 host by default. In order for this threat to be credible, a user would need to follow several very intentional steps to enable WSL and install a Linux guest machine onto an updated Windows 10 host.

“While a small fraction of PCs may ultimately be at risk, the threat to them is still valid,” Matthews added.®

