Bish, bosh, Bashware: Microsoft downplays research on WSL Win 10 'hack' threat

Microsoft has downplayed the risks of running a Linux Bash shell command line on Windows 10 via its Windows Subsystem for Linux (WSL) feature after security researchers said the technology could help hackers smuggle malware past security scanners and onto Windows 10 machines.

Researchers at Check Point say that a potential hacking technique, which they call “Bashware,” takes advantage of the new Windows 10 feature WSL, which is now out of beta and will arrive in the Windows 10 Fall Creators Update.

Issues arise because existing security software packages have not been modified to monitor processes of Linux executables running on Windows OS.

Check Point warns that the technology introduces a way for malware to hide from security products that have not yet integrated the proper detection mechanisms. Potential attacks – as yet unknown – would only be possible against technology that only tech-savvy developers have, something that makes the whole attack vector a non-threat to general Windows 10 users.

In response to queries from El Reg, Microsoft offered a statement downplaying the significance of the attack vector.

We reviewed and assessed this to be of low risk. One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default.

The WSL feature goes beyond having the Linux “Bash” shell on Windows OS. WSL contains both user mode and kernel mode components, which together create a complete compatibility layer for running an environment that looks and behaves just like Linux, without having to fire up any virtual machine.

Microsoft has implemented this by introducing so-called Pico processes – containers that allow running ELF binaries on the Windows OS. By placing unmodified Linux binaries in Pico processes, WSL enables Linux system calls to be directed into the Windows kernel.

“Bashware is a generic and cross-platform technique that uses WSL in order to allow running both ELF and EXE malicious payloads in a stealthy manner that could bypass most current security solutions,” Check Point argues in a blog post.

Although WSL is not enabled by default, the researchers reckon the technology can be switched on in the background using privilege escalation. No malware has yet been seen that abuses the method. Third-party experts reckon there are much more straightforward ways to introduce malware, while not entirely dismissing Check Point’s concerns when describing the threat as less than credible, at least for now.

Independent security consultant Kevin Beaumont commented: “The research is valid, in that adding more subsystems to Windows will increase attack surface – but I don’t see it as a credible threat yet.”

“I’ve seen no 'bashware' in wild. That feature is new, this stuff isn’t by default enabled, setting Dev mode needs admin rights,” he added.

Potential abuse of WSL technology creates a means for malware to bypass security products, many of which have not been rejigged to look for abuse of the feature.

“Microsoft has already taken steps that should assist the security vendors to deal with the new security considerations presented by WSL, including Pico APIs that can be used by AV companies in order to monitor these types of processes,” according to Check Point.

The Israeli security firm said that it had updated its SandBlast Threat Prevention products to protect its customers from Bashware. It wants other security vendors to follow suit and modify their products, something that is yet to be rolled out in most if not all cases.

Youtube Video

Check Point researchers tested this technique on most of the leading anti-viruses and security products in the market, successfully bypassing them all.

Dan Matthews, engineer at anti-malware Lastline, said: “While this is probably technically accurate research, it appears a bit sensationalistic.

“While WSL is out of beta, it is disabled and a base Linux OS is not installed on any Windows 10 host by default. In order for this threat to be credible, a user would need to follow several very intentional steps to enable WSL and install a Linux guest machine onto an updated Windows 10 host.

“While a small fraction of PCs may ultimately be at risk, the threat to them is still valid,” Matthews added.®