While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.
While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."
In a blog post highlighting the Bashware problem, Check Point Research says: "We have recently found a new and alarming method that allows any known malware to bypass even the most common security solutions, such as next generation anti-viruses, inspection tools, and anti-ransomware. This technique, dubbed Bashware, leverages a new Windows 10 feature called Subsystem for Linux (WSL), which recently exited Beta and is now a fully supported Windows feature."
The researchers say that the technique is very easy to exploit, and it can be used to bypass "most of the leading anti-virus and security products on the market." It is said that the attack vector could place all 400 million computers running Windows 10 at risk.
Check Point Research has shared a video demonstrating a Bashware attack:
The steps for exploiting a system using a Bashware attack can be summarized as follows:
All of these steps are very easily achieved. But why Wine, you may ask? Check Point Research explains:
Our final goal was to show that we can run malware attacking the Windows system from the Linux instance, although malware is not designed to be cross-platform in that way. We found that Winehq project is the perfect solution for that -- a free open-source compatibility layer that allows Microsoft Windows programs to run on Unix-like operating systems. Even better -- for those unfamiliar with it -- Wine is not an emulator, but rather it translates Windows API calls into POSIX (Portable Operating System Interface), which is perfect for our needs.
This is exactly what we needed in order to make a Windows malware run from the WSL environment, turning it invisible as well. Bashware uses the Winehq project capabilities and installs a pre-optimized wine project into the WSL Linux environment.
Next, EXE formats need to be converted by Wine, turning its NT syscalls to POSIX syscalls. Later on, the Pico provider (lxcore.sys) will convert these POSIX syscalls back to NT syscalls, turning lxcore to the actual caller of this process. This way, a file running on the Windows OS can execute any known malicious payload from the Linux OS, where it remains hidden from most security products.
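The quoted explanation makes the defender's question concrete: Bashware only works on a host where the WSL optional feature is enabled, the Pico provider driver (lxcore.sys) is present, and a WSL launcher process is actually running, none of which most security tools were inspecting at the time. The following PowerShell posture check is an added example written for this article; it is not code from the article or from Check Point Research. It assumes the Windows 10 feature name Microsoft-Windows-Subsystem-Linux and the default driver location under System32\drivers, and the process names in the watch list are an assumption, not an exhaustive list.

```powershell
# Added example (not from the article or Check Point Research): a defender-side
# posture check for the WSL components that a Bashware-style attack depends on.
# Assumptions: the feature name Microsoft-Windows-Subsystem-Linux and the driver
# path System32\drivers\lxcore.sys are the Windows 10 defaults; the names in
# $WslProcessNames are an assumed watch list of WSL launcher/host processes.
# Get-WindowsOptionalFeature needs an elevated PowerShell session.

function Get-WslExposure {
    [CmdletBinding()]
    param(
        [string[]]$WslProcessNames = @('bash', 'wsl', 'wslhost')
    )

    # 1. Is the optional feature enabled at all? If not, WSL binaries cannot run.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # 2. Is the Pico provider driver (lxcore.sys, named in the article) on disk?
    $driverPath    = Join-Path $env:SystemRoot 'System32\drivers\lxcore.sys'
    $driverPresent = Test-Path -LiteralPath $driverPath

    # 3. Are any of the watched WSL launcher/host processes running right now?
    $running = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $WslProcessNames -contains $_.ProcessName } |
        Select-Object Id, ProcessName, Path

    [pscustomobject]@{
        FeatureState     = $featureState
        DriverPresent    = $driverPresent
        DriverPath       = $driverPath
        RunningProcesses = @($running)
        # WSL is available on this host AND something is using it: the condition
        # worth a closer look on a machine with no business need for WSL.
        Exposed          = (($featureState -eq 'Enabled') -or $driverPresent) -and
                           (@($running).Count -gt 0)
    }
}

# Usage from an elevated prompt:
#   Get-WslExposure | Format-List
```

Run it from an elevated prompt and feed the result into whatever inventory or SIEM pipeline you already have; on hosts with no business need for WSL, the feature can be turned off with Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux, and on hosts that do need it, the process names above are the ones to add to endpoint monitoring so that launches of the Linux shell are at least logged.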
You can read more about the Bashware technique over on the Check Point Research blog.