Tuesday, 12 September 2017 10:08

Researchers use Windows 10 Linux subsystem to run malware

By Sam Varghese

The provision of a Linux subsystem on Windows systems — a new Windows 10 feature known as Subsystem for Linux (WSL) — has made it possible to run known malware on such systems and bypass even the most common security solutions, security researchers at Check Point claim.

In a detailed blog post, researchers Gal Elbaz and Dvir Atias said they had dubbed this technique for running malware on a Windows system Bashware, Bash being the default shell on a large number of Linux distributions.

They said existing security solutions had not been adapted as yet to monitor processes of Linux executables running on Windows.

"This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms," Elbaz and Atias said.

They said they had tested infecting Windows machines running most of the leading anti-virus and security products on the market and successfully bypassed every single one.

"This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally," they wrote.

WSL is an optional component of Windows 10 and needs to be installed as administrator.

Describing the WSL feature, the researchers said that it had both user mode and kernel mode components. This created "a complete compatibility layer for running an environment that looks and behaves just like Linux, without having to fire up any virtual machine".

Microsoft had introduced what it called Pico processes – containers that allowed the running of ELF binaries on Windows.

"By placing unmodified Linux binaries in Pico processes, WSL enables Linux system calls to be directed into the Windows kernel," the pair wrote. "The lxss.sys and lxcore.sys drivers translate the Linux system calls into NT APIs and emulate the Linux kernel."

They outlined the four-stage method whereby Bashware loaded the malicious payloads, describing Bashware as "a generic and cross-platform technique that uses WSL in order to allow running both ELF and EXE malicious payloads in a stealthy manner that could bypass most current security solutions".

The pair said that Bashware did not leverage any logic or implementation flaws in WSL’s design.

"In fact, WSL seems to be well designed. What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system," they added.
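The practical question for a defender reading this is whether WSL is present on a given host at all, since the technique depends on the optional feature, its drivers and its session manager being installed. The following PowerShell audit is an added example, not code from the article or from Check Point's research; the optional-feature name, the LxssManager service name, the driver directory and the process names bash and init are assumptions about 2017-era Windows 10 builds.

```powershell
# Added example: audit a Windows 10 host for the WSL components the article
# describes, so a defender knows whether Bashware-style execution is possible.
# Assumptions (not from the article): feature name, service name, driver
# directory and the process names checked in step 4.
# Run from an elevated PowerShell prompt; Get-WindowsOptionalFeature needs it.

function Get-WslExposure {
    $result = [ordered]@{}

    # 1. Is the optional WSL feature enabled? (the article notes it needs admin to install)
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    $result.FeatureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # 2. Are the kernel-mode drivers named in the article on disk? (path assumed)
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    foreach ($drv in 'lxss.sys', 'lxcore.sys') {
        $result["Driver_$drv"] = Test-Path (Join-Path $driverDir $drv)
    }

    # 3. Is the WSL session manager service present or running? (service name assumed)
    $svc = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue
    $result.LxssManager = if ($svc) { [string]$svc.Status } else { 'NotPresent' }

    # 4. Are Linux-side processes running right now? The 'bash' launcher and the
    #    per-instance 'init' process are assumed names for builds of that era.
    $result.LinuxProcesses = @(Get-Process -Name 'bash', 'init' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ProcessName)

    [pscustomobject]$result
}

$exposure = Get-WslExposure
$exposure | Format-List

# Triage verdict for a host where WSL is not expected to be in use
if ($exposure.FeatureState -eq 'Enabled' -or $exposure.LxssManager -eq 'Running') {
    Write-Warning 'WSL is present: ELF payloads can run in Pico processes on this host.'
    Write-Warning 'Confirm your AV/EDR monitors WSL process activity, or disable the feature.'
}
```

On hosts that have no business need for WSL, the feature can be removed with Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux, which closes the execution path the article describes rather than relying on detection.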


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
