In a detailed blog post, researchers Gal Elbaz and Dvir Atias said they had dubbed this technique of getting malware onto a Windows system Bashware, Bash being the default shell on a large number of Linux distributions.
They said existing security solutions had not been adapted as yet to monitor processes of Linux executables running on Windows.
"This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms," Elbaz and Atias said.
"This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally," they wrote.
Regarding the bashware story doing the rounds from Checkpoint - it requires an optional feature you have to manually install via admin. pic.twitter.com/mWnvWVA4zE
— Kevin Beaumont (@GossiTheDog) 12 September 2017
WSL is an optional component of Windows 10 and needs to be installed as administrator.
Describing the WSL feature, the researchers said that it had both user mode and kernel mode components. This created "a complete compatibility layer for running an environment that looks and behaves just like Linux, without having to fire up any virtual machine".
Microsoft had introduced what it called Pico processes – containers that allowed the running of ELF binaries on Windows.
"By placing unmodified Linux binaries in Pico processes, WSL enables Linux system calls to be directed into the Windows kernel," the pair wrote. "The lxss.sys and lxcore.sys drivers translate the Linux system calls into NT APIs and emulate the Linux kernel."
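The components described above (the optional feature, the lxss.sys and lxcore.sys translation drivers, and the Bash launcher) are what an administrator can inventory to judge exposure. The following PowerShell is an added example written for this article, not code from the Check Point researchers; it assumes an elevated PowerShell 5.1 session on Windows 10, and the launcher process names it filters on (bash, wsl) are an assumed list.

```powershell
# Added example: inventory the WSL components a defender would want to know about.
# Assumes an elevated PowerShell 5.1 session on Windows 10.

function Get-WslExposure {
    [CmdletBinding()]
    param()

    # 1. Is the optional component installed? Enabling it requires administrator rights.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux'

    # 2. Are the syscall-translation drivers (lxss.sys / lxcore.sys) registered or running?
    #    Matching on the image path avoids depending on the exact service names.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'lx(ss|core)\.sys$' } |
        Select-Object Name, State, StartMode, PathName

    # 3. Are any WSL launcher processes running? The Pico processes themselves are not
    #    ordinary Win32 images, so the launchers are the visible foothold.
    #    (Process name list is an assumption, not taken from the article.)
    $procs = Get-Process -Name 'bash', 'wsl' -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path, StartTime

    [pscustomobject]@{
        FeatureState  = $feature.State
        DriversFound  = @($drivers)
        LauncherProcs = @($procs)
    }
}

$report = Get-WslExposure
$report | Format-List

# Mitigation for hosts that have no business need for WSL: remove the optional component.
# Left commented out so the script is read-only by default.
# if ($report.FeatureState -eq 'Enabled') {
#     Disable-WindowsOptionalFeature -Online `
#         -FeatureName 'Microsoft-Windows-Subsystem-Linux' -NoRestart
# }
```

A feature state of `Disabled` with no drivers and no launcher processes means the technique has no foothold on that host; any other result is a prompt to confirm the endpoint product can see processes running under WSL.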
They outlined the four-stage method whereby Bashware loaded the malicious payloads, describing Bashware as "a generic and cross-platform technique that uses WSL in order to allow running both ELF and EXE malicious payloads in a stealthy manner that could bypass most current security solutions".
The pair said that Bashware did not leverage any logic or implementation flaws in WSL’s design.
"In fact, WSL seems to be well designed. What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system," they added.