Windows 10’s Subsystem for Linux: Here’s how hackers could use it to hide malware

Researchers at Check Point say they’ve found a way to use Microsoft’s Windows 10 Subsystem for Linux (WSL) to allow malware to slip by antivirus.
WSL allows Linux ELF binaries to run on Windows. Microsoft introduced the feature to broaden Windows command-line tool support and help developers run the Bash terminal on Windows 10 for things like administration and managing app development.
It will be a fully supported feature in the Windows 10 Fall Creators Update, due out in October.
The researchers have coined the term Bashware to describe the technique, which uses the WSL environment to run Windows malware from a Linux instance and bypass most Windows security products in the process. Since WSL only comes with Windows 10, it could potentially affect the 500 million PCs running it.
WSL’s capabilities come through an emulated Linux kernel and ‘pico processes’, or containers, within which ELF binaries run. WSL also directs Linux system calls to the Windows kernel. As noted by Check Point, two key .sys drivers emulate the Linux kernel and translate Linux calls for the Windows NT kernel’s APIs.
Bashware allows an attacker to run ELF or Windows EXE malware in a stealthy manner by exploiting the similarity between the capabilities of pico processes and Windows NT processes, according to Check Point.
The attack has four steps, which are likely to reduce the number of vulnerable machines. First, it needs to check that WSL is enabled, which would be unlikely for most consumers. Then the attacker would need to manually enable developer mode.
Microsoft has a greater focus on attacks on Windows in user mode. For example, its bug bounty programs like the $200,000 mitigation bypass bounty exclude attacks on Windows defenses in developer mode.
In any case, if a Bashware attacker can achieve all these steps, they’d then need to install a Linux instance on the Windows target, as well as a Linux file system, and Wine, an open-source program for running Windows software on Linux, macOS and other systems.
The researchers’ ultimate goal was to prove they can run malware that attacks Windows from the Linux instance, which isn’t what WSL was intended for. Wine also allowed them to run Windows malware from WSL, providing the attack with cover from security products.
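The preconditions described above can be audited from the defender's side. The PowerShell below is an added example, not code from Check Point or Microsoft; it assumes an elevated prompt, and the function name, the per-user Lxss registry location and the legacy `%LOCALAPPDATA%\lxss` folder are assumptions noted in the comments.

```powershell
# Added example: report which of the WSL preconditions named in the article
# hold on this machine. Run from an elevated PowerShell prompt.
function Get-WslExposure {
    # WSL is an optional Windows feature that has to be switched on.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    $wslEnabled = ($null -ne $feature) -and ("$($feature.State)" -eq 'Enabled')

    # Developer mode is recorded under AppModelUnlock (value 1 = on).
    $devKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $dev = Get-ItemProperty -Path $devKey -ErrorAction SilentlyContinue
    $devMode = ($null -ne $dev) -and ($dev.AllowDevelopmentWithoutDevLicense -eq 1)

    # Assumption: installed Linux instances are registered per user under the
    # Lxss key, and the original beta install lives in %LOCALAPPDATA%\lxss.
    $lxssKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
    $distros = @()
    if (Test-Path $lxssKey) {
        $distros = @(Get-ChildItem -Path $lxssKey -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DistributionName } |
            Where-Object { $_ })
    }
    $legacyInstall = Test-Path (Join-Path $env:LOCALAPPDATA 'lxss')
    $instancePresent = ($distros.Count -gt 0) -or $legacyInstall

    # Count how many of the three conditions are true on this host.
    $met = @(@($wslEnabled, $devMode, $instancePresent) | Where-Object { $_ }).Count

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WslFeatureEnabled = $wslEnabled
        DeveloperMode     = $devMode
        Distributions     = $distros -join ', '
        LegacyInstall     = $legacyInstall
        PreconditionsMet  = $met
    }
}

Get-WslExposure | Format-List
```

The per-user checks only cover the account running the script, so on shared machines it needs to run once per profile.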

As the researchers note, Bashware doesn’t exploit flaws in Microsoft’s implementation of WSL, but rather relies on the fact that WSL is a new tool that “expands the known borders” of Windows for which most security products currently scan.
However, security vendors should be taking advantage of the WSL antivirus and firewall compatibility tools that Microsoft has made available.
Microsoft told The Register that it considered the risk of this attack to be low due to the steps required for the attack to be effective.



Google: There’s badness on the internet. But we’re shielding 3 billion devices from it

Google says its online anti-malware service Safe Browsing now protects more than three billion devices.
The mostly hidden service for mobile devices and Chrome, Firefox and Safari on the desktop now protects three billion devices from “badness on the internet”. According to Google, that’s up from two billion devices in May 2016.
Google launched the service in 2007 to protect users from drive-by downloads that automatically attack computers through vulnerabilities in browsers and plugins like Flash and Java.
Its rapid expansion over the past year comes mostly from Google’s efforts to push Safe Browsing to mobile devices as well as integrating it with its major services, such as Gmail, where it protects users from malicious messages.
Since 2015, Google has been running a mobile-optimized version of Safe Browsing in Chrome on Android, which now has grown to two billion users, but it also protects users of third-party apps, including Snapchat, which relies on it to check links before sending them on to users.
It probably gained an even bigger boost when Apple enabled Google’s “efficient Safe Browsing updating technology” in Safari in iOS 10 for iPads and iPhones in September 2016.

That month it also started encouraging Android developers to use the Safe Browsing API in Google Play Services. The service is also integral to Google Play Protect for Android devices.
Another way it’s reaching more devices is via third-party web developers, who can integrate it into their web apps.
Over the years Google has expanded protections to include phishing and bad ads behind bogus browser security alerts and made its interstitials — the red, full-page warnings — clearer that a site could be malicious.
As with most of its products, Google is using its research in artificial intelligence to improve Safe Browsing.

