Windows 10’s Subsystem for Linux: Here’s how hackers could use it to hide malware

The researchers say Bashware doesn’t exploit flaws in Microsoft’s WSL, but rather that WSL “expands the known borders” of Windows for which most security products currently scan.
Researchers at Check Point say they’ve found a way to use Microsoft’s Windows 10 Subsystem for Linux (WSL) to allow malware to slip by antivirus.
WSL allows Linux ELF binaries to run on Windows. Microsoft introduced the feature to broaden Windows command-line tool support and to let developers run the Bash shell on Windows 10 for tasks such as system administration and managing app development.
It will be a fully supported feature in the Windows 10 Fall Creators Update, due out in October.
The researchers have coined the term Bashware for the technique, which uses the WSL environment to run Windows malware from a Linux instance and bypasses most Windows security products in the process. Since WSL ships only with Windows 10, the technique could potentially affect the 500 million PCs running that OS.
WSL does not run a real Linux kernel. Instead, ELF binaries run inside ‘pico processes’, a minimal kind of Windows NT process, and the Linux system calls they make are forwarded to the Windows kernel. As Check Point notes, two kernel drivers (lxss.sys and lxcore.sys) emulate the Linux kernel by translating those Linux calls into the Windows NT kernel’s APIs.
Bashware lets an attacker run ELF or Windows EXE malware stealthily by exploiting the fact that pico processes have nearly the same capabilities as ordinary Windows NT processes, yet most security products do not inspect them, according to Check Point.
The attack has four steps, each of which is likely to reduce the number of machines that can be hit. First, it must check whether WSL is enabled, which is unlikely on most consumer machines because the feature is off by default. Second, the attacker must enable developer mode, which is also off by default.
Microsoft’s security focus is on attacks against Windows in its default configuration. For example, its bug-bounty programs, such as the $200,000 mitigation bypass bounty, exclude attacks on Windows defenses that require developer mode to be enabled.
If a Bashware attacker gets through those steps, they then need to install a Linux instance and its file system on the Windows target, together with Wine, the open-source compatibility layer that runs Windows software on Linux, macOS and other systems.
The researchers’ ultimate goal was to prove that malware targeting Windows could be run from inside the Linux instance, something WSL was never intended for. Wine let them launch Windows malware from within WSL, and that indirection gave the attack cover from security products.
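The four prerequisites above double as a defender’s checklist. The following PowerShell script is an added example written for this article, not Check Point’s proof-of-concept or Microsoft’s tooling: it reports whether the WSL optional feature, developer mode, the LxssManager service, an installed Linux root file system and a Wine binary inside it are present on a host, and lists running processes with names that the Bashware chain would produce. The rootfs location under %LOCALAPPDATA%\lxss and the Wine paths are assumptions that match the Windows 10 builds of this period; run it from an elevated prompt, because the optional-feature query needs administrator rights.

```powershell
# Added example: a host-side check for the Bashware prerequisites described above.
# Assumed paths: %LOCALAPPDATA%\lxss\rootfs (WSL root file system of the current
# user on 2016-2017 Windows 10 builds) and usr/bin or usr/local/bin for Wine.

function Get-BashwareExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. WSL optional feature (Bashware step 1). Get-WindowsOptionalFeature needs admin.
    try {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction Stop
        $result.WslFeatureEnabled = ($feat.State -eq 'Enabled')
    } catch {
        $result.WslFeatureEnabled = $null   # unknown: not elevated, or feature not available
    }

    # 2. Developer mode (Bashware step 2): lxrun /install refuses to run unless this
    #    AppModelUnlock value is 1.
    $unlock = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' `
                               -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue
    $result.DeveloperMode = [bool]($unlock -and $unlock.AllowDevelopmentWithoutDevLicense -eq 1)

    # 3. LxssManager is the service that launches pico processes on behalf of WSL.
    $svc = Get-Service -Name LxssManager -ErrorAction SilentlyContinue
    $result.LxssManagerStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 4. A Linux root file system for the current user (Bashware step 3).
    $rootfs = Join-Path $env:LOCALAPPDATA 'lxss\rootfs'
    $result.LinuxRootfsPresent = Test-Path $rootfs

    # 5. Wine inside that rootfs (Bashware step 4). The candidate paths are assumptions;
    #    a custom Wine build could live anywhere under the rootfs.
    $wineCandidates = @('usr\bin\wine', 'usr\bin\wine64', 'usr\local\bin\wine') |
        ForEach-Object { Join-Path $rootfs $_ }
    $result.WinePresent = [bool]($wineCandidates | Where-Object { Test-Path $_ })

    # 6. Pico processes appear in the NT process list under their Linux image names,
    #    so the WSL launcher and Wine's own processes are visible even though most
    #    security products do not hook them.
    $suspect = Get-Process -Name bash, init, wine, wine64, wineserver -ErrorAction SilentlyContinue
    $result.SuspectProcesses = @($suspect | Select-Object -ExpandProperty ProcessName -Unique)

    [pscustomobject]$result
}

$exposure = Get-BashwareExposure
$exposure | Format-List

if ($exposure.WslFeatureEnabled -and $exposure.DeveloperMode -and $exposure.LinuxRootfsPresent) {
    Write-Warning 'All Bashware prerequisites are present on this host; review the suspect processes and the rootfs contents.'
}
```

A null value for WslFeatureEnabled means the script could not query the feature state (it was not run elevated), not that WSL is absent; the service and rootfs checks still work without elevation and are usually enough to tell whether a Linux instance has ever been installed for the current user.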

As the researchers note, Bashware doesn’t exploit flaws in Microsoft’s implementation of WSL, but rather that WSL is a new tool that “expands the known borders” of Windows for which most security products currently scan.
However, security vendors should be taking advantage of the WSL antivirus and firewall compatibility tools that Microsoft has made available.
Microsoft told The Register that it considered the risk of this attack to be low, given the steps required for it to be effective.

Google: There’s badness on the internet. But we’re shielding 3 billion devices from it

Over the years Google has made its interstitials — the red, full-page warnings — clearer that a site could be malicious.
Google says its online anti-malware service Safe Browsing now protects more than three billion devices.
The largely invisible service, which runs on mobile devices and in Chrome, Firefox and Safari on the desktop, now shields three billion devices from “badness on the internet”. According to Google, that is up from two billion devices in May 2016.
Google launched the service in 2007 to protect users from drive-by downloads that automatically attack computers through vulnerabilities in browsers and plugins like Flash and Java.
Its rapid expansion over the past year comes mostly from Google’s efforts to push Safe Browsing to mobile devices as well as integrating it with its major services, such as Gmail, where it protects users from malicious messages.
Since 2015, Google has been running a mobile-optimized version of Safe Browsing in Chrome on Android, which has now grown to two billion users. It also protects users of third-party apps, including Snapchat, which relies on it to check links before passing them on to users.
It probably gained an even bigger boost when Apple enabled Google’s “efficient Safe Browsing updating technology” in Safari in iOS 10 for iPads and iPhones in September 2016.

That same month, Google also started encouraging Android developers to use the Safe Browsing API in Google Play Services. The service is also integral to Google Play Protect for Android devices.
Safe Browsing also reaches more devices through third-party web developers, who can integrate it into their own web apps.
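What that third-party integration looks like, as an added example that is not Google’s code: a PowerShell script that builds a request for Google’s Safe Browsing Lookup API v4 (the threatMatches:find endpoint, per Google’s public documentation), submits it with Invoke-RestMethod, and turns the response into a URL-to-threat-type table. The environment variable SAFE_BROWSING_API_KEY, the client identifiers and the sample response are assumptions made here; the parser is exercised on a constructed response so the logic can be read without a network connection or an API key.

```powershell
# Added example: checking URLs against the Safe Browsing Lookup API v4.
# Assumed: an API key in $env:SAFE_BROWSING_API_KEY; clientId/clientVersion are
# arbitrary strings identifying the caller. The sample response is constructed.

$SafeBrowsingEndpoint = 'https://safebrowsing.googleapis.com/v4/threatMatches:find'

function New-ThreatMatchRequest {
    param([string[]]$Urls)
    # Request body for the v4 Lookup API: which threat lists to consult and the URLs to test.
    @{
        client     = @{ clientId = 'example-url-checker'; clientVersion = '1.0' }
        threatInfo = @{
            threatTypes      = @('MALWARE', 'SOCIAL_ENGINEERING', 'UNWANTED_SOFTWARE', 'POTENTIALLY_HARMFUL_APPLICATION')
            platformTypes    = @('ANY_PLATFORM')
            threatEntryTypes = @('URL')
            threatEntries    = @($Urls | ForEach-Object { @{ url = $_ } })
        }
    }
}

function ConvertFrom-ThreatMatchResponse {
    param($Response)
    # The API returns an empty object when nothing matched; otherwise 'matches' holds
    # one entry per flagged URL. Return a hashtable of url -> threatType.
    $flagged = @{}
    foreach ($m in @($Response.matches)) {
        if ($m) { $flagged[$m.threat.url] = $m.threatType }
    }
    $flagged
}

function Test-SafeBrowsingUrls {
    param([string[]]$Urls, [string]$ApiKey = $env:SAFE_BROWSING_API_KEY)
    if (-not $ApiKey) { throw 'Set SAFE_BROWSING_API_KEY (assumed variable name) to call the live API.' }
    $body = New-ThreatMatchRequest -Urls $Urls | ConvertTo-Json -Depth 6
    $resp = Invoke-RestMethod -Method Post -Uri "${SafeBrowsingEndpoint}?key=$ApiKey" `
                              -ContentType 'application/json' -Body $body
    ConvertFrom-ThreatMatchResponse -Response $resp
}

# Constructed sample response (not real data) in the shape the v4 API returns.
$sampleJson = @'
{ "matches": [ { "threatType": "MALWARE", "platformType": "ANY_PLATFORM",
                 "threatEntryType": "URL", "threat": { "url": "http://malware.example/" },
                 "cacheDuration": "300s" } ] }
'@
$parsed = ConvertFrom-ThreatMatchResponse -Response ($sampleJson | ConvertFrom-Json)
$parsed                                                        # http://malware.example/ -> MALWARE
(ConvertFrom-ThreatMatchResponse -Response ('{}' | ConvertFrom-Json)).Count   # 0: nothing flagged

# Live lookup, only when a key is configured:
# Test-SafeBrowsingUrls -Urls 'http://malware.example/', 'https://www.example.com/'
```

Two points worth noting when wiring this into a real app: the Lookup API sends the full URLs to Google, so it is the simpler but less private of the two v4 APIs (the Update API that Chrome and Safari use works on hashed prefixes instead), and a match carries a cacheDuration that callers are expected to honour rather than re-querying on every request.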
Over the years Google has expanded protections to include phishing and bad ads behind bogus browser security alerts and made its interstitials — the red, full-page warnings — clearer that a site could be malicious.
As with most of its products, Google says its research in artificial intelligence has helped improve Safe Browsing and bring it to mobile.