Windows 10’s Subsystem for Linux: Here’s how hackers could use it to hide malware

The researchers say Bashware doesn’t exploit flaws in Microsoft’s WSL, but rather that WSL “expands the known borders” of Windows for which most security products currently scan.
Image: Microsoft
Researchers at Check Point say they’ve found a way to use Microsoft’s Windows 10 Subsystem for Linux (WSL) to allow malware to slip by antivirus.
WSL allows Linux ELF binaries to run on Windows. Microsoft introduced the feature to broaden Windows command-line tool support and help developers run the Bash terminal on Windows 10 for things like administration and managing app development.
It will be a fully supported feature in the Windows 10 Fall Creators Update, due out in October.
The researchers have coined the term Bashware to describe the technique, which uses the WSL environment to run Windows malware from a Linux instance and bypass most Windows security products in the process. Since WSL only comes with Windows 10, it could potentially affect the 500 million PCs running it.
WSL’s capabilities come through an emulated Linux kernel and ‘pico processes’, or containers, within which ELF binaries run. WSL also directs Linux system calls to the Windows kernel. As noted by Check Point, two key .sys drivers emulate the Linux kernel and translate Linux calls for the Windows NT kernel’s APIs.
Bashware allows an attacker to run ELF or Windows EXE malware in a stealthy manner by exploiting the similarity between the capabilities of pico processes and Windows NT processes, according to Check Point.
The attack has four steps, which are likely to reduce the number of vulnerable machines. First, it needs to check that WSL is enabled, which would be unlikely for most consumers. Then the attacker would need to manually enable developer mode.
Microsoft has a greater focus on attacks on Windows in user mode. For example, its bug bounty programs like the $200,000 mitigation bypass bounty exclude attacks on Windows defenses in developer mode.
In any case, if a Bashware attacker can achieve all these steps, they’d then need to install a Linux instance on the Windows target, as well as a Linux file system, and Wine, an open-source program for running Windows software on Linux, macOS and other systems.
The researcher’s ultimate goal was to prove they can run malware that attacks Windows from the Linux instance, which isn’t what WSL was intended for. Wine also allowed them to run Windows malware from WSL, providing the attack with cover from security products.

As the researchers note, Bashware doesn’t exploit flaws in Microsoft’s implementation of WSL, but rather that WSL is a new tool that “expands the known borders” of Windows for which most security products currently scan.
However, security vendors should be taking advantage of the WSL antivirus and firewall compatibility tools that Microsoft has made available.
Microsoft told The Register that it considered the risk of this attack to be low due to the steps required for the attack to be effective. Previous and related coverageSecurity flaws put billions of Bluetooth phones, devices at risk It’s thought to be the most widescale set of vulnerabilities based on the number of devices affected, hitting Windows desktops, Android devices, older iPhones and iPads, and smart devices.Windows 10 Fall Creators Update: What’s coming on the security front Microsoft will be adding a number of new security features to Windows 10 Fall Creators Update, but for Enterprise and Windows Server users only.More on Windows 10 securityWindows 10: Microsoft’s new Insider Preview is packed with security featuresWindows 10 security: Microsoft offers free trial of latest Defender ATP featuresMicrosoft fixes ‘critical’ security bugs affecting all versions of WindowsVulnerabilities discovered in Windows security protocolsWindows 10: Here’s how Microsoft thinks Defender Security Center will make life safer


网络安全法视频宣传片 第二集 国家网络安全的现状与重要性概述
中国003航母或配核动力及电磁弹射 有望在3年内下水

Could CareFirst Data Breach Case Be Headed to Supreme Court?

Could the class action lawsuit filed against CareFirst Blue Cross Blue Shield after a 2014 cyberattack impacting 1.1 million individuals be the first data breach case headed to the Supreme Court? A recent ruling by a federal court makes that a possibility.
See Also: Ransomware: The Look at Future Trends
The U.S. Court of Appeals for the District of Columbia on Sept. 6 granted CareFirst’s request for a “stay” in the same court’s ruling last month that revived a class action suit against the health insurer. The “stay” allows CareFirst to file an appeal, asking the Supreme Court to review the case.
In its petition seeking the stay, ClearFirst argued that its case being heard by the Supreme Court is also important for other data breach litigation cases.
“The Supreme Court should … guide courts in sorting out the claims of truly injured victims of data breaches from those who file class actions without being able to allege that any harm is real or immediate,” the CareFirst petition notes.
“The Supreme Court needs to address this area of the law to provide more guidance to federal district and appellate courts, especially given that federal courts have struggled to reach consensus as to when the prospect of future injury resulting from stolen information truly presents a ‘substantial risk’ of actual harm.”
CareFirst did not immediately respond to an Information Security Media Group request for comment on when it plans to file an appeal to the Supreme Court.
A Longshot?
Privacy attorney Adam Greene of the law firm David Wright Tremaine is among the legal experts who are skeptical that the Supreme Court will agree to hear the case.
“This case definitely has the potential to make it to the Supreme Court, since there is not consensus on this issue among the circuit courts,” says Greene, who is not involved in the case. “But it still may be a longshot because of the limited number of cases that the Supreme Court can accept.”
Last year, the Spokeo case addressed standing to bring a claim based on whether potential harm is “concrete and particularized,” Greene notes. “It did not involve an information security breach, but was closely watched for its impact on information security breach litigation. But the court did not definitively resolve the issue of what constitutes sufficient harm to have standing to sue, so the question in CareFirst and other security breach cases remains.”

The stay puts on hold an Aug.1 ruling by the appellate court that allows plaintiffs in the CareFirst case to proceed with their punitive class action lawsuit against the insurer, which had been dismissed in 2016 by the U.S. District Court for the District of Columbia (see Appeals Court Allow CareFirst Breach Class Action Lawsuit to Proceed).
Attorney Steven Teppler of the Abbott Law Group, who is not involved in the case, says CareFirst’s effort to file an appeal to the Supreme Court “is a procedural tactic to try and get this issue resolved as soon as possible.”
Breaking the Log Jam
The recent Equifax data breach, which affected as many as 143 million individuals, will likely end up in class action litigation, some legal experts predict.
So sooner or later, Supreme Court justices will decide to review a major data breach case “and the log jam will break,” Teppler says. Companies experiencing data breaches “can’t keep dodging bullets and ruining people’s digital image.”
The August decision by the appeals court to overturn the lower court’s dismissal of the CareFirst case was in itself a significant development in breach cases, legal experts say.
That’s because the lower court’s dismissal of the lawsuit had followed a common trend in data breach litigation where most courts do not find standing to proceed without concrete, identifiable injury to plaintiffs.
The reversal was noteworthy because it could set precedent for other pending and future data breach cases.


煤炭行业周报:9月全国安全大检查影响生产 煤价跌速放缓
网络安全法动漫宣传片 002 国家网络安全的现状与重要性概述