Windows 10’s Subsystem for Linux: Here’s how hackers could use it to hide malware

The researchers say Bashware doesn’t exploit flaws in Microsoft’s WSL, but rather that WSL “expands the known borders” of Windows for which most security products currently scan.
Image: Microsoft
Researchers at Check Point say they’ve found a way to use Microsoft’s Windows 10 Subsystem for Linux (WSL) to allow malware to slip by antivirus.
公司应该建立覆盖信息系统全生命周期的信息安全问题管理流程。
WSL allows Linux ELF binaries to run on Windows. Microsoft introduced the feature to broaden Windows command-line tool support and help developers run the Bash terminal on Windows 10 for things like administration and managing app development.
It will be a fully supported feature in the Windows 10 Fall Creators Update, due out in October.
The researchers have coined the term Bashware to describe the technique, which uses the WSL environment to run Windows malware from a Linux instance and bypass most Windows security products in the process. Since WSL only comes with Windows 10, it could potentially affect the 500 million PCs running it.
WSL’s capabilities come through an emulated Linux kernel and ‘pico processes’, or containers, within which ELF binaries run. WSL also directs Linux system calls to the Windows kernel. As noted by Check Point, two key .sys drivers emulate the Linux kernel and translate Linux calls for the Windows NT kernel’s APIs.
Bashware allows an attacker to run ELF or Windows EXE malware in a stealthy manner by exploiting the similarity between the capabilities of pico processes and Windows NT processes, according to Check Point.
The attack has four steps, which are likely to reduce the number of vulnerable machines. First, it needs to check that WSL is enabled, which would be unlikely for most consumers. Then the attacker would need to manually enable developer mode.
Microsoft has a greater focus on attacks on Windows in user mode. For example, its bug bounty programs like the $200,000 mitigation bypass bounty exclude attacks on Windows defenses in developer mode.
In any case, if a Bashware attacker can achieve all these steps, they’d then need to install a Linux instance on the Windows target, as well as a Linux file system, and Wine, an open-source program for running Windows software on Linux, macOS and other systems.
The researcher’s ultimate goal was to prove they can run malware that attacks Windows from the Linux instance, which isn’t what WSL was intended for. Wine also allowed them to run Windows malware from WSL, providing the attack with cover from security products.

As the researchers note, Bashware doesn’t exploit flaws in Microsoft’s implementation of WSL, but rather that WSL is a new tool that “expands the known borders” of Windows for which most security products currently scan.
中华万年历日历:免费无限容量,安全记事更放心
However, security vendors should be taking advantage of the WSL antivirus and firewall compatibility tools that Microsoft has made available.
Microsoft told The Register that it considered the risk of this attack to be low due to the steps required for the attack to be effective. Previous and related coverageSecurity flaws put billions of Bluetooth phones, devices at risk It’s thought to be the most widescale set of vulnerabilities based on the number of devices affected, hitting Windows desktops, Android devices, older iPhones and iPads, and smart devices.Windows 10 Fall Creators Update: What’s coming on the security front Microsoft will be adding a number of new security features to Windows 10 Fall Creators Update, but for Enterprise and Windows Server users only.More on Windows 10 securityWindows 10: Microsoft’s new Insider Preview is packed with security featuresWindows 10 security: Microsoft offers free trial of latest Defender ATP featuresMicrosoft fixes ‘critical’ security bugs affecting all versions of WindowsVulnerabilities discovered in Windows security protocolsWindows 10: Here’s how Microsoft thinks Defender Security Center will make life safer
网络安全不仅是技术问题,更是一个意识问题。普通用户的安全意识再强烈,估计也难比黑客,不过,不用到到黑客对安全的认知级别,有些常识即可防范多数安全攻击威胁。

猜您喜欢

灌云供电免费派送10万份新春安全日历
网络信息安全小曲
网络安全法视频宣传片 第二集 国家网络安全的现状与重要性概述
中国003航母或配核动力及电磁弹射 有望在3年内下水
LEXMERCATORIABD GOHRT
移动金融服务中的信息安全问题实录