Windows 10’s Subsystem for Linux: Here’s how hackers could use it to hide malware

The researchers say Bashware doesn’t exploit flaws in Microsoft’s WSL, but rather that WSL “expands the known borders” of Windows for which most security products currently scan.
Image: Microsoft
Researchers at Check Point say they’ve found a way to use Microsoft’s Windows 10 Subsystem for Linux (WSL) to allow malware to slip by antivirus.
WSL allows Linux ELF binaries to run on Windows. Microsoft introduced the feature to broaden Windows command-line tool support and help developers run the Bash terminal on Windows 10 for things like administration and managing app development.
It will be a fully supported feature in the Windows 10 Fall Creators Update, due out in October.
The researchers have coined the term Bashware to describe the technique, which uses the WSL environment to run Windows malware from a Linux instance and bypass most Windows security products in the process. Since WSL only comes with Windows 10, it could potentially affect the 500 million PCs running it.
WSL’s capabilities come through an emulated Linux kernel and ‘pico processes’, or containers, within which ELF binaries run. WSL also directs Linux system calls to the Windows kernel. As noted by Check Point, two key .sys drivers emulate the Linux kernel and translate Linux calls for the Windows NT kernel’s APIs.
Bashware allows an attacker to run ELF or Windows EXE malware in a stealthy manner by exploiting the similarity between the capabilities of pico processes and Windows NT processes, according to Check Point.
The attack has four steps, which are likely to reduce the number of vulnerable machines. First, it needs to check that WSL is enabled, which would be unlikely for most consumers. Then the attacker would need to manually enable developer mode.
Microsoft has a greater focus on attacks on Windows in user mode. For example, its bug bounty programs like the $200,000 mitigation bypass bounty exclude attacks on Windows defenses in developer mode.
In any case, if a Bashware attacker can achieve all these steps, they’d then need to install a Linux instance on the Windows target, as well as a Linux file system, and Wine, an open-source program for running Windows software on Linux, macOS and other systems.
The researcher’s ultimate goal was to prove they can run malware that attacks Windows from the Linux instance, which isn’t what WSL was intended for. Wine also allowed them to run Windows malware from WSL, providing the attack with cover from security products.

As the researchers note, Bashware doesn’t exploit flaws in Microsoft’s implementation of WSL, but rather that WSL is a new tool that “expands the known borders” of Windows for which most security products currently scan.
However, security vendors should be taking advantage of the WSL antivirus and firewall compatibility tools that Microsoft has made available.
Microsoft told The Register that it considered the risk of this attack to be low due to the steps required for the attack to be effective. Previous and related coverageSecurity flaws put billions of Bluetooth phones, devices at risk It’s thought to be the most widescale set of vulnerabilities based on the number of devices affected, hitting Windows desktops, Android devices, older iPhones and iPads, and smart devices.Windows 10 Fall Creators Update: What’s coming on the security front Microsoft will be adding a number of new security features to Windows 10 Fall Creators Update, but for Enterprise and Windows Server users only.More on Windows 10 securityWindows 10: Microsoft’s new Insider Preview is packed with security featuresWindows 10 security: Microsoft offers free trial of latest Defender ATP featuresMicrosoft fixes ‘critical’ security bugs affecting all versions of WindowsVulnerabilities discovered in Windows security protocolsWindows 10: Here’s how Microsoft thinks Defender Security Center will make life safer


网络安全法视频宣传片 第二集 国家网络安全的现状与重要性概述
中国003航母或配核动力及电磁弹射 有望在3年内下水

US Senator Jeanne Shaheen (D-NH) simply can’t wait to banish Kaspersky Lab’s antivirus from American government computers on the grounds it’s a security risk.
Her plan is to amend the nation’s latest National Defense Authorization Act, which is legislation that has to be passed each year to green-light funding and policies for the US military. It’s also a handy vehicle for sneaking pet agendas into law, each piggybacking the proposed act: there are 341 amendments on the House version of the bill already, and eight on the Senate version.
In June, Shaheen successfully lobbied the Senate Armed Services Committee to back her call to ban Kaspersky’s code from Uncle Sam’s systems. The panel duly concluded its scrutiny of the funding bill with the following recommendation, among others:
A provision that would prohibit any component of the Department of Defense from using, whether directly or through work with or on behalf of another element of the United States Government, from using any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.
And thus the Senate version of the defense funding act was updated to include the following text to rid US federal government computers of Kaspersky’s security tools by October 2018:

(a) Prohibition.—No department, agency, organization, or other element of the Department of Defense may use, whether directly or through work with or on behalf of another organization or element of the Department or another department or agency of the United States Government, any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.
(b) Severance Of Network Connections.—The Secretary of Defense shall ensure that any network connection between a department, agency, organization, or other element of the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform described in subsection (a) is immediately severed.
(c) Effective Date.—This section shall take effect on October 1, 2018.
This text has yet to be voted on by the Senate as a whole, which is due to debate the wording in the next few weeks. The provisions also have to pass the House before a finalized law can be presented to President Donald Trump to sign off. The House version of the military funding act has yet to include sanctions specifically against Kaspersky, we note.
In the meantime, Shaheen is on the offensive, drumming up support for her ban via her website and a New York Times op-ed on Tuesday.
“To close this alarming national security vulnerability, I am advancing bipartisan legislation to prohibit the federal government from using Kaspersky Lab software,” she explained.
“The Senate Armed Services Committee in June adopted my measure to prohibit the Department of Defense from using Kaspersky Lab software, to limit fallout from what I fear is already a huge breach of national security data.”
Shaheen claims Kaspersky software potentially gives Russian President Putin an “all-access pass” to the computers it is on and beams sensitive information back to Kremlin servers. Under Russian law, the software biz has a responsibility to aid its home country’s internal security agencies, she posited, and as such the code has no place on US computers.
The banishment was previously floated as a way of “countering Russian aggression,” and follows years of Kaspersky-bashing inside Congress and outside. Amid the Senate advisory committee’s deliberations, Eugene Kaspersky offered up the source code of his software for review – an offer no one in the US government has taken up.
Earlier, in May, five US spy bosses and the acting FBI chief were unanimous in saying they would not use Kaspersky software – although, like Senator Shaheen, they offered no evidence as to why. The following month the FBI raided the homes of some Kaspersky employees, but no arrests were made.
And in July the General Services Administration removed the biz from its list of government-approved purchases, severely limiting its further use. Senator Shaheen wants it banned outright.
“Kaspersky Lab doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company,” the outfit told The Register.
“The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.” ®
CyberSecurity Law Introduction 网络安全法宣传视频系列
The Joy and Pain of Buying IT – Have Your Say


网络安全法普法宣传 004《网络安全法》的突出亮点