The Linux subsystem on Windows 10 allows malware to hide without being detected
Last year, Microsoft surprised everyone by announcing the launch of Windows Subsystem for Linux (WSL) on Windows 10, allowing the Shell command line to be put on Linux on Windows so users could run native Linux applications right on. Windows without using virtualization tools.
However, Check Point Software Technologies researchers have discovered security issues with WSL, which may allow malware designed for Linux to target Windows computers without being detected by security software. .
Researchers have created a new attack technique called Bashware that takes advantage of the WSL feature on Windows, which is now in beta and ready to be available on Windows 10 Fall Creators Update in October this year.
Bashware cannot be detected by security software
According to researchers at Check Point, Bashware may be abused by malware on Linux because Windows security tools are unable to detect this threat.
This new type of attack allows an attacker to hide the Linux malware from all security tools, including the latest software, malware detection, virus removal, extortion codes .
The reason given is that current security software for Windows is not designed to manage Linux execution processes on Windows OS. 'Existing security tools have yet to adapt to the Linux execution process running on Windows, a hybrid concept that allows Linux and Windows to run concurrently.' 'This could open the door for an attacker to run malicious code and use the functionality provided by WSL to hide themselves from security tools.'
Who is a sinner? Microsoft or security solutions?
To run Linux applications in a standalone environment, Microsoft introduced Pico Processes - a container that allows running binary ELF on Windows. During the test run, researchers can experiment with Bashware attack on 'most existing antivirus and security products' and successfully overcome them.
That's because no software monitors the Pico process, even if Microsoft has provided Pico API, a special application programming interface used by security companies to monitor such processes.
'Bashware does not use any logic or executable errors in WSL. In fact, WSL seems to be very well designed. ' 'What allows Bashware to work is because companies that provide security software are not aware because this technology is quite new.'
Bashware attacks require admin rights, is it more difficult on a PC?
Bashware requires administrative rights to access the target machine, but it is not difficult to capture administrative rights on Windows PC through phishing attacks or theft of login information.
However, these types of attacks are easily detected by security software, causing them to be blocked before Bashware can attack.
Since WSL is not turned off by default, users must turn on 'Development Mode' on their device to use it, the risk is also reduced somewhat.
Current security software cannot detect Bashware
However, researchers at Check Point also said that there is a little known fact that the developer mode can be turned on by editing some Registry Keys, which can be done silently in the background when The attacker has the right.
Bashware attack technique automates the necessary process by silently downloading WSL elements, enabling developer mode, and even downloading and extracting Linux system files from Windows servers and running malware .
No need to write separate malware
The interesting thing about Bashware is that hackers don't need to write their own malicious software for Linux to run through WSL on a Windows machine. That's because Bashware installs software called Wine inside the downloaded Ubuntu environment, then runs the Windows malicious code over it. This malicious code will then launch in Windows as a Pico process, so security software cannot be detected.
400 million computers have potential before Bashware threat
New attack techniques do not use any WSL vulnerabilities because security products do not pay attention to WSL. Because Shell Linux is available on Windows, there may be up to 400 million PCs running Windows affected. Check Point said that its software has been upgraded to combat this type of attack and recommends that other software be updated quickly.
You should read it
- Instructions for installing Windows Linux Subsystem on Windows 10
- Malicious Code EvilGnome attacks Linux systems with many rare tricks
- How to install Windows Subsystem for Linux 2 on Windows 10
- Signs that your computer is infected with malware
- Discover a new kind of malicious code that can record the phone call to extort money
- Fileless malware - Achilles heel of traditional antivirus software
- How to run Linux desktop using Windows Subsystem for Linux
- How to Enable the Windows Subsystem for Linux
May be interested
- Billions of devices are affected by the new Bluetooth attackon tuesday, researchers at armis labs published details of a new attack that they thought could potentially affect all devices that could use bluetooth.
- The attacker can pass SKEL Protection on the macOS High Sierrathe new security feature on macos high siera (10.13), named secure kernel extension loading, can be bypassed, allowing downloading of kernel kernel extensions.
- Malicious ads dig virtual money right on the browserthe author of the malicious code uses javascript code transmitted via malvertising and digs a lot of digital currency on the user's browser without them knowing.
- Ransomware 'Your Windows has been banned' extorting users with a face value of 50 USD Bitcoinrecently, the new version of ransomware 'your windows has been banned' has been reported by many websites and warned that all computers and infected users should remember that this is a scam.
- New bank trojan detection on Android Red Alertnetwork security researchers have discovered a new android banking trojan called red alert 2.0 that has been developed for the past few months and has just been launched.
- Hackers can steal data from the Air Gap network computer using Camera IR CCTVrecently, researchers from israel's ben gurion university have described several ways to get sensitive information from computers in this closed network.