Have you heard of Bashware? It’s apparently a new way for malware to compromise a previously unavailable Windows 10 feature called Subsystem for Linux. The so-called Bashware can be deployed to bypass security applications on an endpoint.
Check Point researchers recently came across “a new and alarming method that allows any known malware to bypass even the most common security solutions”, including next-gen AV programs, inspection tools, and anti-ransomware tools. The malicious technique has been named Bashware and is aimed at a brand new Windows 10 feature known as Subsystem for Linux.
The WSL makes the bash terminal available for Windows users. Thanks to it, users can run Linux executables on Microsoft’s OS. Unfortunately, security solutions are still not adapted to this hybrid concept, researchers say, creating an opportunity for hackers to exploit systems and hide their malicious code.
Why Is the Bashware Attack so Dangerous and Alarming?
First of all, the exploit reveals how easy it is to manipulate the WSL feature which can be leveraged by any known malware. Check Point has tested the technique on most of the leading security products available to the public, and the results were quite distressing. In a nutshell, “Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally,” researchers claim.
Even though the attack needs admin privileges to be successfully executed on a system, it is still poses a great danger. Nonetheless, malware aiming at Microsoft’s latest operating system still requires administrative control to enable to WSL feature, as it is disabled by default. After the feature is enabled, the malware should turn on Windows 10 Development Mode.
The bad news is that the Windows attack surface is plagued by many EoP (Elevation of Privilege) flaws that attackers can exploit to gain admin-level access to turn on WSL and load the necessary drivers using the DISM utility. Turning on WSL is a silent operation, requiring a single CLI command.
Despite these technicalities, there are plenty of Elevation of Privilege vulnerabilities within Windows which doesn’t make it much harder for attackers to find their way around the WSL, researchers point out.
Bashware does not leverage any logic or implementation flaws in WSL’s design. In fact, WSL seems to be well designed. What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system, researchers conclude.