Checkpoint researchers developed a proof of concept method dubbed Bashware which they claim allows any known malware to bypass most common security solutions, including next generation anti-viruses, inspection tools, and anti-ransomware.
The attack leverages a new Windows 10 feature called Subsystem for Linux (WSL), which allows native Linux ELF binaries to run on Windows, and could potentially affect nearly 400 million computers currently running Windows 10 PC globally, according to a Sept. 11 blog post.
Researchers described the exploit as a cross platform technique that uses the WSL in order to allow running both ELF an EXE malicious payloads in a stealthy manner and said the key to the technique is within the design of the Pico process structure.
The proof of concept could allow an attacker to load the malware using only four steps which include loading the WSL components, enabling developer mode, installing Linux and using Wine to translate Windows API calls into POSIX (Portable Operating System Interface).
“Although WSL has become a stable feature and many of its issues are now resolved, it seems the industry has still not adapted to the existence of this strange hybrid concept which allows a combination of Linux and Windows systems to run at the same time,” researchers said in the report. “This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”
Checkpoint researchers said existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS as the technique leverages the underlying mechanism of WSL but not everyone is convinced the vulnerability is as critical as it’s claimed to be.
While he agreed the research itself seemed to be accurate, Lastline Director of Sales Engineering Dan Mathews, said the findings appear to be a bit sensationalistic.
“While WSL is out of beta, it is disabled and a base Linux OS is not installed on any Windows 10 host by default,” Mathews said. “In order for this threat to be credible, a user would need to follow several very intentional steps to enable WSL and install a Linux guest machine onto an updated Windows 10 host.”
Mathews added that administrative privileges are required to install the optional WSL feature so it further reduces the number of those vulnerable to a small fraction of PCs.
For those who may be at risk, the threat is valid and users should ensure they have adequate zero-day protections in place such as behavior-based breach protection technology, Matthews said.