Windows 10’s Built-In Linux Shell Could Be Abused to Hide Malware, Researchers Say
'Bashware' is a clever new type of malware that major antivirus programs can't detect.
Microsoft surprised the technology world last year when it announced that users will be able to run native Linux applications in Windows 10 without virtualization. While this feature is meant to help developers, researchers believe it could be abused by attackers to hide malware from security products.
Researchers from security firm Check Point Software Technologies developed a technique that uses Bash, the Linux command-line interface—or shell—that's now available in Windows, to make known malware undetectable. They named the result Bashware.
"We tested this technique on most of the leading anti-viruses and security products in the market, successfully bypassing them all," Check Point researchers Gal Elbaz and Dvir Atias said in a report shared with me.
The Windows 10 feature, called the Windows Subsystem for Linux (WSL), tricks Linux applications into believing they're communicating with the Linux kernel—the core part of the operating system that includes hardware drivers and essential services. In reality, those applications communicate with the WSL, which translates their system calls into equivalents for the Windows kernel.
WSL was first announced in March 2016 and was added as a beta feature in the Windows 10 Anniversary Update, which was released in August 2016. Microsoft announced that it will become a fully supported feature in the upcoming Fall Creators Update.
"WSL seems to be well designed. What allows Bashware to operate the way it does is the lack of awareness by various security vendors"
WSL makes it easier for developers who need to write and test code both in Windows and Linux to do so without the overhead of a virtual machine. Many developers, whether they prefer Windows as their primary desktop OS or just need it for Visual Studio and other development tools, also like the simplicity of the Linux command line utilities for interacting with different programming language interpreters and component repositories.
As it stands now, WSL is not turned on by default and users need to enable "development mode" on their systems in order to use it. However, Check Point claims that its Bashware attack automates the steps needed to silently enable WSL, download the Ubuntu-based userspace environment that comes with it, and then run malware inside.
Linux programs executed through WSL will appear in Windows as "pico processes," a new type of process that is structurally different than those spawned by regular Windows applications.
During their tests, the Check Point researchers found no security products that monitor pico processes, even though Microsoft provides a special application programming interface called the Pico API that can be used to do this.
"Bashware does not leverage any logic or implementation flaws in WSL's design," the researchers wrote in their report. "In fact, WSL seems to be well designed. What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system."
This apparent lack of interest by security vendors towards WSL might be the result of a widespread belief that users need to enable the feature manually and most of them won't do it because they don't have a need for it.
"We reviewed and assessed this to be of low risk," a Microsoft spokesperson told me in an email about Check Point's technique. "One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default."
However, according to Bashware's creators, "it's a little-known fact" that entering the developer mode can be achieved by modifying a few registry keys and this can be done silently in the background by an attacker who has the right privileges.
A system reboot is indeed required under normal circumstances to enable WSL, but attackers could simply wait for victims to turn off their computers or could trigger a critical error to force a reboot, the Check Point researchers told me in an email. There might also be a way to load the WSL drivers manually without restarting the computer, but this method is still being investigated, they said.
"We see it as both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware"
What's interesting about Bashware is that attackers don't have to write malware programs for Linux in order to run them through WSL on Windows. Thanks to a program called Wine, they can use the technique to directly hide known Windows malware. In some ways, Wine is the equivalent of WSL on Linux, as it allows Linux users to run Windows programs on their systems without virtualization.
The Bashware attack installs Wine inside the downloaded Ubuntu userspace environment and then launches Windows malware through it. Thanks to WSL, those malicious programs will be spawned back into Windows as pico processes, hiding them from security software.
Check Point's Gal Elbaz and Dvir Atias are not the first security researchers to warn that attackers could abuse WSL to run malware. Reputed Windows internals expert Alex Ionescu called attention to the same risks in 2016 in talks at Black Hat USA and Microsoft's BlueHat conference. Ionescu, who is the vice president of endpoint detection and response strategy at security firm CrowdStrike, maintains a GitHub repository with his research on WSL.
To some extent Bashware builds on Ionescu's prior findings, but the technique is adapted to the current state of WSL. It shows that one year later many security vendors are still not prepared to deal with this new technology.
The good news is that in order to use Bashware, attackers need to already have administrator privileges on their victims' computers. This means they need to first compromise those systems using more traditional methods: phishing emails with malicious attachments, documents rigged with exploits for unpatched vulnerabilities, social engineering tricks, stolen administrative credentials and so on.
Gaining admin rights on Windows computers is not necessarily a hard thing to do, and attackers do it all the time. However, these extra steps give security products a chance to detect and break attack chains before Bashware can be used to hide malicious payloads.
The Check Point researchers declined to name the security products whose detection mechanisms they managed to bypass, noting that their goal is for this research to serve as a wakeup call for the entire security industry.
"We see [it] as both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware," they said in their report.
WSL is not a common attack vector and if attackers were to use it as a source of attacks, they would first need to download malware onto the targeted computer, said Adam Bromwich, senior vice president of security technology and response at Symantec. "Based on this WSL architecture, Symantec's scanners, machine learning and protection technologies are designed to scan and detect malware created using WSL."
Kaspersky Lab told me in an email it plans to modify its antivirus software to detect this type of malware in the future.
"Kaspersky Lab is aware of the possibility to create malware for Windows Subsystem for Linux (WSL) and is working on technologies to detect this type of malware on user devices," the company told me in an emailed statement. "In fact, in 2018, all Kaspersky Lab solutions for Windows will be updated with special technologies that detect behaviorally and heuristically and block any Linux and Windows threats when WSL mode is on."
Currently, all of the company's products can detect malware downloaders and other Windows-based parts of such attacks, Kaspersky Lab said.
Antivirus firm Bitdefender did not immediately respond to a request for comment. We will update this post if we hear back.
Update: This post has been updated with comment from Kaspersky, and has been updated to include more context about previous research in this area.