1.    12 Sep 2017 #1
    Join Date : Oct 2014
    Trnava
    Posts : 2,861
    Windows 10.4 Home 1709 x64

    Bashware: Malware Can Abuse Windows 10's Linux Shell


    Bashware is the name of a new technique that allows malware to use a new Windows 10 feature called Subsystem for Linux (WSL) to bypass security software installed on an endpoint.

    Bashware attack is invisible to current security software.

    Malware that reaches a Windows 10 PC needs admin-level access so it can enable the WSL feature, which comes disabled by default, and then turn on Windows 10 Development Mode.

    The bad news is that the Windows attack surface is plagued by many EoP (Elevation of Privilege) flaws that attackers can exploit to gain admin-level access to turn on WSL and load the necessary drivers using the DISM utility. Turning on WSL is a silent operation, requiring a single CLI command.

    Furthermore, researchers say that an attacker who has gained administrator privileges won't have any issues putting Windows 10 in Developer Mode. Attackers can achieve this by modifying a registry key and waiting for (or forcing) a user to reboot his PC.

    The service will become available on the public release, starting from the Windows 10 Fall Creators Update (FCU), scheduled for October 17.
    Read More: Bashware: Malware Can Abuse Windows 10's Linux Shell to Bypass Security Software
  2.    12 Sep 2017 #2
    Join Date : Oct 2014
    Trnava
    Posts : 2,861
    Windows 10.4 Home 1709 x64
    Thread Starter
    Last edited by Brink; 14 Sep 2017 at 10:51. Reason: fixed video link
  3.    12 Sep 2017 #3
    Join Date : Oct 2014
    Trnava
    Posts : 2,861
    Windows 10.4 Home 1709 x64
    Thread Starter

    Fall Upgrade is not even out yet and it is already exploitable. So much for advertised better security.

    I have started to use those tweaks thus far (to disable dev mode and to disable bash.exe):
    Code:
    rem Turn off the WSL optional feature (no reboot is forced by /NoRestart)
    Dism /Online /Disable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /Quiet /NoRestart
    rem Remove the Developer Mode unlock key
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\AppModelUnlock" /f
    rem Enable Explorer's DisallowRun policy for the current user and list bash.exe under it
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "bash.exe" /f

    EDIT: I have found a simpler solution. Take ownership of this key and remove it, or remove all users from it; it will prevent DISM from enabling WSL.

    Code:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-Lxss-Optional-Package
    Attached thumbnail: capture_09132017_114459.jpg
    Last edited by TairikuOkami; 14 Sep 2017 at 15:07.
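As an added example, not posted in the thread: a read-only PowerShell audit that reports the two prerequisites the Bashware write-up depends on (the WSL optional feature and Developer Mode), plus the WSL service and launcher, so a defender can check a machine before or after applying the tweaks above. The feature name, the AppModelUnlock key, its AllowDevelopmentWithoutDevLicense value and the LxssManager service name are the real Windows identifiers; the function name Get-WslExposure is assumed for this example.

```powershell
# Added example (not from the thread). Read-only audit of the WSL / Developer Mode
# state on a Windows 10 host. Run from an elevated PowerShell: reading the optional
# feature state needs admin rights; the registry, service and file checks do not.

function Get-WslExposure {
    $result = [ordered]@{}

    # 1. Is the WSL optional feature enabled? State is 'Enabled' or 'Disabled'.
    try {
        $feature = Get-WindowsOptionalFeature -Online `
            -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction Stop
        $result.WslFeatureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }
    } catch {
        # Get-WindowsOptionalFeature fails without elevation; report that instead of guessing.
        $result.WslFeatureState = 'Unknown (run elevated)'
    }

    # 2. Is Developer Mode unlocked? Windows stores it as
    #    AllowDevelopmentWithoutDevLicense = 1 under the AppModelUnlock key.
    $unlockKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $devMode = (Get-ItemProperty -Path $unlockKey -Name 'AllowDevelopmentWithoutDevLicense' `
        -ErrorAction SilentlyContinue).AllowDevelopmentWithoutDevLicense
    $result.DeveloperModeOn = ($devMode -eq 1)

    # 3. Is the LxssManager service (the WSL session broker) installed, and is it running?
    $svc = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue
    $result.LxssManager = if ($svc) { [string]$svc.Status } else { 'NotPresent' }

    # 4. Is the WSL launcher present on disk?
    $result.BashExePresent = Test-Path (Join-Path $env:SystemRoot 'System32\bash.exe')

    # 5. Are any WSL launcher processes running right now?
    $result.WslProcesses = @(Get-Process -Name 'bash', 'wsl' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    [pscustomobject]$result
}

$audit = Get-WslExposure
$audit | Format-List

if ($audit.WslFeatureState -eq 'Enabled' -or $audit.DeveloperModeOn) {
    Write-Warning 'WSL and/or Developer Mode is enabled on this host; confirm that is expected.'
}
```

One caveat on the DisallowRun entries in the post above: that policy is enforced by Explorer, so it stops bash.exe being started from the shell or the Start menu but not a process that another program launches directly. Disabling the optional feature (the DISM line) is the control that actually removes the capability, and it is the first thing this audit reports.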
  4.    14 Sep 2017 #4
    Join Date : Sep 2015
    Colorado
    Posts : 163
    Windows 10 pro 64 bit/vs.1709/16299.19

    New Malware for Windows 10


    From DSLReports comes this interesting read. Windows 10’s Built-In Linux Shell Could Be Abused to Hide Malware, Researchers Say - Motherboard
    " As it stands now, {Windows Subsystem for Linux} or WSL is not turned on by default and users need to enable "development mode" on their systems in order to use it."
    This feature was added in beta with the anniversary update in 2016 and will become a fully supported feature in the fall update on or about October 17th.
    I don't know a thing about Linux, so those of you who do can give us Linux noobs the skinny.
    The one thing that stood out for me was that, so far as this article says, only Symantec has scanners that can recognize this stuff. And Kaspersky has said that they will adapt their scanners to be able to spot it.
    So, I have switched from Windows Defender back to Norton Security Suite for the time being.
    And now I'm off to make another set of backups to replace the ones I made this morning.
  5.    14 Sep 2017 #5
    Join Date : Jun 2015
    UK
    Posts : 2,081
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)

    Microsoft must know about this vulnerability so what if anything are they going to do to improve security? Being an IT Luddite, I haven't yet upgraded to the CU so I'm 'safe' so far.
  6.    14 Sep 2017 #6
    Join Date : Oct 2016
    Posts : 322
    seL4

    This isn't considered an actual security vulnerability as you are required to have admin rights to use this. The prerequisite elevation of privilege is the actual security boundary.
  7.    15 Sep 2017 #7
    Join Date : Oct 2014
    Trnava
    Posts : 2,861
    Windows 10.4 Home 1709 x64
    Thread Starter

    Quote Originally Posted by Spectrum View Post
    This isn't considered an actual security vulnerability as you are required to have admin rights to use this. The prerequisite elevation of privilege is the actual security boundary.
    Pretty much every malware requires admin rights, especially ransomware, so that is not really a problem.
  8.    15 Sep 2017 #8
    Join Date : Oct 2016
    Posts : 322
    seL4

    This is not crossing an access check at all; there is no compromise of the security guarantees Windows tries to give. This is something that will be useful to attackers post-exploitation, not an actual vulnerability to exploit. Once you have local admin, the security game is over.

    While I disagree with Microsoft on how they handle a number of things such as UAC and AppLocker bypasses, I think Raymond Chen's article series is fairly fitting here:

    It rather involved being on the other side of this airtight hatchway: Invalid parameters from one security level crashing code at the same security level (The Old New Thing).
  9.    16 Sep 2017 #9
    Join Date : Feb 2015
    Posts : 60
    10 Pro