Bashware: Malware Can Abuse Windows 10's Linux Shell


    Posted: 12 Sep 2017
    Bashware is the name of a new technique that allows malware to use a new Windows 10 feature called Subsystem for Linux (WSL) to bypass security software installed on an endpoint.

    The Bashware attack is invisible to current security software.

    Malware that reaches a Windows 10 PC needs admin-level access so it can enable the WSL feature, which comes disabled by default, and then turn on Windows 10 Development Mode.

    The bad news is that the Windows attack surface is plagued by many EoP (Elevation of Privilege) flaws that attackers can exploit to gain admin-level access to turn on WSL and load the necessary drivers using the DISM utility. Turning on WSL is a silent operation, requiring a single CLI command.

    Furthermore, researchers say that an attacker who has gained administrator privileges won't have any issues putting Windows 10 in Developer Mode. Attackers can achieve this by modifying a registry key and waiting for (or forcing) a user to reboot his PC.

    The service will become available on the public release, starting from the Windows 10 Fall Creators Update (FCU), scheduled for October 17.
    Read More: Bashware: Malware Can Abuse Windows 10's Linux Shell to Bypass Security Software
    Posted By: TairikuOkami, 12 Sep 2017

  1. TairikuOkami
    Posts : 4,670
    Windows Home Dev 21xxx x64
       #1
    Last edited by Brink; 14 Sep 2017 at 10:51. Reason: fixed video link

  2. TairikuOkami
    Posts : 4,670
    Windows Home Dev 21xxx x64
    Thread Starter
       #2

    Fall Upgrade is not even out yet and it is already exploitable. So much for advertised better security.

    I have started to use those tweaks thus far (to disable dev mode and to disable bash.exe):
    Code:
    Dism /Online /Disable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /Quiet /NoRestart
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\AppModelUnlock" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "bash.exe" /f

    EDIT: I have found a simpler solution. Take ownership of these keys and remove them, or remove all users; it will prevent DISM from enabling WSL.

    Code:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-Lxss-Optional-Package
    Last edited by TairikuOkami; 14 Sep 2017 at 15:07.
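    An added PowerShell audit (not code from the thread or from the Bashware researchers) that checks whether the three controls described in the post above are actually in place on a machine: the WSL optional feature state, the Developer Mode switch under AppModelUnlock (the AllowDevelopmentWithoutDevLicense value Windows writes there), and the per-user DisallowRun entry for bash.exe. It needs an elevated PowerShell on Windows 10.

```powershell
# Added audit script (not from the thread): reports the state of the three controls
# the post above describes, so a defender can verify the tweaks actually took effect.
# Run in an elevated PowerShell on Windows 10; Get-WindowsOptionalFeature needs admin.

function Get-BashwareExposure {
    # 1. Is the WSL optional feature enabled? (The post disables it with DISM.)
    $wsl = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Windows-Subsystem-Linux'
    $wslEnabled = ($wsl.State -eq 'Enabled')

    # 2. Is Developer Mode on? Turning it on writes AllowDevelopmentWithoutDevLicense=1
    #    under AppModelUnlock; the post deletes that key outright.
    $unlock = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' `
                               -ErrorAction SilentlyContinue
    $devMode = ($null -ne $unlock) -and ($unlock.AllowDevelopmentWithoutDevLicense -eq 1)

    # 3. Is bash.exe listed in the per-user DisallowRun policy the post adds?
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $disallowOn = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).DisallowRun -eq 1
    $blocked = @()
    if (Test-Path "$policy\DisallowRun") {
        # Value names are arbitrary ("8" in the post); only the data (the exe name) matters.
        $blocked = (Get-ItemProperty -Path "$policy\DisallowRun").PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
    }
    $bashBlocked = $disallowOn -and ($blocked -contains 'bash.exe')

    # All three preconditions from the article together are what the technique relies on.
    [pscustomobject]@{
        WslEnabled     = $wslEnabled
        DeveloperMode  = $devMode
        BashDisallowed = $bashBlocked
        Exposed        = $wslEnabled -and $devMode -and -not $bashBlocked
    }
}

Get-BashwareExposure | Format-List
```

    Exposed = True means WSL and Developer Mode are both on and nothing in the Explorer policy blocks bash.exe, i.e. none of the post's tweaks has been applied.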

  3. Slippery
    Posts : 272
    Win 10 pro 64 bit Vs. 20H2 Build 19042.630
       #3

    New Malware for Windows 10


    From DSLReports comes this interesting read. Windows 10’s Built-In Linux Shell Could Be Abused to Hide Malware, Researchers Say - Motherboard
    " As it stands now, {Windows Subsystem for Linux} or WSL is not turned on by default and users need to enable "development mode" on their systems in order to use it."
    This feature was added in beta with the anniversary update in 2016 and will become a fully supported feature in the fall update on or about October 17th.
    I don't know a thing about Linux so, those of you who do can give us Linux noobs the skinny.
    The one thing that stood out for me was that, so far as this article says, only Symantec has scanners that can recognize this stuff. And Kaspersky has said that they will adapt their scanners to be able to spot it.
    So, I have switched from Windows Defender back to Norton Security Suite for the time being.
    And now I'm off to make another set of backups to replace the ones I made this morning.

  4. Steve C
    Posts : 6,287
    Windows 10 Pro 64 bit
       #4

    Microsoft must know about this vulnerability, so what, if anything, are they going to do to improve security? Being an IT Luddite, I haven't yet upgraded to the CU, so I'm 'safe' so far.

  5. Spectrum
    Posts : 546
    seL4
       #5

    This isn't considered an actual security vulnerability as you are required to have admin rights to use this. The prerequisite elevation of privilege is the actual security boundary.

  6. TairikuOkami
    Posts : 4,670
    Windows Home Dev 21xxx x64
    Thread Starter
       #6

    Spectrum said:
    This isn't considered an actual security vulnerability as you are required to have admin rights to use this. The prerequisite elevation of privilege is the actual security boundary.
    Pretty much every malware requires admin rights, especially ransomware, so that is not really a problem.

  7. Spectrum
    Posts : 546
    seL4
       #7

    This is not crossing an access check at all, there is no compromise of the security guarantees windows tries to give. This is something that will be useful to attackers post exploitation, not an actual vulnerability to exploit. Once you have local admin, the security game is over.

    While I disagree with Microsoft on how they handle a number of things, such as UAC and AppLocker bypasses, I think Raymond Chen's article series is fairly fitting here:

    It rather involved being on the other side of this airtight hatchway: Invalid parameters from one security level crashing code at the same security level - The Old New Thing.

  8. yu gnomi
    Posts : 82
    10 Pro
       #8
