The new Windows 10 feature Windows Subsystem for Linux (WSL) that implements the Linux bash terminal in Microsoft operating system could be exploited by malware to run undetected.
The feature was recently included in beta versions and it will be available for all users in the upcoming Windows 10 Fall Creators Update (FCU), set to be released by Microsoft in October 2017.
According to Because researchers with security firm Check Point, a malware designed for Linux can run undetected on Windows systems.
The new attack technique was dubbed Bashware, it allows the malicious code to evade the detection of antivirus solutions written for Windows, for this reason, it could be implemented also by Linux malware.
“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time.” reads the analysis published by Check Point. “This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”
Below a video PoC of the Bashware attack:
Security researchers have demonstrated that the Bashware attack goes undetected with most of the security solutions, it may potentially affect more of 400 million Windows systems that already run Windows 10 PC.
“Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products. We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all. This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally.” continues the analysis.
According to the experts, the risk is anyway limited because the WSL feature must be explicitly enabled by the Windows user, it is disabled by default.
Check Point also added that the WSL could be silently enabled in the background, allowing the malware to run.
Microsoft downplayed the risks to end-users because the feature is disabled by default.
(Security Affairs – Linux on Windows, Bashware)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.