Researchers at the security firm Check Point Software Technologies have discovered a potential security weakness in the Windows Subsystem for Linux (WSL) that allows Linux-specific malware to target Windows. To make matters worse, such malware is largely undetectable by existing Windows security solutions, which makes this a dangerous attack vector: even already known Linux malware works, because most Windows anti-malware products are not designed to detect and stop such threats.
Microsoft released the Windows Subsystem for Linux (WSL) last year with the Windows 10 Anniversary Update. The subsystem allows users to run native Linux applications on Windows without virtualization. It is a popular tool for developers because it eliminates the need for virtual machines and is interoperable with Windows.
The researchers devised a new attack technique, which they dubbed Bashware, that takes advantage of the WSL feature in Windows 10 to hide Linux malware from most security solutions. They argue that existing security software for Windows has not yet been modified to monitor the processes of Linux executables running on the Windows operating system.
“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time,” Check Point researchers say.
“This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”
To execute this attack, an attacker needs Windows administrator access, but that is not enough to stop a motivated adversary, who can obtain it through social engineering, phishing or stealing admin credentials by other means. The threat is comparable to attacks that were run on Linux systems, where attackers would install Wine to hide and run Windows malware.
About 400 million Windows 10 PCs are vulnerable to the Bashware attack. Even when Developer Mode is not enabled (it is not enabled by default), an attacker can activate it by changing a few keys in the registry and then install everything else, such as the Linux image from Microsoft's servers, in the background, with the user none the wiser. Hopefully, antivirus vendors will enhance their solutions to detect such attacks before they become common.
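Because the technique relies on Developer Mode being switched on and WSL being present, a defender can audit those indicators directly. The read-only PowerShell check below is an added example written for this page, not code from the article or from Check Point; the AppModelUnlock and Lxss registry keys and the feature name are Windows settings documented by Microsoft, while the process and service names are assumptions about what WSL components look like on a Windows 10 host.

```powershell
# Read-only audit for the WSL / Developer Mode indicators the article describes.
# Run from an elevated prompt: Get-WindowsOptionalFeature requires administrator rights.
$findings = @()

# 1. Developer Mode is stored under AppModelUnlock; Bashware needs it switched on.
$devKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
$dev = Get-ItemProperty -Path $devKey -ErrorAction SilentlyContinue
if ($dev -and $dev.AllowDevelopmentWithoutDevLicense -eq 1) {
    $findings += 'Developer Mode is enabled (AllowDevelopmentWithoutDevLicense=1)'
}

# 2. State of the WSL optional feature itself.
$feat = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Windows-Subsystem-Linux' `
        -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += 'WSL optional feature is Enabled'
}

# 3. Linux distributions installed for the current user are registered under ...\Lxss
#    (subkey layout and the DistributionName value are assumed from recent WSL builds).
$lxssKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
if (Test-Path $lxssKey) {
    $distros = Get-ChildItem $lxssKey -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).DistributionName } |
        Where-Object { $_ }
    if ($distros) { $findings += "Registered WSL distributions: $($distros -join ', ')" }
}

# 4. Live WSL activity: the LxssManager service and the launcher processes
#    (process names bash/wsl/wslhost are assumptions; adjust to your build).
$svc = Get-Service -Name LxssManager -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { $findings += 'LxssManager service is running' }
$procs = Get-Process -Name bash, wsl, wslhost -ErrorAction SilentlyContinue
if ($procs) {
    $list = ($procs | ForEach-Object { "$($_.ProcessName):$($_.Id)" }) -join ', '
    $findings += "WSL-related processes: $list"
}

# Report. On a host that has no business running WSL, any finding deserves a look.
if ($findings.Count -eq 0) { Write-Output 'No WSL / Developer Mode indicators found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Feeding the findings into an endpoint inventory or SIEM lets you flag machines where Developer Mode or WSL appeared without a corresponding change request.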
Source: The Hacker News