A new attack method uncovered by security researchers could help hackers hide all known malware from security products and services. Dubbed Bashware, the attack technique leverages Windows' built-in Linux shell to allow any malware to bypass most common security solutions, including next-gen anti-virus, anti-ransomware and other tools.
Given that the Linux shell is now available to Windows users, researchers at Check Point, who uncovered the attack technique, suggest that "Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally."
Check Point researchers Gal Elbaz and Dvir Atias explained in a blog, "Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products. We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all."
Windows Subsystem for Linux (WSL) is a recently added Windows 10 feature designed to make life easier for developers who test code on both Windows and Linux. Although WSL currently requires users to activate it manually, the researchers say the Bashware technique automates the steps required to surreptitiously enable WSL and run malware.
"Bashware does not leverage any logic or implementation flaws in WSL's design. In fact, WSL seems to be well-designed. What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system," Check Point researchers said.
Attackers using Bashware also don't need to write Linux malware in order to run it via WSL on Windows. Instead, Bashware installs Wine, the compatibility layer that runs Windows programs on Linux, which in turn launches and hides known Windows malware.
To use Bashware, an attacker must already hold administrator privileges on the victim's PC.
Given the recent escalation in cybercrime, though, gaining admin privileges via phishing attacks or stolen credentials is no longer all that challenging for a motivated attacker. Those preliminary attacks could, on the other hand, alert security products and stop an intrusion before Bashware can be used to hide malware.
The Check Point researchers added: "We believe that it is both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware."
Microsoft has already taken steps to help security vendors deal with such attacks. "We reviewed and assessed this to be of low risk," a Microsoft spokesperson told Motherboard about Bashware. "One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default."
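The preconditions Microsoft lists above (developer mode, the WSL component, an installed Linux distribution) are also what a defender can audit for. The following PowerShell script is an added example, not code from Check Point or Microsoft; it assumes an elevated prompt on Windows 10 and reports those preconditions, treating an enabled WSL component as a finding unless the `-WslExpected` switch (a name chosen here) says the host is sanctioned to run WSL.

```powershell
# Added defender-side audit (not part of the Check Point research or any Microsoft tool).
# Run from an elevated PowerShell prompt on Windows 10. Reports the preconditions
# Bashware relies on: developer mode, the WSL optional component, the LxssManager
# service, and the Linux distributions registered for the current user.
function Get-WslExposure {
    param(
        # Set on hosts where WSL is sanctioned (e.g. developer workstations);
        # elsewhere an enabled WSL component is reported as a finding.
        [switch]$WslExpected
    )

    # Developer mode is recorded here; AllowDevelopmentWithoutDevLicense = 1 means it is on.
    $devKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $devMode = $false
    if (Test-Path $devKey) {
        $p = Get-ItemProperty -Path $devKey -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue
        $devMode = ($null -ne $p -and $p.AllowDevelopmentWithoutDevLicense -eq 1)
    }

    # The WSL optional component (the "component" in Microsoft's statement).
    $feature    = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
    $wslEnabled = ($null -ne $feature -and $feature.State -eq 'Enabled')

    # LxssManager hosts WSL instances; if it is running, WSL is in use right now.
    $svc         = Get-Service -Name LxssManager -ErrorAction SilentlyContinue
    $lxssRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Installed distributions are registered per user under the Lxss key.
    $distros = @()
    $lxssKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss'
    if (Test-Path $lxssKey) {
        $distros = @(Get-ChildItem -Path $lxssKey |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DistributionName } |
            Where-Object { $_ })
    }

    $findings = @()
    if ($devMode) { $findings += 'Developer mode enabled' }
    if ($wslEnabled -and -not $WslExpected) { $findings += 'WSL component enabled on a host where it is not expected' }
    if ($distros.Count -gt 0 -and -not $WslExpected) { $findings += "Linux distribution(s) registered: $($distros -join ', ')" }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        DeveloperMode = $devMode
        WslFeature    = $wslEnabled
        LxssManagerUp = $lxssRunning
        Distributions = $distros
        Findings      = $findings
    }
}

Get-WslExposure | Format-List
```

The per-user Lxss key covers only the account running the script; for a fleet-wide audit, run it under each interactive user or enumerate the same key under HKEY_USERS.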
Although it remains unknown which security products Bashware was able to bypass, Motherboard reports that both Symantec and Kaspersky claim their products can detect such attacks.
"Based on this WSL architecture, Symantec's scanners, machine learning and protection technologies are designed to scan and detect malware created using WSL," said Adam Bromwich, senior vice president of Security Technology and Response at Symantec.
"Kaspersky Lab is aware of the possibility to create malware for Windows Subsystem for Linux (WSL) and is working on technologies to detect this type of malware on user devices," the firm said.
"In fact, in 2018, all Kaspersky Lab solutions for Windows will be updated with special technologies that detect behaviorally and heuristically and block any Linux and Windows threats when WSL mode is on."