Bashware Attack Targets Windows System for Linux (WSL)

September 18, 2017

Microsoft introduced a compatibility layer for Windows 10 called the Windows Subsystem for Linux (WSL)—set to arrive in October 2017—that would allow Linux applications to run in Windows without the need to use virtualization. While this move made life easier for users who regularly use both Windows and Linux systems, it seems that a new technique that leverages WSL could allow attackers to bypass security solutions installed in the user’s system.  

First discovered by Check Point, this technique, dubbed as "Bashware" is able to work because many security solutions in Windows are not designed to deal with Linux malware. This discrepancy abuses what is essentially the foundation of WSL—“Pico processes”, which are containers that allow the use of Linux’s Executable and Linkable Format (ELF) binaries on the Windows 10 OS.

How does it work?

Attackers that use the Bashware technique will first load WSL components on the target system and enable developer mode. Bashware will then download and extract Linux from Microsoft’s servers. The final step in the process involves the installation of Wine, which allows Windows applications to run on UNIX-based operating systems. The attacker can then use Windows malware to infect the system, while rendering them undetectable by traditional security software by initiating them via pico processes.

How risky is it?

According to its researchers, the use of Bashware is like a very relevant threat—by using a legitimate Windows process, attackers are seemingly able to infect systems without being detected by security systems.

It should be noted, however, that there are many hurdles to get to before attackers can target systems. For Bashware to work, not only would a system administrator need to enable developer mode (which is not enabled by default), they also have to both install the component and WSL. The chances that all of these would happen is certainly low, especially given the niche user base for something like WSL.

In addition, many organizations have not yet migrated to Windows 10, as Windows 7 still represents a very large share of the enterprise operating system market. And even for organizations that use Windows 10, end users will still have to install WSL and run the processes needed for Bashware, eliminating a large amount of casual users.

Currently, Bashware is more of a Proof of Concept (PoC) than an actual threat. However, this does not mean that users can play it safe against potential threats such as this. As stated earlier, this attack works under very specific scenarios—many of which users initiate themselves.

One way to minimize the risks is to refrain from downloading and installing WSL unless its usage is actually needed. Users should also regularly update their systems as this will not only help in the event that Microsoft releases a patch that will address Bashware, it will also protect their computers from malicious threats in general.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.