Bashware hacking could put 400 million Windows systems at risk

News by Rene Millman

The Bashware vulnerability allows attackers to take advantage of built-in Linux shell to bypass security software.

Up to 400 million computers running Windows 10 could be vulnerable to hacking technique that uses a feature of the operating system to bypass security software.

Dubbed Bashware, the vulnerability was found by researchers at Check Point. It works by exploiting a built-in Linux shell in Windows to enable malware to evade many security software products.

The Subsystem for Linux (WSL), is a new feature of Windows 10 that makes the popular bash terminal available for Windows OS users. It allows users to natively run Linux operating system executables on the Windows operating system.

“Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products,” said Check Point threat researchers Dvir Atias and Gal Elbaz, in a blog post.

“We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all.”

The technique does not use any flaws in the design of WSL.

“What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system,” said researchers.

“However, we believe that it is both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware.”

The researchers said that Microsoft has already taken steps that should assist the security vendors to deal with the new security considerations presented by WSL, including a Pico APIs that can be used by AV companies in order to monitor these types of processes.

“With a growing number of cyber-attacks and the frequent news headlines on database breaches, spyware and ransomware, quality security products have become a commodity in every business organisation. Consequently a lot of thought is being invested in devising an appropriate information security strategy to combat these breaches and providing the best solutions possible,” they said.

Researchers also published a video demoing a Bashware attack.

Barry Scott, CTO EMEA at Centrify, told SC Media UK that like many attacks and exploits, a user must be running with admin privileges to be at risk, as the machine needs to be set up, and software installed, beyond usual out-of-the-box configuration.

“If you're at risk of this exploit happening, your machine is already vulnerable to a wide range of attacks from malware, ransomware and so on,” he says.

"Users and administrators should never run with administrative privileges, unless they are doing a specific task that requires those privileges. This is where a solution that implements a “least-privilege” model comes in – users and administrators are assigned privileges on a temporary basis for specific tasks on specific machines, meaning that if an exploit or attack occurs during the normal run of things, it will not have the privileges to cause serious damage. When the user wants to perform a privileged task, multi-factor authentication (MFA) can also be forced to happen before the task executes, improving security even further.”

Andrew Clarke - EMEA director at one Identity, told SC Media UK that it is really valuable to see security researchers testing the boundaries of the latest Windows 10 operating system.

“Microsoft has already considered the Bashware reports and regards it to be low risk since someone would have to enable developer mode [set off by default], then install the component, reboot and install Windows subsystem for Linux in order for this to be effective. Not exactly stealth-like,” he said.

“However, it is viable that the developer mode could be turned on in the background if the attacker was able to gain privileged access to the system. This points to an underpinning factor in all interconnected systems and that is a robust privileged access management system that controls and manages privilege account access and serves to safeguard the environment,' he added.

“Potential abuse of WSL technology creates a means for malware to bypass security products, many of which have not been rejigged to look for abuse of the feature. Privileged Access Management is seen as a foundational security technology that does a great job in protecting the wide range of security systems that ultimately protect our environments."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews