Slashdot Mirror


'Bashware' Attacks Exploit Windows 10's Subsystem for Linux (betanews.com)

Mark Wilson quotes BetaNews: While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."

80 comments

  1. Easy to get administrator access? by natex84 · · Score: 5, Insightful

    While administrator access is needed to execute a Bashware attack, this is fairly easily obtained

    Really? That sounds like more of a problem than some particular tool....

    1. Re: Easy to get administrator access? by Anonymous Coward · · Score: 0

      Nonsense. If they get admin access and install this tool, then they can load malware that... Gives them admin access? They could use that to get access to the admin account!

    2. Re:Easy to get administrator access? by The+MAZZTer · · Score: 5, Insightful

      Yeah, like I said on the last website that posted this story, this is a non-issue. If the attacker has local admin access, they've already pwned the system, it's game over. What they do after that point is trivial and not interesting.

    3. Re:Easy to get administrator access? by johnnys · · Score: 5, Insightful

      Yes. If you have Administrator access, you own the system. So what they are really saying is "Hey, if you already own the Windows system then you can do bad things with the Windows system!"

      So it's a meaningless and irrelevant story.

      --
      Sometimes the "writing on the wall" is blood spatter...
    4. Re: Easy to get administrator access? by Monster_user · · Score: 1

      Not entirely meaningless.

      Can drive-by downloads install the WSL, and then install something to apt-get WINE, or compile WINE on the WSL, resulting in a virus running undetected by the Windows antivirus?

      The issue here is that once it happens, there will be no way to catch it down the road. Once an id10t user gets infected, nothing will detect the infection. Only knowledgeable techs who know to remove the WSL to remove the virus.

      Can an antivirus or anti-malware system detect malware installed into the WSL? Can it detect Windows viruses running in Wine?

      It is only a non-issue if the installation can't be automated to only require a consenting id10t user.

    5. Re:Easy to get administrator access? by arglebargle_xiv · · Score: 1

      While administrator access is needed to execute a Bashware attack, this is fairly easily obtained

      Really? That sounds like more of a problem than some particular tool....

      It's a classic example of a Raymond Chen airtight hatchway attack. In order to carry out an attack with admin privs, you first need to be admin. And then a sign lights up in black on a black background telling you you've done it.

    6. Re:Easy to get administrator access? by Cognitive+Dissident · · Score: 3, Interesting

      No, it's not a non-issue, but it's a different kind of issue than most people realize. Remember the Alexis de Tocqueville Institution and the propaganda they pumped out last decade about how Linux and Open Source in general was a parasite on the tech industry, was enabling all sorts of illegal activities (such as terrorism - of course!), and attempted to publish a book claiming Linus Torvalds didn't really invent the Linux kernel? Microsoft was (and still is!) a major funder of this propaganda mill.

      Think about the possible implications of a story like this: Could it generate calls to change the way the Linux kernel and programs that run under it are written? And now MS have their hooks sunk deeply into the kernel dev team. The SCO gambit (also funded by MS) failed, spectacularly. And the Astroturf de Tocqueville gambit failed, though not quite as spectacularly. And now we have MS "cooperating" in the development of Linux. And up pops a story that may justify an overhaul of Linux to make it controllable by MS Windows. Well, surprise, surprise! This "change of attitude" by MS is looking more and more like a subtler strategy to seize control of Linux rather than outright destroy it.

    7. Re:Easy to get administrator access? by mysidia · · Score: 1

      I believe the concern is the Subsystem for Linux can work something like some cornfields or an underground labyrinth inside the castle walls, where an invading army or a few soldiers that successfully scaled the walls and gained Administrator can secretly retreat soldiers to, and hide out in, and the normal security protocols will never be able to root out all the enemies hiding in the underground maze that has secret passages going out to the treasury and all the critical areas of the kingdom.

      IOW, the Subsystem for Linux can be an attacker beach-head outside the reach of the conventional security software, because Windows AV are designed to scan for Windows threats, but they don't know about scripting languages like Bash, Ruby, Python, or the WSL.

    8. Re:Easy to get administrator access? by TheDarkener · · Score: 1

      It's pretty easy to get administrator access in Windows, yes. Many environments require normal domain users to be 'local administrators' of their machine to perform seemingly normal, day to day tasks.

      --
      It is pitch black. You are likely to be eaten by a grue.
    9. Re: Easy to get administrator access? by Anonymous Coward · · Score: 0

      Well, the idiot was created by a bunch of "knowledgeable" idiots claiming that the masses did not need to know anything about basic computer security practices and that it should all be done for them. So I have little sympathy for them, but...

      Most of those "knowledgeable" idiots will not remove the virus. They will instead claim: "Your computer is infected, so you need to buy a new one / pay us to reformat it and lose all of your data not being monetized in the MS / Google / Facebook / Whatever cloud." So this is a non-issue.

      People don't "remove" viruses anymore. They are extremely complex and numerous. Making sure that any specific individual virus is removed from a system is a daunting and time consuming task, that is avoided entirely by a reformat / factory reset. The only people who do are researchers or those with the money, time, and need to do so.

      You will get a virus eventually. The real question is: What mitigations do you have in place to prolong the inevitable?

      *BTW Removing the Windows Subsystem for Linux wouldn't remove any competent virus. Especially if it needs Windows API support. It would use WSL to chainload the real payload.

      BTW: Most of WINE's critical bits will not compile on a non-POSIX system. (It's a desire of the WINE devs, but it hasn't been implemented yet, and it's been a desire for years.) Even if it did, a downloaded Windows API will not suddenly give control over the system. It still has to go through the host's API, which means at best you'll gain control over the downloaded API, and WINE runs in userland. So the host's kernel is still safe, a bunch of hard disk space has been overwritten and used up (less "deleted" private data to slurp up), and you haven't really gained anything useful considering you could already execute arbitrary commands. (Oh! We can now use our downloaded API to run Windows Executables on a Windows Machine!!!!....Yay?)

      Also, most of those drive by downloads that auto execute crap are either zero days, or new functionality. They also get patched pretty quickly due to their rate of infection, but you'd need to couple some privilege escalation exploit with it to install / enable anything like a new API layer. Which would render the need to install a new API useless for taking over the system as you already had control. (Unless you just wanted to run some other tool that's incompatible with the enabled APIs on the target.)

    10. Re:Easy to get administrator access? by Anonymous Coward · · Score: 0

      Nothing you said makes any sense.

      If you have admin access, then yes, you can generate calls to change the way the kernel runs, that's what admin access is -- but you can't do that to the Linux kernel, because there isn't a Linux kernel in this story, there is the Windows kernel that is running the subsystem for Linux.

      It's clear you don't understand what you're talking about at a technical level.

      Microsoft was (and still is!) a major funder of this propaganda mill.

      Bullshit, that organization ceased operation a decade ago and Microsoft backed it for 5 years, not "still is" funding it (https://en.wikipedia.org/wiki/Alexis_de_Tocqueville_Institution). It's clear that you are a liar.

      I'm not interested in defending just about anything regarding a conservative think-tank, but nothing about that organization you're citing has any obvious relevance to this story, anyway. If the cites I see about it are true (I'm short on primary sources, but honestly, I didn't look very hard), it was ridiculous, in basically the exact same way you're being ridiculous, by mixing a complete disregard for facts with a confident ignorance for technical details.

      You are proposing something like this:

      1. Microsoft "seizes control of Linux"
      2. ?????
      3. Microsoft profits

      You need to fill in the blanks for #2, and that's where rational debate can occur. Right now, it looks like your argument is:

      1. Microsoft is evil.
      2. Seizing control of Linux is evil.
      3. Therefore Microsoft is seizing control of Linux.

    11. Re: Easy to get administrator access? by Monster_user · · Score: 1

      The biggest threat is probably from botnets. Any malware that needs access to anything outside the WSL risks its ability to evade detection.

    12. Re:Easy to get administrator access? by Greyfox · · Score: 2

      I'm pretty sure if you popped up a dialog that said something to the effect of "Can we have administrator access so we can install a botnet on your computer and steal your identity?" a surprising number of people would reflexively click OK. That'd be an interesting study to do, come to think of it.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    13. Re:Easy to get administrator access? by Anonymous Coward · · Score: 0

      we have systemd already. No need for m$ to fuck anything up on top of that.

  2. Average Joe? or Linux Admins? by Monster_user · · Score: 1

    So Windows has a Linux subsystem.

    Does that mean all copies of the Windows 10 operating system are vulnerable? Meaning grandma or bubba and their propensity to give everything and its kid brother root access?

    Or are we just talking about systems being administered by Linux admins, where root access by an untrusted application carries this risk implicitly?

    1. Re:Average Joe? or Linux Admins? by hackwrench · · Score: 1

      It's an optional component like IIS.

    2. Re:Average Joe? or Linux Admins? by Tablizer · · Score: 1

      Now we get all the holes of Windows AND Linux in one OS. Jeenius!

    3. Re:Average Joe? or Linux Admins? by Zero__Kelvin · · Score: 1

      The WSL must be installed. It does not exist in a default install. For 32 bit systems it isn't available at all. In the end though this is not a vulnerability any more than most of the "vulnerabilities" you see these "researchers" finding on Linux systems. It is the classic "OMFG if you have admin / root / ring0 privs then you can do things!" Chicken Little cry.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: Average Joe? or Linux Admins? by Monster_user · · Score: 1

      The issue isn't in the install vector (typical user clicking "yes" to every UAC prompt). It is that no existing anti-malware utilities will automatically catch and remove the malware. This is a serious risk.

    5. Re:Average Joe? or Linux Admins? by K.+S.+Kyosuke · · Score: 1

      And thank space for that; the average Joe doesn't want no ISIS in his computer!

      --
      Ezekiel 23:20
    6. Re: Average Joe? or Linux Admins? by Zero__Kelvin · · Score: 1

      Why wouldn't they be able to catch it? Surely you don't think they work by waiting until the virus runs and has already done its damage?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re: Average Joe? or Linux Admins? by Monster_user · · Score: 1

      I'm going off the OP, which references it being disguised from anti-malware applications.

      "that makes it possible for malware to use the Linux shell to bypass security software."

      So, neither definitions, nor AI, nor heuristics would detect something not running natively on the OS. May as well be running in a virtual machine.

    8. Re: Average Joe? or Linux Admins? by Zero__Kelvin · · Score: 1

      OK. Reality check time. First, the following: "It is said that the attack vector could place all 400 million computers running Windows 10 at risk." So we immediately know that these people are disingenuous at best, since no 32 bit system can even run WSL, most 64 bit systems won't have it, and detecting attempts to install it outside the normal manual channel is trivial.

      Next, the exploit example requires you to install WINE, (which they misspell as Wine), so suddenly they sound quite foolish indeed don't they?

      Finally, we get to the real reason they are sounding alarms so loudly when it is much ado about nothing: "Following this discovery, we updated our SandBlast Threat Prevention solutions, to protect our customers from Bashware."

      As to your remark that it May as well be running in a virtual machine, that is simply wrong. In order for the malware to infect the system it has to pass through the Windows system in order to get to the WSL subsystem, at which point it could be detected. They say they created examples that weren't detected. No shit Sherlock. New viruses aren't detected all the time that don't use the WSL. That's why they have definition updates. This is much ado about nothing, designed to leverage ignorance and sell a product. Nothing more.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re: Average Joe? or Linux Admins? by Monster_user · · Score: 1

      Point about definition updates preventing the malware from infecting hosts after the definitions have been created and pushed out to clients. Which just means the spread will be limited, and old variants will not be a threat.

      I won't concede that it is much ado about nothing.

    10. Re: Average Joe? or Linux Admins? by Zero__Kelvin · · Score: 1

      I'm OK with you thinking it is a major issue. Everybody has the right to be wrong :-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re: Average Joe? or Linux Admins? by Monster_user · · Score: 1

      This is an exploit waiting to be used. I could see botnets taking advantage of this exploit for quite some time. Windows 10 is already slow anyway,... And this is on a Surface Pro 4.

    12. Re: Average Joe? or Linux Admins? by Zero__Kelvin · · Score: 1

      Windows has always been one big exploit waiting to be used. Ones that require admin access are NOT the low hanging fruit.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re: Average Joe? or Linux Admins? by Monster_user · · Score: 1

      Ones that require admin access have been offset by an antivirus.

      From a Google, it does appear that the Lxss/WSL file system can be scanned by a Windows antivirus scanner for signatures of known viruses.
      %localappdata%\Lxss\rootfs
      There appears to be risk when removing or quarantining files located within the WSL. So an antivirus may be able to detect, but not remove known virus signatures. Not sure that qualifies as remaining undetected as the OP suggests.
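
A defender-side check of the three points raised in the comment above (feature state, rootfs location readable from Windows, WSL processes currently running), as an added PowerShell example that is not from the thread or any vendor. It assumes Windows PowerShell 5.1 run from an elevated prompt, the legacy %localappdata%\lxss\rootfs layout the comment quotes, and the launcher/pico process names bash, wsl and init.

```powershell
# Added example, not from the thread: inventory WSL on a Windows 10 host so an
# operator can tell whether a Windows-side scanner has anything to look at.
# Assumptions: Windows PowerShell 5.1, run elevated (Get-WindowsOptionalFeature
# needs it); legacy rootfs path and process names as quoted in the thread.

function Test-ElfHeader {
    # Returns $true when the file starts with the ELF magic 0x7F 'E' 'L' 'F'.
    # Linux binaries carry no .exe suffix, so extension-based scanning misses
    # them; the magic bytes are what a scanner inside the rootfs must key on.
    param([Parameter(Mandatory)][string]$Path)
    $buf = New-Object byte[] 4
    $fs = $null
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $n = $fs.Read($buf, 0, 4)
    } catch {
        return $false   # unreadable (reparse point, locked) counts as "not ELF"
    } finally {
        if ($fs) { $fs.Dispose() }
    }
    return ($n -eq 4 -and $buf[0] -eq 0x7F -and $buf[1] -eq 0x45 -and
            $buf[2] -eq 0x4C -and $buf[3] -eq 0x46)
}

function Get-WslInventory {
    [CmdletBinding()]
    param(
        # Legacy rootfs location quoted in the thread; override for other layouts.
        [string]$RootFs = (Join-Path $env:LOCALAPPDATA 'lxss\rootfs'),
        # Launcher (bash.exe) plus Linux pico processes visible in the NT process list.
        [string[]]$ProcessNames = @('bash', 'wsl', 'init')
    )

    # 1. Feature state: absent or Disabled on default and 32-bit installs.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'NotAvailable' }

    # 2. Rootfs reachable from Windows? If so, count ELF binaries in /usr/bin so the
    #    operator can confirm a Windows-side scanner would actually see Linux code.
    $rootFsPresent = Test-Path -LiteralPath $RootFs
    $elfCount = 0
    if ($rootFsPresent) {
        $usrBin = Join-Path $RootFs 'usr\bin'
        if (Test-Path -LiteralPath $usrBin) {
            $elfCount = @(Get-ChildItem -LiteralPath $usrBin -File -Force -ErrorAction SilentlyContinue |
                Where-Object { Test-ElfHeader -Path $_.FullName }).Count
        }
    }

    # 3. Anything WSL-related running right now?
    $running = @(Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ProcessName -Unique)

    [pscustomobject]@{
        FeatureState  = $featureState
        RootFsPath    = $RootFs
        RootFsPresent = $rootFsPresent
        ElfBinaries   = $elfCount
        WslProcesses  = $running
        # Reading is safe; deleting or quarantining from the Windows side is what
        # the comment warns about, so remediation belongs inside WSL.
        Note          = 'Scan read-only from Windows; remediate from inside WSL or by removing the distro.'
    }
}

Get-WslInventory | Format-List
```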

    14. Re: Average Joe? or Linux Admins? by gravewax · · Score: 1

      I can't see how this can be a serious risk, the people installing WSL to start with are a fraction of a fraction of the user base. Most people installing it aren't going to be your average users that install and accept any prompt. So realistically the install base is going to be so tiny and most of that base knows what they are doing so it won't be worth trying to even target.

    15. Re: Average Joe? or Linux Admins? by Anonymous Coward · · Score: 0

      how the fuck is it an exploit waiting to be used when more than 99% of machines won't even be running the required WSL to even make it work. what sort of retard would try and target a tiny population to create a botnet?

    16. Re: Average Joe? or Linux Admins? by Monster_user · · Score: 1

      Those running WSL would not likely be vulnerable to such an exploit. They wouldn't need WINE, nor whatever a Trojan Horse would be disguised as.

      The ones who would be vulnerable are the ones who have no idea what WSL is. The ones who would click "Yes" to a UAC prompt on a Trojan Horse, and then install a botnet which couldn't be detected by an antivirus.

      Though, from what I've just read today, signatures and definitions should be able to run against "%localappdata%\lxss\", and detect it that way. A Windows antivirus can't remove it from the file system, but it should be able to detect it.

    17. Re: Average Joe? or Linux Admins? by Monster_user · · Score: 1

      An antivirus to detect infections is key to keeping infected machines under control.

      Malware which can evade detection is a serious threat.

      Most infections of this sort boil down to a user clicking "Yes" on every UAC prompt they get. The antivirus compensates for this weakness in security, but only if it can detect an infection. Though I now believe that these infections can be detected by a Windows based antivirus solution.

    18. Re:Average Joe? or Linux Admins? by Anonymous Coward · · Score: 0

      Keep it in space, where it belongs.

  3. Too late by jabberw0k · · Score: 2, Funny

    Windows 10 itself is malware, isn't it?

    1. Re:Too late by K.+S.+Kyosuke · · Score: 1

      You're too late bashing Windows 10; Microsoft apparently already bashed them.

      --
      Ezekiel 23:20
  4. Question ? by Alain+Williams · · Score: 1

    Why is bashware not a problem on a Linux system? After all: if all that Windows Subsystem for Linux does is to provide Linux functionality then you would expect the same malware to also have been a problem on native Linux systems.

    1. Re: Question ? by Monster_user · · Score: 1

      Linux users are expected to be more knowledgeable. You grant root access to malware or a rootkit, and it's your problem. Microsoft Windows is marketed towards masses of naive idiots. They have no clue, and unleash botnets on the rest of the world. So if we can't protect them from themselves, we have a problem. If an antivirus can't remove an infection, nor even detect it, we have a problem.

    2. Re:Question ? by Anonymous Coward · · Score: 0

      A WSL user is starting out as the root on the Linux subsystem, which is equivalent to the current user rights on the Windows side. So it may take a privilege escalation on the Windows side and if Microsoft's mitigations fail to prevent an issue from being exploited, the security package might as well in this case.

    3. Re: Question ? by nashv · · Score: 1

      The masses are not enabling Windows Subsystems for Linux either. If someone is, they are supposed to know what they are doing.

      --
      Entia non sunt multiplicanda praeter necessitatem.
    4. Re: Question ? by Monster_user · · Score: 1

      The malware they installed to get emoticons installed WSL. So their Avast or AVG or Kaspersky isn't picking up the WSL botnet infection running on Wine.

    5. Re:Question ? by PPH · · Score: 1

      Completely different security philosophies. Windows depends too much on 'trusted' executables to prevent bad things. And they attach Admin rights to a subset of normal users. So if a user with admin privileges happens to run an evil command accidentally, too bad. *NIX controls access to privileged functions in the OS. And treats root (admin) as a separate user. Even if you write an 'evil' executable, a normal user can only do limited damage (usually to their own files) when running it. And you just don't go around running as root except for special circumstances.

      --
      Have gnu, will travel.
    6. Re: Question ? by Anonymous Coward · · Score: 0

      That's like saying the software used to install emoticons will install IIS internet information services which then will install trojans.

      Why not attach a payload to the emoticons software?

    7. Re: Question ? by Monster_user · · Score: 1

      Because by attaching it to WSL, they can continue to avoid detection AFTER the infection. Even AFTER antivirus definitions are updated.

    8. Re: Question ? by Anonymous Coward · · Score: 0

      They are already admin/root access, they can simply disable any AV software anyway. This is a stupid article, once you are admin there are far simpler and more reliable ways to maintain your root level access that can be hidden from AV and admins.

    9. Re:Question ? by Anonymous Coward · · Score: 0

      bullshit, you are showing complete ignorance of NT kernel, it doesn't rely on trusted executables at all, it may have checks on executables to verify them but it actually relies on privileged access rings to determine rights to functions, for better or worse it actually has a far more fine grained privilege model than *NIX.

    10. Re: Question ? by Monster_user · · Score: 1

      Since Vista, antivirus applications have been more tightly integrated with the OS to mitigate viruses which have admin access from being able to evade detection. Such exploits would either disable the antivirus, making their presence obvious, or be detected by it via a definitions update.

      The WSL provides an entirely different layer to utilize which is outside the purview of the antivirus. Similar to a virtual machine, but more discreet.

    11. Re:Question ? by drinkypoo · · Score: 1

      for better or worse it actually has a far more fine grained privilege model than *NIX.

      That's not at all what they meant, or said. The issue is how it is used. Linux actually has a far more fine grained privilege model than Windows, if you use SELinux. But nobody does, or at least, it's grossly underused. The same is true of Windows permissions. They have all these fancy-pants fine-grained permissions, and then they basically force you in practice to take on the rights to all those permissions at once to do the most trivial things. I have to run WinUAE as an administrator just to give it access to one compact flash reader. Now that program has access to all of those fine-grained permissions, when it only needs one. This is the problem with the overall Windows security model: they have all kinds of wonderful functionality and then you wind up having to bypass it constantly, rendering it completely meaningless.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Holy crap! by Ecuador · · Score: 2

    Holy crap! If someone gets administrator access on my system, they can do bad things? With the SUBSYSTEM FOR LINUX, SPECIFICALLY???
    Seriously, /., what is this shit?

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Holy crap! by Anonymous Coward · · Score: 0

      The second part of the Microsoft EEE Routine.

      First part: "Embrace" Linux and give stuff to "update" the kernel and design stuff in Windows to run Linux on.
      Second part: Give Linux a bad name by painting it as very dangerous for Windows.
      Third part: Linux gets a bad name and Windows is painted as more reliable. Microsoft starts new campaign with "undeniable proof" that Linux is to be abandoned and has to be replaced by more "reliable" Windows-only stuff. Exit Linux...

      Well - In theory that is....

  6. Anybody have a problem with Wine being used? by Trax3001BBS · · Score: 1

    Under Windows 10 install Linux, load Linux and install Wine = Exploit. Video is now private, I can see why.

    1. Re:Anybody have a problem with Wine being used? by Anonymous Coward · · Score: 0

      Let's put a 75 Ford Pinto engine in a 2017 Chevy Corvette but use the old Chevy spark plugs in the Pinto engine. Gee... why do the pistons have holes burnt into them?

    2. Re:Anybody have a problem with Wine being used? by drinkypoo · · Score: 1

      Let's put a 75 Ford Pinto engine in a 2017 Chevy Corvette but use the old Chevy spark plugs in the Pinto engine.

      If they fit, and you gap them correctly, they'll probably work fine.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Non-attack by Anonymous Coward · · Score: 0

    If you have administrator (root) access, you own the machine. No need to use another attack: you have already succeeded. In other words, if you already are inside the house, it's not a problem that you can get the spare key.

    Also, is it "easy" to get administrator access in Windows? Really? Looks like whoever wrote this doesn't know Windows' security model, or runs it with UAC disabled (which also proves the former).

    1. Re: Non-attack by Anonymous Coward · · Score: 0

      Your mind is very limited. There is a reason you aren't a hacker. There's a reason you do desk jockey IT work. Think outside the box. Stop thinking like they do, and think like a hacker would.

  8. Steve Martin Joke from 70s by Anonymous Coward · · Score: 1

    "I'm gonna tell you how to make a MILLION dollars tax free. First, get a million dollars."

    "I'm gonna tell you how to get root access on a Linux machine. First, get admin access."

    Eh, needs work before it's ready for Steve if he ever does a Linux show.

  9. HAH! And they just said Linux is Windows future by Noishkel · · Score: 1

    And to think there was just a headline here on /. that asked 'Will Linux Innovation Be Driven By Microsoft?'

    Well here's hoping not.

  10. Obtaining Administrator access: Win10 vs Linux by DrYak · · Score: 3, Insightful

    The thing is, on the platform usually targeted by malware written in Bash script - like GNU/Linux systems - "Administrative access" isn't something trivial.
    It's rare that regular users run everyday tasks as "root".

    You needed Microsoft to bring the GNU userspace and "linux ABI" to their NT kernel for suddenly things to run sour.

    ----

    And joke aside about NT users running as "administrators" 24/24 hours and 7/7 days, this was bound to happen:
    In order to not have ridiculous performance (as opposed to solutions like Cygwin, which is a user-land translation layer that must leverage whatever meagre functions the Win32 API offers to provide its POSIX compatibility) "WSL" takes a lot of shortcuts when providing the "linux API" ("picothreads" was a widely advertised capability introduced inside the NT kernel and leveraged by WSL so it could provide posix-threads to linux ELFs that don't suck as much at multi-threading/multi-processing as the rest of Windows).
    Some of these "not that much secure" performance shortcuts were bound to blow back in WSL users' faces.

    Again, remember: WSL is only exclusively to be used in testing/development environment (so that devs can directly test linux binary ELFs without needing, e.g., a full blown Ubuntu VirtualBox VM image).
    WSL is currently NOT to be used in production (keep it away from production servers - obviously those will be running some GNU/Linux flavor), otherwise such blow-in-your-face accident could happen on critical machines with critical data.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Obtaining Administrator access: Win10 vs Linux by MightyMartian · · Score: 1, Insightful

      So really, the better solution is to actually run Linux on VMWare, VirtualBox, Hyper-V, and so on.

      Got it, avoid another MS integration clusterfuck.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Obtaining Administrator access: Win10 vs Linux by KiloByte · · Score: 3, Insightful

      So really, the better solution is to actually run Linux on VMWare, VirtualBox, Hyper-V, and so on.

      And why would I do that instead of running Windows in qemu-kvm, VirtualBox or even VMWare? You want the more secure system as the host rather than the other way around.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Obtaining Administrator access: Win10 vs Linux by 140Mandak262Jamuna · · Score: 1

      Again, remember: WSL is only exclusively to be used in testing/development environment (so that devs can directly test linux binary ELFs without needing, e.g., a full blown Ubuntu VirtualBox VM image). WSL is currently NOT to be used in production (keep it away from production servers - obviously those will be running some GNU/Linux flavor), otherwise such blow-in-your-face accident could happen on critical machines with critical data.

      But some stupid shop is going to underbid you writing a thin layer on top of some free opensource code, and install/enable WSL behind the back. PHBs, dimwitted people masquerading as chief of cyber security, all the layers of CXOs, all bent "upon making the numbers" for the coming quarter to get an additional million dollar stock options all will claim that is the fair price for that module that faces the world from the landing page of corporate web site.

      You lose immediately

      They lose after some time

      We all lose eventually

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    4. Re:Obtaining Administrator access: Win10 vs Linux by Billly+Gates · · Score: 1

      Yes. The upcoming release of Windows Server 2016 will come with containers for Red Hat support using docker. Red Hat and Microsoft have a partnership.

    5. Re:Obtaining Administrator access: Win10 vs Linux by Billly+Gates · · Score: 1

      Incorrect. Windows has a VMS security system with tokens since NT evolved from VMS. Unlike Unix, a user is not really admin under Windows but rather requests a token to perform an admin task from ACL access control lists.

      WSL doesn't do shortcuts. The NT kernel was designed by David Cutler to be as portable as possible and uses a HAL hardware access layer. 32 bit tasks run on a wow layer win64 on Win32 to the kernel below. WSL is another layer on the kernel just like native .exes.

    6. Re:Obtaining Administrator access: Win10 vs Linux by drinkypoo · · Score: 1

      I think they meant for development. The only benefit to WSL over a full Linux in a vm is that it's closely coupled to Windows. But that's a drawback more than it is a benefit. It's not like it's arduous to get your data in and out of the vm.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. WSL vs Win32 API by DrYak · · Score: 1

    It is that no existing anti-malware utilities will automatically catch and remove the malware. This is a serious risk.

    Well, to be more precise:

    - currently the WSL subsystem that provides the "Linux ABI" to original Linux ELFs
    - and the Win32 system usually offered to the normal Windows userland
    are two different environments which are kept (on purpose) isolated from each other.

    (Just think about it: even if theoretically NTFS can store case-sensitive filenames, absolutely no Win32 userland handles it.
    That's just one of the several reasons why both environments should touch each other's stuff.
    Another reason is that for performance reasons WSL uses an entirely different threading system than Win32 apps - "picothreads"; there were a lot of online articles about the benefits of their introduction to the NT kernel.)

    Only some specific forms of message passing are possible.
    (- Windows' bash.exe can start ELFs in WSL (usually /bin/bash, hence the name)
    - The latest version of WSL can pass a little bit more data around.
    - WSL has a special filesystem driver to be able to safely mount Windows' user data in the filesystem tree.
    And that's about it.)

    That means that your copy of Kaspersky Lab for Microsoft Windows can't directly see anything happening in WSL.
    ...BUT!...
    Absolutely nothing prevents you (or security software suites from official providers) from running the "KAV" ELF inside WSL to handle the WSL side of security, in collaboration with the Win32 software.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re: WSL vs Win32 API by Monster_user · · Score: 1

      Nothing prevents it, except for two things.

      1. The user doesn't know the Linux subsystem is installed.
      2. The user doesn't know anything about Linux, and expects their Windows anti-virus to protect them.

    2. Re: WSL vs Win32 API by Anonymous Coward · · Score: 0

      Unless you have two files that only differ by case it is not going to be a problem for win32, most apps are case preserving.

  12. One more for the airtight hatchway list by mhkohne · · Score: 2

    AKA: Code execution results in code execution.
    Raymond has a whole series of these things:
    https://blogs.msdn.microsoft.com/oldnewthing/20070807-00/?p=25683

    Once you're able to run arbitrary programs as admin on a Windows box, the box is lost. Which particular set of arbitrary weirdness you choose to do to crash, compromise, or exfiltrate the data is pretty much irrelevant.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
  13. WSL is optional by DrYak · · Score: 1

    The user doesn't know the Linux subsystem is installed.

    WSL isn't installed by default on Windows 10.
    It's an optional component that you need to explicitly select in the corresponding control-panel-thingy.
    (like IIS).

    If the user is clueless, chances are high that they don't have WSL installed.

    The user doesn't know anything about Linux, and expects their Windows anti-virus to protect them.

    (well, if they are running McAfee, they are toast anyway :-P )

    More seriously, it's the "security suite" developers' job to develop a solution.
    Again, there is no technical reason preventing it (even if the current suite happens not to be able to see what happens on the WSL side).
    Most of the big pro developers (e.g.: Kaspersky) already have Linux ELFs that are currently used on Linux servers and on recovery bootdisk CD/USBs; they already have the necessary tools to be able to scan on the other side of the WSL fence.

    All that is needed is some effort to add the necessary glue code in the current suites to have them launch these processes inside WSL.
    No technical limitations.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re: WSL is optional by Monster_user · · Score: 1

      Just because the standard method of installing an optional service is through a control panel, doesn't mean that is the only way.

      .NET 2, & 3 are optional on Windows 10. They are typically installed via control panel. The last time I installed a legacy application, the .NET frameworks were downloaded and installed automatically.

      So we are back to Antivirus vendors providing ELFs, and providing a means of automatically installing and registering them, after installation. A means of automatically detecting the install of the WSL, and installing the appropriate ELF.

  14. computers are a potential security issue by Anonymous Coward · · Score: 0

    isn't just having a computer a "potential" computer security issue?

  15. No access at all! by Cutterman · · Score: 1

    Well, I installed it on my 1703 build and there I was at the prompt:
    Username? Mac
    Password? This_day_we_are_gathered_together
    Repeat Password: This_day_we_are_gathered_together
    (rumble-rumble-rumble)
    Login: q!z (or something) - [I'd typed Mac]

    Evidently at login time bash decided that I was from Outer Mongolia or somewhere and gave me the appropriate keyboard, with totally strange key-mappings.

    Needless to say I couldn't log in at all, either as Administrator or Mac . . .

    Now that's what I call security!

    Hats off to Microsoft as I return gratefully to Linux

    Mac

  16. Linux= inherently insecure by Anonymous Coward · · Score: 0

    Microsoft is doing a public service by adding Linux to Windows so people can see for themselves how insecure Linux really is. And just wait until they get systemd ported.

    1. Re: Linux= inherently insecure by Monster_user · · Score: 1

      It's a security flaw because of Windows.

  17. Did they actually? by JustNiz · · Score: 1

    >> While many people welcomed the arrival of Windows Subsystem for Linux (WSL)

    Really? No one I know cares or takes it seriously. Hardcore Windows users won't go near it because, like everything Microsoft does, it's a crap implementation and is buggy as fuck, and hardcore Linux users (like me) don't want Windows anywhere near anything we do, especially not the parent layer.

  18. Shiny Happy Windows Users by Anonymous Coward · · Score: 0

    Ah, shiny happy Windows users have another problem with their OS, too bad.

    Just use something else, you dolts.

  19. Security? by hduff · · Score: 1

    I see that Microsoft is quickly incorporating its patented security model into Linux!

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  20. Access rights ; read the docs by DrYak · · Score: 1

    Incorrect. Windows has a VMS security system with tokens since NT evolved from VMS. Unlike Unix, a user is not really admin under Windows but rather requests a token to perform an admin task from ACL access control lists.

    These are implementation details.
    My main point is that most of the time, Windows users are used to running as administrator.
    It doesn't matter whether that is done by "holding admin level VMS tokens" or "being Unix UID=0, GID=0"; that is an implementation detail.

    In practice:
    - Windows user has an account flagged as "admin"
    - Windows user does something and UAC shows up asking authorisation for an admin action
    - Windows user clicks yes by habit, because that's an entirely normal flow of actions.
    My point: Windows users are completely used to running as admin.

    On Linux:
    - Linux user clicks some benign-looking attachment
    - KDESU or any other pops up asking for the root password
    - Linux user: "Why the fuck do I need root to open a picture? Kill this shit with fire!"
    My point: Linux users don't normally need to run things as root.

    WSL doesn't do shortcuts.

    It. Fucking. Does.
    Read the dozens of articles and blog posts, some by the Microsoft engineers behind WSL themselves.

    The NT kernel was designed by David Cutler...

    and was designed in a way that totally sucks at multi-threading and multi-processing.
    (see any benchmark that compares code running on Linux and code running on Windows while using the Windows API for multi-threading).

    If you take the time to read all the literature that was written around the introduction of WSL, you'll notice that a new functionality called "pico-threads" was introduced to the NT kernel.
    That is the NT functionality that is used to provide "posix threads" to WSL layer ELFs,
    because the traditional NT functionality that is usually used to provide threads to .EXEs has subpar performance.

    If you read the details, you'll notice that isolation and security is done a little bit lightly - both compared to classic NT threading and to how threads and processes work in Linux.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  21. WSL installation by DrYak · · Score: 1

    Just because the standard method of installing an optional service is through a control panel, doesn't mean that is the only way. .NET 2, & 3 are optional on Windows 10.

    The difference is that .NET is a platform that is extensively used by Windows software.
    It was designed with this purpose by Microsoft and is distributed widely.
    It's completely expected that a lot of users will install it, because there are tons of legit use cases for that.

    By the time a user clicks on a virus running on .NET, it is pretty much expected that .NET will be installed.

    WSL is a platform developed by Microsoft that currently only targets developers (so they can test Linux code without a VM).
    There might be a few rare other cases (I mainly think of running some scientific data pre-processing before submitting to the Linux nodes on the HPC for further processing).
    But there is no practical reason for a clueless user to run WSL.
    It's not something that is expected to be used by regular everyday software.
    (At least that's not how Microsoft sees it, and not how it's marketed.)

    If a clueless user clicks on a bash malware, chances are that he won't have it installed already.
    And it would sound really weird if, when clicking to view an attachment in an e-mail, suddenly 2 installers pop up (one for WSL itself, one to install the GNU userland from Ubuntu).

    So we are back to Antivirus vendors providing ELFs, and providing a means of automatically installing and registering them, after installation. A means of automatically detecting the install of the WSL, and installing the appropriate ELF.

    My entire point:
    - antivirus vendors need to pack the ELFs (that they already have for servers and for recovery bootdisks) together in their suites.
    - if WSL happens to be deployed on that machine, they need to start the ELFs.

    And all these "WSL hidden from windows app such as antivirus" problems go "poof!".

    The hardest part (having antivirus software as Linux ELFs) is already done. What is left is merely integration (which is already provided to some extent in BASH.exe).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re: WSL installation by Monster_user · · Score: 1

      My point is that the bashware is a Trojan Horse which installs the WSL, as you described. The average Joe ain't gonna know they don't need WSL, they have to trust the program they are installing, the Trojan Horse.

      "if WSL happens to be deployed on that machine, they need to start the ELFs." Still confused on this terminology. If the WSL happens to be deployed after the antivirus was installed, will the ELFs be available to the WSL so they can be started? The Lxss folder is not safely writeable by Windows native applications, file corruption usually occurs. So writing it to the filesystem beforehand is not an option.

      Also, Linux ELFs sounds like a business or Enterprise feature, not a home use feature.

  22. Implementation by DrYak · · Score: 1

    My point is that the bashware is a Trojan Horse which installs the WSL, as you described. The average Joe ain't gonna know they don't need WSL, they have to trust the program they are installing, the Trojan Horse.

    Which sounds a little bit like stretching the average Joe's trust, just to click on some attachment.
    (But on the other hand, if the trojan begins its life as "bloatware" that is co-installed with a big software suite, that sounds more realistic:
    Joe wants to install a copy of Adobe Premiere that he managed to download for free from some website. He IS going to expect tons of additional platforms and libraries to get installed with it. An installation of WSL to get an invisible zombie node of a botnet can very easily be smuggled in that case.)

    If the WSL happens to be deployed after the antivirus was installed, will the ELFs be available to the WSL so they can be started? The Lxss folder is not safely writeable by Windows native applications, file corruption usually occurs. So writing it to the filesystem beforehand is not an option.

    If I was a Security Suite developer, the most likely route I would go for:
    - software resides in a directory accessible to *Windows* - typically a subfolder in the antivirus suite's installation folder
    - main reason: so it is trivial to update through the main update system, and can potentially share the same data files (signatures, etc.) as the main Windows anti-virus.
    - this includes a Linux ELF executable (lifted from the recovery bootdisk)
    - this includes a small bash script that can:
      - mount the Windows data with the proper VFS driver, e.g.: under "/opt/SecuritySuite"
      - start the Linux ELF with appropriate options.
    - the above is launched by *PIPING* it to the stdin of BASH.exe
    - the stdout of BASH.exe is picked up by the software to display the result in the Windows GUI.
    - this solves the chicken-and-egg problem of how to handle a concurrent WSL installation

    Possible improvement:
    - the API and message passing used by BASH.exe to talk with Linux processes under WSL has recently been improved.
    (e.g.: it's possible since recently to invoke "start" from within WSL to launch a Windows process outside of WSL)

    Also, Linux ELFs sounds like a business or Enterprise feature, not a home use feature.

    Currently, it is *ALSO* marketed as a home (power) user feature, mainly as a free "Recovery Bootdisk".
    (In addition to the classical expensive Linux server feature.)
    So how they will market it depends on what they want to achieve:
    - do they want to cover end users extensively? (it might also come as a premium feature)
    - do they want only to offer it as an extra protection for Business users?

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
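One way to wire up the Windows-side glue for the route DrYak sketches in this post (and the "run the KAV ELF inside WSL" idea from comment 11), as an added example that is not DrYak's, Microsoft's or any vendor's code: a PowerShell fragment that checks whether the WSL optional feature is enabled and, if so, pipes a small script into bash.exe that launches a Linux-side scanner and hands its stdout back to Windows. The suite directory, the scanner binary name and its --db option are hypothetical assumptions; the /mnt/c layout is WSL's default drvfs automount, used here instead of a custom mount so the script needs no root inside WSL.

```powershell
# Added example (not vendor code). Assumptions, all hypothetical: the suite ships a
# Linux scanner ELF named "scanner" and a "signatures" directory under $SuiteDir, the
# ELF accepts "--db <dir> <path>", and WSL's default drvfs automount exposes C:\ as /mnt/c.

function Test-WslEnabled {
    # The "is WSL deployed on this machine?" check. Get-WindowsOptionalFeature
    # needs an elevated session; on failure we treat WSL as absent.
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Windows-Subsystem-Linux' `
         -ErrorAction SilentlyContinue
    return ($null -ne $f -and $f.State -eq 'Enabled')
}

function ConvertTo-WslPath {
    param([Parameter(Mandatory)][string]$WindowsPath)
    # C:\Program Files\X  ->  /mnt/c/Program Files/X  (drvfs automount layout)
    $drive = $WindowsPath.Substring(0, 1).ToLowerInvariant()
    $rest  = $WindowsPath.Substring(2) -replace '\\', '/'
    return "/mnt/$drive$rest"
}

function Invoke-WslScan {
    param(
        # Lives in a Windows-visible folder so the normal updater can refresh it.
        [string]$SuiteDir = (Join-Path $env:ProgramFiles 'SecuritySuite\linux'),  # hypothetical
        [string]$Target   = (Join-Path $env:SystemDrive 'Users')
    )
    if (-not (Test-WslEnabled)) {
        return [pscustomobject]@{ Ran = $false; ExitCode = $null; Output = @() }
    }
    $suite  = ConvertTo-WslPath $SuiteDir
    $target = ConvertTo-WslPath $Target
    # The script is fed to bash.exe over stdin; force LF endings, bash chokes on CR.
    $script = @"
set -e
test -x '$suite/scanner' || { echo 'scanner ELF not found under $suite' >&2; exit 2; }
exec '$suite/scanner' --db '$suite/signatures' '$target'
"@ -replace "`r`n", "`n"
    # stdout (and merged stderr) comes back to the Windows side for the GUI to show.
    $out = $script | & bash.exe 2>&1
    return [pscustomobject]@{ Ran = $true; ExitCode = $LASTEXITCODE; Output = @($out) }
}

# Usage from an elevated prompt:
# Invoke-WslScan | Format-List
```

Because the scanner and its signatures sit on the Windows side of the drvfs boundary, a WSL install that happens after the suite was installed changes nothing: the next run simply finds the feature enabled and starts the ELF.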