Slashdot Mirror


'Bashware' Attacks Exploit Windows 10's Subsystem for Linux (betanews.com)

Mark Wilson quotes BetaNews: While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."
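The summary above names the two preconditions of the technique: an attacker who already holds administrator rights, and a host on which the Linux subsystem can run executables that the installed security tooling does not inspect. The following PowerShell script is an added example (not code from BetaNews, Check Point or Slashdot) that audits a Windows 10 host for those preconditions so a defender can tell whether a machine that has no business running WSL is exposed. It assumes the optional feature name `Microsoft-Windows-Subsystem-Linux`, the `LxssManager` service, the `bash.exe`/`wsl.exe` launchers, and the Developer Mode registry value `AllowDevelopmentWithoutDevLicense` (the WSL builds current when this story ran required Developer Mode; treat that check as an assumption about the host's build). The feature query needs an elevated prompt.

```powershell
# Added example: audit a Windows 10 host for Bashware preconditions.
# Not part of the original article or the Check Point research.
# Run from an elevated PowerShell prompt (Get-WindowsOptionalFeature needs admin).

function Get-WslExposure {
    # Ordered so the report reads top-down in the same order as the checks.
    $result = [ordered]@{
        WslFeatureEnabled    = $false
        DeveloperModeEnabled = $false   # assumption: required by 2017-era WSL builds
        LxssManagerStatus    = 'Absent'
        WslLauncherProcesses = @()
        Exposed              = $false
    }

    # 1. Is the optional feature turned on? (Requires elevation.)
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $result.WslFeatureEnabled = $true
    }

    # 2. Developer Mode flag (an attacker with admin can flip this themselves,
    #    which is why the story says admin is all that is needed).
    $devKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $dev = Get-ItemProperty -Path $devKey -Name 'AllowDevelopmentWithoutDevLicense' `
        -ErrorAction SilentlyContinue
    if ($dev -and $dev.AllowDevelopmentWithoutDevLicense -eq 1) {
        $result.DeveloperModeEnabled = $true
    }

    # 3. LxssManager is the service that hosts WSL instances.
    $svc = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.LxssManagerStatus = $svc.Status.ToString()
    }

    # 4. Win32-side launchers. The Linux binaries they start run inside the
    #    subsystem, which is the part the article says security tools did not
    #    monitor, so the launchers are the cheap thing to watch for.
    $result.WslLauncherProcesses = @(
        Get-Process -Name 'bash', 'wsl' -ErrorAction SilentlyContinue |
            Select-Object Id, ProcessName, StartTime
    )

    # A host with the feature enabled (or the service running) can execute
    # Linux ELF binaries; on anything that is not a developer workstation
    # that is the exposure worth an alert.
    $result.Exposed = $result.WslFeatureEnabled -or
                      ($result.LxssManagerStatus -eq 'Running') -or
                      ($result.WslLauncherProcesses.Count -gt 0)

    [pscustomobject]$result
}

$exposure = Get-WslExposure
$exposure | Format-List

if ($exposure.Exposed) {
    Write-Warning 'WSL is available on this host; confirm it is an approved developer machine.'
} else {
    Write-Output 'WSL is not enabled or running on this host.'
}
```

On fleets where WSL is not sanctioned, the same checks can be scheduled and the `Exposed` flag shipped to a SIEM; disabling the optional feature (`Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux`) closes the gap outright rather than relying on the endpoint product to inspect subsystem processes.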

6 of 80 comments

  1. Easy to get administrator access? by natex84 · · Score: 5, Insightful

    While administrator access is needed to execute a Bashware attack, this is fairly easily obtained

    Really? that sounds like more of a problem than some particular tool....

    1. Re:Easy to get administrator access? by The+MAZZTer · · Score: 5, Insightful

      Yeah, like I said on the last website that posted this story, this is a non-issue. If the attacker has local admin access, they've already pwned the system, it's game over. What they do after that point is trivial and not interesting.

    2. Re:Easy to get administrator access? by johnnys · · Score: 5, Insightful

      Yes. If you have Administrator access, you own the system. So what they are really saying is "Hey, if you already own the Windows system then you can do bad things with the Windows system!"

      So it's a meaningless and irrelevant story.

      --
      Sometimes the "writing on the wall" is blood spatter...
  2. Obtaining Administrator access: Win10 vs Linux by DrYak · · Score: 3, Insightful

    The thing is, on the platform usually targeted by malware written in Bash script - like GNU/Linux systems - "Administrative access" isn't something trivial.
    It's rare that regular users run everyday tasks as "root".

    You needed Microsoft to bring the GNU userspace and "linux ABI" to their NT kernel for suddenly things to run sour.

    ----

    And joke aside about NT user running as "administrators" 24/24 hours and 7/7 days, this was bound to happen :
    In order to not have ridiculous performance (as opposed to solutions like Cygwin, which is a user-land translation layer that must leverage whatever meagre functions the Win32 API offers to provide its POSIX compatibility), "WSL" takes a lot of shortcuts when providing the "linux API" ("picothreads" was a widely advertised capability introduced inside the NT kernel and leveraged by WSL so it could provide posix-threads to linux ELFs that don't suck as much at multi-threading/multi-processing as the rest of Windows).
    Some of these "not that much secure" performance shortcuts were bound to blow back in WSL users' faces.

    Again, remember : WSL is exclusively to be used in testing/development environments (so that devs can directly test linux binary ELFs without needing, e.g., a full blown Ubuntu VirtualBox VM image).
    WSL is currently NOT to be used in production (keep it away from production servers - obviously those will be running some GNU/Linux flavor), otherwise such blow-in-your-face accident could happen on critical machines with critical data.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Obtaining Administrator access: Win10 vs Linux by MightyMartian · · Score: 1, Insightful

      So really, the better solution is to actually run Linux on VMWare, VirtualBox, Hyper-V, and so on.

      Got it, avoid another MS integration clusterfuck.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Obtaining Administrator access: Win10 vs Linux by KiloByte · · Score: 3, Insightful

      So really, the better solution is to actually run Linux on VMWare, VirtualBox, Hyper-V, and so on.

      And why would I do that instead of running Windows in qemu-kvm, VirtualBox or even VMWare? You want the more secure system as the host rather than the other way around.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.