'Bashware' Attacks Exploit Windows 10's Subsystem for Linux

Mark Wilson quote BetaNews: While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as a Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."

Easy to get administrator access?

[natex84]

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained

Really? that sounds like more of a problem than some particular tool....

Re:Easy to get administrator access?

[The+MAZZTer]

Yeah, like I said on the last website that posted this story, this is a non-issue. If the attacker has local admin access, they've already pwned the system, it's game over. What they do after that point is trivial and not interesting.

Re:Easy to get administrator access?

[johnnys]

Yes. If you have Administrator access, you own the system. So what they are really saying is "Hey, if you already own the Windows system then you can do bad things with the Windows system!"

So it's a meaningless and irrelevant story.

Re:Easy to get administrator access?

[Cognitive+Dissident]

No, it's not a non-issue, but it's a different kind of issue than most people realize. Remember the Alexis de Tocqueville Institution and the propaganda they pumped out last decade about how Linux and Open Source in general was a parasite on the tech industry, was enabling all sorts of illegal activities (such as terrorism - of course!), and attempted to publish a book claiming Linus Torvald's didn't really invent the Linux kernel? Microsoft was (and still is!) a major funder of this propaganda mill.

Think about the possible implications of a story like this: Could it generate calls to change the way the Linux kernel and programs that run under it are written? And now MS have their hooks sunk deeply into the kernel dev team. The SCO gambit (also funded by MS) failed, spectacularly. And the Astroturf de Tocqueville gambit failed, though not quite as spectacularly. And now we have MS "cooperating" in the development of Linux. And up pops a story that may justify an overhaul of Linux to make it controllable by MS Windows. Well, surprise, surprise! This "change of attitude" by MS is looking more and more like a subtler strategy to seize control of Linux rather than outright destroy it.

Re:Easy to get administrator access?

[Greyfox]

I'm pretty sure if you popped up a dialog that said something to the effect of "Can we have administrator access so we can install a botnet on your computer and steal your identity?" a surprising number of people would reflexively click OK. That'd be an interesting study to do, come to think of it.

Too late

[jabberw0k]

Windows 10 itself is malware, isn't it?

Holy crap!

[Ecuador]

Holy crap! If someone gets administrator access on my system, they can do bad things? With the SUBSYSTEM FOR LINUX, SPECIFICALLY???
Seriously, /., what is this shit?

Obtaining Administrator access: Win10 vs Linux

[DrYak]

The thing is, on the platform usually targetted by malware written in Bash script - like GNU/Linux systems - "Administrative access" isn't something trivial.
It's rare that regular users run everyday tasks as "root".

You needed Microsoft to bring the GNU userspace and "linux ABI" to their NT kernel for suddenly things to run sour.

----

And joke aside about NT user running as "administrators" 24/24 hours and 7/7 days, this was bound to happen :
In order to not have ridiculous performance (as opposed to solution like Cygwin which is a user-land translation layer that must leverage whatever meagre functions the Win32 API offers to provide its POSIX compatibility) "WSL" takes a lot of shortcuts when providing "linux API" ("picothreads" was a widely advertised capability introduced inside the NT kernel and leveraged by WSL so it could provide posix-threads to linux ELFs that doesn't suck as much at multi-threading/multi-processing as the rest of Windows).
Some of these "not that much secure" performance shortcuts was bound to blow back on WSL users' face.

Again, remember : WSL is only exclusively to be used in testing/development environment (so that devs can directly test linux binary ELFs without needing, e.g., a full blown Ubuntu VirtaulBOX VM image).
WSL is currently NOT to be used in production (keep it away from production servers - obviously those will be running some GNU/Linux flavor), otherwise such blow-in-your-face accident could happen on critical machines with critical data.

Re:Obtaining Administrator access: Win10 vs Linux

[KiloByte]

So really, the better solution is to actually run Linux on VMWare, VirtualBox, Hyper-V, and so on.

And why would I do that instead of running Windows in qemu-kvm, VirtualBox or even VMWare? You want the more secure system as the host rather than the other way around.

One more for the airtight hatchway list

[mhkohne]

AKA: Code execution results in code execution.
Raymond has a whole series of these things:
https://blogs.msdn.microsoft.com/oldnewthing/20070807-00/?p=25683

Once you're able to run arbitrary programs as admin on a Windows box, the box is lost. Which particular set of arbitrary weirdness you choose to do to crash, compromise, or exfiltrate the data is pretty much irrelevant.