A new attack method – termed Bashware – could permit hackers to download malware to Windows 10 computing devices without being discovered by security software, according to research published by Check Point.
The Windows Subsystem for Linux (WSL) was brought in to make it simpler for developers to run Linux tools on Windows without having to use to virtualization; however, the decision to implement this feature could open the door to cybercriminals and allow them to install and run malware unnoticed.
Checkpoint experts have run tests on Bashware attacks against leading antivirus and antimalware security solutions and in all instances, the attacks went unnoticed. Check Point says no existing antivirus or security solutions are capable of noticing Bashware attacks as they have not been set up to search for these threats. Unless cybersecurity solutions are updated to search for the processes of Linux executables on Windows systems, attacks will not be noticed.
Microsoft says the Bashware method has been reviewed and has been found to be of minimal risk, since WSL is not turned on by default and several steps would need to be taken before the attack can happen.
For an attack to take place, administrator privileges would need to be obtained. As has been displayed on numerous occasions, those details could easily be obtained by conducting phishing or social engineering attacks.
The computer must also have WSL switched on. By default, WSL is enabled, so the attacks would either be restricted to computers with WSL turned on or users would have to turn on WSL manually, switching to development mode and rebooting their computing device. The possibility for Bashware attacks to succeed is therefore somewhat low.
That said, Check Point researchers said that WSL mode can be switched on by amending a few registry keys. The Bashware attack method automates this process and will download all the necessary components, turn on WSL mode and could even be used to install and extract the Linux file system from Microsoft.
It is also not a requirement for Linux malware to be created for use in these attacks. The Bashware method downloads a program titled Wine that allows Windows malware to be launched and run unnoticed.
WSL is now a fully supported feature of Windows. Check Point says approximately 400 million computers are running Windows 10 are currently under threat from Bashware attacks.
Experts Gal Elbaz and Dvir Atias at Check Point said in a recent blog post: “Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products.”
Check Point has already updated its solutions to discover these types of attacks, and Kaspersky Lab is creating updates for its solutions to stop these types of attacks. Symantec said its solutions already check for malware set up with WSL.
