Bashware: Malware Can Abuse Windows 10's Linux Shell to Bypass Security Software

-


Bashware is the name of a new technique that allows malware to use a new Windows 10 feature called Subsystem for Linux (WSL) to bypass security software installed on an endpoint.
Back in 2016, Microsoft announced WSL as a way to run a Linux shell (Bash) inside the Windows 10 operating system. This was done to appeal to the developer community who primarily uses Linux due to its ease of use when it comes to programming-related tasks.
WSL works by taking Bash commands users type in a CLI, converting the shell commands to their Windows counterparts, processing the data inside the Windows kernel, and sending back a response, to both the Bash CLI and a local Linux file system.
The WSL feature has been under development in a beta stage since March 2016, but Microsoft recently announced WSL would reach a stable release this autumn with the release of the Windows 10 Fall Creators Update, scheduled for October 17.

Bashware attack is invisible to current security software

In a report issued late last night, security researchers from Check Point have published technical details about Bashware, a technique that allows malware devs to use Windows 10's secret Linux shell to hide malicious operations.
Researchers say that current security software, including next-gen antivirus solutions, fail to detect these operations.
This happens because all lack support for Pico processes, a new class of Windows processes that Microsoft added to handle WSL operations.

Bashware needs admin access, but that may not be a problem

The Bashware attack is not a surefire method to run malicious operations undetected on Windows. A Bashware attack, above all, requires administrator privileges.
Malware that reaches a Windows 10 PC needs admin-level access so it can enable the WSL feature, which comes disabled by default, and then turn on Windows 10 Development Mode.
The bad news is that the Windows attack surface is plagued by many EoP (Elevation of Privilege) flaws that attackers can exploit to gain admin-level access to turn on WSL and load the necessary drivers using the DISM utility. Turning on WSL is a silent operation, requiring a single CLI command.
Furthermore, researchers say that an attacker that has gained administrator privileges won't have any issues to put Windows 10 in Developer Mode. Attackers can achieve this by modifying a registry key and waiting for (or force) a user to reboot his PC.
At this stage, the attacker has enabled WSL, but the Linux system install doesn't yet exist on the user's computer. Researchers say that tools present on the user's system allow the attacker to silently download the Linux file system from Microsoft's servers and complete the WSL installation.
When this process finishes, the attacker can utilize the newly installed Bash CLI to run malicious operations. Researchers say the attacker can use Linux commands to interact with Windows PCs, WSL translating everything for the attacker, but if the attacker doesn't want to modify already existing scripts, he can install Wine — a Windows emulator for Linux.
Basically, Wine allows the attacker to execute malicious Windows commands that Wine translates to Linux commands, that WSL transforms back to Windows operations, and runs on a targeted system.

Security software will need to support Pico processes

Researchers published details about the Bashware attack, so security software vendors can research and add support for WSL and Pico processes before the release of the Windows 10 Fall Creators Update.
Technical details about the Bashware attack are available in Check Point's report. Researchers also published a video demoing a Bashware attack.
The first security researcher to point out that WSL is an attack surface for Windows 10 was CrowdStrike's Alex Ionescu in a talk he gave at the Black Hat Europe 2016 security conference.
Researchers that want to keep up to date with WSL development can do so via Microsoft's WSL portal.

Comments

Post a Comment

Popular posts from this blog

Avet – Open Source Anti-Virus Evasion Tool

-
Image
When we want to perform an exploitation to a windows target, we need a payload that is undetectable to Antivirus Solutions. Msfvenom on its own is not enough. So we need an AV evasion tool to make this easy for us. Avet is a tool for building exe files with shellcode payloads for antivirus evasion. Installing Avet First clone the repository to our machine. git clone https://github.com/govolution/avet.git   After that go inside the folder and run the setup file to install wine and other missing components. cd avet/       Run the setup file to install the missing components.   ./setup.sh     Select create  for new installation   Running Avet There are two ways to run avet. Run avet by typing the command below. python avet_fabric.py   There are two ways to run avet. Either by compiling the make_avet script as shown below, or by  running the avet_fabric.py script, as shown. gcc -0 make_avet make_avet.c
Read more

PDFCrack - Password Cracking Tool for PDF-files

-
Image
PDFcrack is a GNU/Linux tool for cracking password protected PDF files. It is a very small command line application. It is not preinstalled in kali linux. We can install through command line. For installing pdfcrack open a terminal and enter apt install pdfcrack Syntax and options Usage: pdfcrack -f filename [OPTIONS]           : pdfcrack -f filenmae -w passwordfile.txt OPTIONS : -b, --bench perform benchmark and exit -c, --charset=STRING Use the characters in STRING as charset -w, --wordlist=FILE Use FILE as source of passwords to try -n, --minpw=INTEGER Skip trying passwords shorter than this -m, --maxpw=INTEGER Stop when reaching this passwordlength -l, --loadState=FILE Continue from the state saved in FILENAME -o, --owner Work with the ownerpassword -u, --user Work with the userpassword (default) -p, --password=STRING Give userpassword to speed up breaking ownerpassword (implies -o) -q, --quiet Run quietly -s,
Read more

How to Repair Kali Linux grub after installing Windows in Dual boot System

-
Image
If your System has primary OS Windows then you install your secondary OS Kali Linux. That will be OK, Kali Linux puts boot entry of Windows automatically for you. At initial boot menu you can see both OS entry to boot. If your windows is corrupt in dual boot system or if you want to install windows as secondary OS after installing Kali Linux as primary OS. You may face corrupt boot-loader menu. You wont be able to boot Kali Linux any more because Windows wont put entry of Kali Linux automatically in their boot menu. So this post motive is to help those guys which are facing those problems subjecting to corrupt Boot-loader. There are mainly two methods: 1. Repair Grub via Kali Linux live USB. 2. Repair Grub Via Boot-rapair-disk. Method 1# Repair Grub via Kali Linux live USB It is up to you which you want to choose but if you are Linux familiar then go for this method. Requirements 1. A Kali Linux ISO image. You can download here: Download Kali Linux
Read more