​Check Point's bogus Windows Subsystem for Linux attack

If you deliberately set out to make your Windows system open to attack via WSL, yes, you could be attacked by Bashware.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Microsoft offers new Windows security features

Security companies, desperate for attention and headlines, love to come up with flashy, dangerous-sounding security hole names. The latest is Check Point's Bashware. This one, Check Point claims, can render 400 million Windows 10 PCs open to malware using Windows Subsystem for Linux (WSL) to launch Windows malware from a WSL Linux instance, thus bypassing most Windows security products in the process.

Check Point claims Bashware is "a new and alarming method that allows any known malware to bypass even the most common security solutions." Further, "Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products."

Easy? You got to be kidding me!

A Microsoft representative said: "We reviewed and assessed this to be of low risk. One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default."

At the Linux Security Summit in Los Angeles, Calif., a developer close to WSL told me, "The only way you could be attacked by this bug is if you set out to make your PC attackable."

They're both right.

To be attacked via Bashware, you must first log on as an administrator. Then, you must enable WSL. Check Point claims Bashware could invisibly load WSL's Pico drivers using Windows' Deployment Image Servicing and Management (DISM) utility. Wait. How could Bashware do this without Windows already being compromised? Check Point doesn't explain this inconsistency.

Let's ignore that and say WSL has been properly installed. How many Windows 10 users will activate WSL? Desktop surveys show Linux desktop use at about 1 percent of all users. Users of such systems as Linux Mint, openSUSE, and Ubuntu tend to use Linux interfaces such as Cinnamon, KDE, and GNOME. Only developers and system administrators tend to use WSL's BASH shell. Let's be generous and say 1 percent of desktop Linux users would use WSL. That leaves us with a vulnerable audience of 400,000 potential victims.

But, wait! There's more. You still can't attack a PC via WSL, because Windows malware doesn't run on Linux.

So, now, to make yourself open to a Bashware attack, you must install Wine. Wine is an open-source project, which implements the Windows API on top of the Unix/Linux operating system family. It works by translating Windows API calls into POSIX calls on the fly. This enables you to run Windows applications on Macs, BSD Unix, and desktop Linux. Or, in this case, on WSL.

Anyone see why most people wouldn't do this? That's right! Other than a stunt just to see if you can do it, there's no point in running a Windows program on top of a Linux shell on top of Windows. Let's say that's 0.1 percent of all users. We're now down to a potential 4,000 possible targets.

Finally, the Windows malware EXE file need to be converted by Wine, so its NT syscalls would turn these into POSIX syscalls. Then, the Pico provider (lxcore.sys) would convert the POSIX syscalls back to NT syscalls. And then, after all this rigmarole, an attacker can finally drop a malicious payload on your Windows system.

Could someone do this if they broke into your computer? Sure, they could. But why? If they've already hacked their way in this deep, why bother with this elaborate run-around?

Yes, WSL adds another attack surface to Windows. Yes, someone will eventually work out a way to exploit it. This, however, isn't it. It's a Rube Goldberg machine of no practical value to an attacker

Related stories:

Editorial standards