Windows 10's Subsystem for Linux: Here's how hackers could use it to hide malware

But the Bashware attack is complicated.
Written by Liam Tung, Contributing Writer

The researchers say Bashware doesn't exploit flaws in Microsoft's WSL, but rather that WSL "expands the known borders" of Windows for which most security products currently scan. (Image: Microsoft)

Researchers at Check Point say they've found a way to use Microsoft's Windows 10 Subsystem for Linux (WSL) to allow malware to slip by antivirus.

WSL allows Linux ELF binaries to run on Windows. Microsoft introduced the feature to broaden Windows command-line tool support and help developers run the Bash terminal on Windows 10 for things like administration and managing app development.

It will be a fully supported feature in the Windows 10 Fall Creators Update, due out in October.

The researchers have coined the term Bashware to describe the technique, which uses the WSL environment to run Windows malware from a Linux instance and bypass most Windows security products in the process. Since WSL only comes with Windows 10, it could potentially affect the 500 million PCs running it.

WSL's capabilities come through an emulated Linux kernel and 'pico processes', or containers, within which ELF binaries run. WSL also directs Linux system calls to the Windows kernel. As noted by Check Point, two key .sys drivers emulate the Linux kernel and translate Linux calls for the Windows NT kernel's APIs.

Bashware allows an attacker to run ELF or Windows EXE malware in a stealthy manner by exploiting the similarity between the capabilities of pico processes and Windows NT processes, according to Check Point.

The attack has four steps, each of which is likely to reduce the number of vulnerable machines. First, it needs to check that WSL is enabled, which would be unlikely for most consumers. Then the attacker would need to manually enable developer mode.

Microsoft has a greater focus on attacks on Windows in user mode. For example, its bug bounty programs like the $200,000 mitigation bypass bounty exclude attacks on Windows defenses in developer mode.

In any case, if a Bashware attacker can achieve all these steps, they'd then need to install a Linux instance on the Windows target, as well as a Linux file system, and Wine, an open-source program for running Windows software on Linux, macOS, and other systems.
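The preconditions described above (WSL enabled, developer mode on, a Linux instance installed) are all things a defender can inventory. The following PowerShell audit is an added example, not code from the article or from Check Point's research; the feature name, the `AppModelUnlock` and `Lxss` registry keys, the `LxssManager` service and the `bash.exe` launcher path are the standard Windows 10 locations and are assumptions of this example, not details taken from the page.

```powershell
# Added example (not from the article): report whether a Windows 10 host meets
# the Bashware preconditions so that such machines can be prioritised for the
# WSL-aware antivirus/firewall support the article mentions. Run elevated.

function Get-WslExposure {
    [CmdletBinding()]
    param()

    # 1. Is the WSL optional feature enabled? (assumed standard feature name)
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    $wslFeatureEnabled = ($null -ne $feature) -and ($feature.State -eq 'Enabled')

    # 2. Is Developer Mode switched on? Windows records it under AppModelUnlock
    #    (assumed key and value name).
    $devKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $developerMode = $false
    if (Test-Path $devKey) {
        $props = Get-ItemProperty -Path $devKey -ErrorAction SilentlyContinue
        $developerMode = ($props.AllowDevelopmentWithoutDevLicense -eq 1)
    }

    # 3. Is the WSL session service present, and is the bash launcher on disk?
    #    (assumed service and file names)
    $lxssService = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue
    $bashPresent = Test-Path (Join-Path $env:SystemRoot 'System32\bash.exe')

    # 4. Which Linux instances are registered for the current user?
    #    Each distro gets a subkey under Lxss with a DistributionName value
    #    (assumed layout; older builds store a single instance differently,
    #    in which case this simply reports none).
    $distros = @()
    $lxssKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
    if (Test-Path $lxssKey) {
        $distros = Get-ChildItem -Path $lxssKey -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DistributionName } |
            Where-Object { $_ }
    }

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        WslFeatureEnabled  = $wslFeatureEnabled
        DeveloperMode      = $developerMode
        LxssManagerState   = $(if ($lxssService) { [string]$lxssService.Status } else { 'NotInstalled' })
        BashLauncherExists = $bashPresent
        LinuxInstances     = @($distros)
        # WSL on, Developer Mode on and a usable launcher: the host satisfies
        # every precondition the article lists before a Linux instance is even
        # installed, so it belongs on the list of machines to review.
        BashwareCapable    = $wslFeatureEnabled -and $developerMode -and
                             ($bashPresent -or ($null -ne $lxssService))
    }
}

# Usage: print the report; the object can also be exported to CSV or shipped
# to an inventory/SIEM pipeline for fleet-wide review.
Get-WslExposure | Format-List
```

`Get-WindowsOptionalFeature -Online` needs an elevated session; run unelevated it returns nothing and the feature shows as disabled, so treat an unexpected `NotInstalled`/`False` pair on a developer workstation as a prompt to re-run with administrator rights rather than as a clean result.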

The researchers' ultimate goal was to prove they could run malware that attacks Windows from the Linux instance, which isn't what WSL was intended for. Wine also allowed them to run Windows malware from WSL, providing the attack with cover from security products.

As the researchers note, Bashware doesn't exploit flaws in Microsoft's implementation of WSL, but rather that WSL is a new tool that "expands the known borders" of Windows for which most security products currently scan.

However, security vendors should be taking advantage of the WSL antivirus and firewall compatibility tools that Microsoft has made available.

Microsoft told The Register that it considered the risk of this attack to be low due to the steps required for the attack to be effective.
