
Researchers use Windows 10 Linux subsystem to run malware

The provision of a Linux subsystem on Windows systems — a new Windows 10 feature known as Subsystem for Linux (WSL) — has made it possible to run known malware on such systems and bypass even the most common security solutions, security researchers at Check Point claim.

In a detailed blog post, researchers Gal Elbaz and Dvir Atias said they had dubbed this technique for getting malware onto a Windows system Bashware, Bash being the default shell on a large number of Linux distributions.

They said existing security solutions had not yet been adapted to monitor the processes of Linux executables running on Windows.

"This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms," Elbaz and Atias said.

They said they had tested infecting Windows machines running most of the leading anti-virus and security products on the market and successfully bypassed every single one.

"This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally," they wrote.

WSL is an optional component of Windows 10 and needs to be installed as administrator.

Describing the WSL feature, the researchers said that it had both user mode and kernel mode components. This created "a complete compatibility layer for running an environment that looks and behaves just like Linux, without having to fire up any virtual machine".

Microsoft had introduced what it called Pico processes – containers that allowed the running of ELF binaries on Windows.

"By placing unmodified Linux binaries in Pico processes, WSL enables Linux system calls to be directed into the Windows kernel," the pair wrote. "The lxss.sys and lxcore.sys drivers translate the Linux system calls into NT APIs and emulate the Linux kernel."

They outlined the four-stage method whereby Bashware loaded the malicious payloads, describing Bashware as "a generic and cross-platform technique that uses WSL in order to allow running both ELF and EXE malicious payloads in a stealthy manner that could bypass most current security solutions".

The pair said that Bashware did not leverage any logic or implementation flaws in WSL’s design.

"In fact, WSL seems to be well designed. What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system," they added.
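As an added defender-side check, not part of the article or of Check Point's research, the following PowerShell script reports whether the optional WSL component is enabled, whether the lxss.sys and lxcore.sys drivers the researchers name are loaded, and whether WSL launcher processes are running on a Windows 10 host. The launcher process names bash.exe and wsl.exe are an assumption, and the feature query needs an elevated shell.

```powershell
# Added example (not from the article or from Check Point): inventory the WSL
# surface described above so that an endpoint can be flagged for review.
# Run as administrator on Windows 10; bash.exe and wsl.exe are assumed launcher names.

function Get-WslExposure {
    # 1. Is the optional component installed? Get-WindowsOptionalFeature needs elevation,
    #    so report 'Unknown' instead of failing when the shell is not elevated.
    $featureState = 'Unknown'
    try {
        $feature = Get-WindowsOptionalFeature -Online `
            -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction Stop
        $featureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }
    } catch {
        Write-Verbose "Feature query failed (not elevated?): $_"
    }

    # 2. Are the drivers that translate Linux syscalls (lxss.sys, lxcore.sys) registered,
    #    and are they currently running?
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'lx(ss|core)\.sys$' } |
        Select-Object Name, State, PathName

    # 3. Are any WSL launcher processes alive right now? (assumed names)
    $procs = Get-Process -Name bash, wsl -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, StartTime

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FeatureState   = $featureState
        DriversLoaded  = @($drivers | Where-Object State -eq 'Running').Count
        Drivers        = $drivers
        Processes      = $procs
    }
}

$report = Get-WslExposure
$report | Format-List

# A host where the component is enabled or the drivers are running has the
# capability the article describes; a running launcher process deserves a closer look.
if ($report.FeatureState -eq 'Enabled' -or $report.DriversLoaded -gt 0) {
    Write-Warning "$($report.ComputerName): WSL capability present (feature=$($report.FeatureState), running drivers=$($report.DriversLoaded))"
}
if ($report.Processes) {
    Write-Warning "$($report.ComputerName): WSL launcher process(es) running: $(($report.Processes.ProcessName | Sort-Object -Unique) -join ', ')"
}
```

The script only inventories the host; correlating the result with whether WSL is an approved tool on that machine is the policy decision it feeds.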


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.