Bashware attack, how to run Linux malware on Windows systems

Experts found a new alarming method dubbed Bashware attack that allows attackers to silently run malware to bypass even the most common security solutions,

The new Windows 10 feature Windows Subsystem for Linux (WSL) that implements the Linux bash terminal in Microsoft operating system could be exploited by malware to run undetected.

The feature was recently included in beta versions and it will be available for all users in the upcoming Windows 10 Fall Creators Update (FCU), set to be released by Microsoft in October 2017.

According to Because researchers with security firm Check Point, a malware designed for Linux can run undetected on Windows systems.

Bashware Linux of Windows

The new attack technique was dubbed Bashware, it allows the malicious code to evade the detection of antivirus solutions written for Windows, for this reason, it could be implemented also by Linux malware.

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time.” reads the analysis published by Check Point. “This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”

Below a video PoC of the Bashware attack:

Loading video

Security researchers have demonstrated that the Bashware attack goes undetected with most of the security solutions, it may potentially affect more of 400 million Windows systems that already run Windows 10 PC.

“Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products. We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all. This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally.” continues the analysis.

According to the experts, the risk is anyway limited because the WSL feature must be explicitly enabled by the Windows user, it is disabled by default.

Check Point also added that the WSL could be silently enabled in the background, allowing the malware to run.

Microsoft downplayed the risks to end-users because the feature is disabled by default.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux on Windows, Bashware)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.