
Microsoft Windows Subsystem for Linux (WSL) Exploited as a Safe Malware Gateway

While the Windows 10 Anniversary Update, released in August 2016, brought a lot of enhancements, it was the introduction of the Windows Subsystem for Linux (WSL) that attracted the most attention. Developed in partnership with Canonical Ltd., the publisher of the Ubuntu Linux distribution, WSL provides an environment for running Linux applications on 64-bit Windows 10 machines, much as the Wine open-source compatibility layer lets Linux users run software written for Microsoft Windows on their Unix-based machines. While both platforms seem poised to make life easier for supporters of the two operating systems, they could also pose significant security risks if used for the wrong reasons. A recent survey has shown that cyber criminals could smuggle malware into a Windows 10 system using a technique known as Bashware. Named after the popular Bash Linux shell, Bashware uses a combination of WSL and Wine to bypass AV scanners until it is too late to avert an infection.

The Main Prerequisite

To launch Linux binary executables in Executable and Linkable Format (ELF) on Windows 10, WSL relies on the traditional Linux Bourne-Again SHell (bash). Since WSL does not contain a standard Linux kernel, the Linux system calls those ELF binaries make must be redirected to the Windows kernel instead. That is possible thanks to the new Pico processes, which translate the Linux system calls into NT APIs with the help of a paired driver. Unfortunately, this hybrid system, which allows Windows and Linux programs to run in two different environments at the same time, gives crooks plenty of opportunities to turn a legitimate feature such as WSL into an undetectable malware gateway.

Since most AV security programs do not yet include tools for scanning Linux executables running on Windows 10, all the crooks need to do is run a malicious .EXE inside WSL.

Wait a Second, Are .EXEs Not Detected by AV Scanners by Default?

Yes, they are. However, antivirus programs will only detect the malware executable if it runs as a standard Windows NT process. By contrast, Linux binary executables run in Pico processes. Although both may share similar functions, they are fundamentally different, which is why NT processes are on the AVs' radar while Pico processes fly under it.

OK, I Got It. How Does the Actual Infection Unfold?

Should a crook decide to attack via Bashware, he/she will have to:

  • Turn on the system's developer mode
  • Enable WSL
  • Install the Linux image
  • Execute the malware on WSL and hide it using Wine

In theory, the first two actions can only be performed manually by the user. In reality, cyber criminals can do this remotely by tampering with a couple of registry keys (to enable developer mode) and using Microsoft's DISM tool to activate WSL before downloading the Ubuntu image from the Windows Store. Finally, they install the Wine compatibility layer to run the Windows-targeted malware in a Linux environment. Since Wine translates NT system calls into Portable Operating System Interface (POSIX) calls, it also converts the malicious .EXE file. By the time the Pico processes translate those POSIX calls back into NT APIs, the infection has already commenced.
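From a defender's point of view, the four staging steps above all leave Windows-side traces before the payload ever runs as a Pico process: the developer-mode registry change, the DISM feature enable, the first launch of the Linux subsystem, and a bash launcher whose command line invokes Wine. The following added example (not code from the article or from the Bashware research) correlates these stages per host over Sysmon-style process and registry telemetry. The JSON field names (`ts`, `host`, `type`, `target`, `image`, `cmdline`) and the sample events are constructed for this example; the `AppModelUnlock\AllowDevelopmentWithoutDevLicense` value is the registry setting Microsoft documents for enabling developer mode. The detection requires several distinct stages within a time window, so a developer who simply enables WSL and uses it does not trigger it.

```python
"""Correlate constructed Windows telemetry into the Bashware staging chain.

Added example for illustration; field names and sample events are assumptions,
not output of any real product.
"""
import json
import re
from datetime import datetime, timedelta

STAGE_DEV_MODE = "developer_mode_enabled"
STAGE_WSL_FEATURE = "wsl_feature_enabled"
STAGE_LINUX_LAUNCH = "linux_subsystem_launched"
STAGE_WINE_IN_WSL = "wine_invoked_from_wsl"

# Windows-side launchers of the Linux subsystem.
WSL_LAUNCHERS = ("bash.exe", "wsl.exe")

# Constructed sample telemetry (not real logs). WS01 shows the full chain;
# DEV07 is a developer who enabled WSL legitimately and uses it to build code.
SAMPLE_EVENTS = [
    r'{"ts":"2017-09-12T10:00:01","host":"WS01","type":"registry_set","target":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense","value":1}',
    r'{"ts":"2017-09-12T10:00:04","host":"WS01","type":"process_create","image":"C:\\Windows\\System32\\dism.exe","cmdline":"dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"}',
    r'{"ts":"2017-09-12T10:03:10","host":"WS01","type":"process_create","image":"C:\\Windows\\System32\\bash.exe","cmdline":"bash.exe"}',
    r'{"ts":"2017-09-12T10:09:45","host":"WS01","type":"process_create","image":"C:\\Windows\\System32\\bash.exe","cmdline":"bash.exe -c \"wine /mnt/c/Users/Public/payload.exe\""}',
    r'{"ts":"2017-09-12T11:15:00","host":"DEV07","type":"process_create","image":"C:\\Windows\\System32\\dism.exe","cmdline":"dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux"}',
    r'{"ts":"2017-09-12T11:16:00","host":"DEV07","type":"process_create","image":"C:\\Windows\\System32\\bash.exe","cmdline":"bash.exe -c \"make -j4\""}',
]


def classify(event):
    """Map one parsed event to a Bashware staging step, or None if unrelated."""
    etype = event.get("type")
    if etype == "registry_set":
        target = event.get("target", "").lower()
        # Developer mode is switched on by setting this value to 1.
        if target.endswith(r"appmodelunlock\allowdevelopmentwithoutdevlicense") and event.get("value") == 1:
            return STAGE_DEV_MODE
        return None
    if etype == "process_create":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        cmdline = event.get("cmdline", "").lower()
        if image == "dism.exe" and "enable-feature" in cmdline and "microsoft-windows-subsystem-linux" in cmdline:
            return STAGE_WSL_FEATURE
        if image in WSL_LAUNCHERS:
            # A bash/wsl launcher whose command line runs wine is the last stage.
            if re.search(r"\bwine\b", cmdline):
                return STAGE_WINE_IN_WSL
            return STAGE_LINUX_LAUNCH
    return None


def find_bashware_chains(lines, window=timedelta(hours=24), min_stages=3):
    """Return one finding per host on which at least `min_stages` distinct
    stages of the chain occur within `window`, ordered by first occurrence."""
    staged = {}
    for line in lines:
        event = json.loads(line)
        stage = classify(event)
        if stage is None:
            continue
        ts = datetime.fromisoformat(event["ts"])
        staged.setdefault(event["host"], []).append((ts, stage))

    findings = []
    for host, items in staged.items():
        items.sort()
        # Slide a window starting at each staged event on this host.
        for i, (start, _) in enumerate(items):
            seen = {}
            for ts, stage in items[i:]:
                if ts - start > window:
                    break
                seen.setdefault(stage, ts)
            if len(seen) >= min_stages:
                findings.append({
                    "host": host,
                    "stages": sorted(seen, key=seen.get),
                    "first": start.isoformat(),
                    "last": max(seen.values()).isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_bashware_chains(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

The threshold is the tuning knob: with `min_stages=3` only WS01 is reported, while `min_stages=2` would also flag DEV07, which merely enabled and used WSL. Because the stage names are recorded in order of first occurrence, the finding also tells an analyst how far the chain progressed before any alert fired.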

Although it is only a matter of time before most security firms implement a solution to the Bashware threat, Microsoft's researchers have compiled a set of guidelines for AV vendors on dealing with it.
