Ubuntu in Windows 10 brings new techniques to circumvent security

Experts. Security from Check Point Software Technologies have found a new "door" for hacking on computers that are running Windows 10. The technique uses WSL, that allows you to run Linux executables. "Bashware" can potentially threaten the more than 400 million devices with Windows 10.

Recently we have found a new and disturbing method that allows any malware to circumvent even the most popular security solutions, such as next-generation antivirus tools for auditing and antyrasomware. This technique, called Bashware, uses a new feature called Windows 10 named Subsystem for Linux (WSL), which recently was launched as a beta, and is now fully supported in Windows. -inform the experts Gal Elbaz and Dvir Atias on the pages of the blog Check Point.

Linux in Windows 10.

WSL function makes the popular bash terminal is available for Windows users, and thus allows users to natively running executable files of the Linux operating system in the Windows operating system 10. Existing security solutions still are not designed to monitor processes in Linux operating system running at the same time, under the Windows operating system in the hybrid concept, which allows simultaneous running a combination of Linux and Windows. This may open the door for criminals who want to run malicious code and allow them to use the features provided by the WSL to hide before security, which have not yet been integrated into appropriate mechanisms of detection.

According to experts, the Bashware should be a serious warning, because it shows how easy it is to use the mechanism of the WSL to steer clear of security products.

We have tested this technique on most leading antivirus products and security devices on the market, apart from all. This means that the Bashware program can potentially affect 400 million Windows-based computers 10 around the world. -Add Gal Elbaz and Dvir Atias of Check Point Software Technologies.

As representatives of the Check Point, about the new method were informed all missile defence companies and called for immediate action modifying their own security systems.

Company Check Point has published on YouTube a video showing the use of the technique of Bashware:

Presented material shows use malicious code to enable development mode and activate the bash shell on Windows 10. Since all NTFS partitions are automatically installed in the directory/mnt in the Linux environment and allow you to read, save, and run files from within the Subsystem for Linux (WSL), it is possible to manipulation of the Windows settings 10 using commands in PowerShell or CMD.

Anti-viruses are not suitable. Really?

Perhaps a new threat Bashware for Windows 10 is not especially sophisticated, but you have to remember, that brings the possibility of circumvention of security means that long ago warned experts. Bashware is one of those threats, that uses malicious scripts CMD or PowerShell (and consequently further operations also Linux command). Defense against such threats is possible but not all producers are successful. Security handling techniques that have been applied by AVLab test test for protection against drive-by download, use very similar methods of cheating antivirus software. What's going on? About scripting command executed using trusted processes "cmd" or "powershell", and following the "bash". These processes are most protective programmes considered as safe (digitally signed by Microsoft). And just before that warn employees Check Point.

Linux on Windows for some great stuff, for others a curse. Either way, a new feature of Linux in Windows developed by Microsoft, creates a huge playing field for authors of malicious code. Let's hope that the producers cope with a new problem.

To protect computers from a range of above threats, we recommend products that are characterized by a comprehensive protection, including components protection against malicious scripts.



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.