Bashware: Malware Can Abuse Windows 10's Linux Shell to Bypass Security Software

LASER_oneXM

Feb 4, 2016
Bashware is the name of a new technique that allows malware to use a new Windows 10 feature called Subsystem for Linux (WSL) to bypass security software installed on an endpoint.

Back in 2016, Microsoft announced WSL as a way to run a Linux shell (Bash) inside the Windows 10 operating system. This was done to appeal to the developer community, which primarily uses Linux because of its ease of use for programming-related tasks.

WSL works by taking Bash commands users type in a CLI, converting the shell commands to their Windows counterparts, processing the data inside the Windows kernel, and sending back a response, to both the Bash CLI and a local Linux file system.

The WSL feature has been under development in a beta stage since March 2016, but Microsoft recently announced WSL would reach a stable release this autumn with the release of the Windows 10 Fall Creators Update, scheduled for October 17.

Bashware attack is invisible to current security software
In a report issued late last night, security researchers from Check Point have published technical details about Bashware, a technique that allows malware devs to use Windows 10's secret Linux shell to hide malicious operations.

Researchers say that current security software, including next-gen antivirus solutions, fail to detect these operations.

This happens because they all lack support for Pico processes, a new class of Windows processes that Microsoft added to handle WSL operations.

Bashware needs admin access, but that may not be a problem
The Bashware attack is not a surefire method to run malicious operations undetected on Windows. A Bashware attack, above all, requires administrator privileges.
 

TairikuOkami

May 13, 2017
I have put those tweaks into my config, to disable dev mode and WSL upon shutdown.
But bashware already has admin access, so it can easily alter those; still, it might help a bit.

Code:
REM Uninstall the WSL optional feature without prompting or rebooting
Dism /Online /Disable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /Quiet /NoRestart
REM Remove the Developer Mode unlock (the 2017-era WSL beta needed it)
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\AppModelUnlock" /f
REM Turn on the Explorer DisallowRun policy for the current user ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
REM ... and list the executables it should refuse to start (value names are just sequence numbers)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "bash.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "9" /t REG_SZ /d "nc.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "10" /t REG_SZ /d "nc64.exe" /f
But I wonder how to block wine64, since it is not running as an exe. I guess it is launched via bash.exe? :confused:

EDIT: I have found a simpler solution. Take ownership of these keys and remove them, or remove all users; this will prevent DISM from enabling WSL.

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-Lxss-Optional-Package
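An added, read-only audit script (not from the thread, Check Point's report, or TairikuOkami's config) that checks the same knobs the article and the tweaks above touch: whether the WSL feature is enabled, whether Developer Mode is unlocked, whether the WSL service is running, which DisallowRun entries exist, and whether any WSL launcher process is live. The function names are hypothetical; the feature name, registry paths, the LxssManager service and the process names bash/wsl/wslhost are real Windows identifiers. It is meant to be run in an elevated PowerShell on Windows 10.

```powershell
# Added example: audit the WSL attack surface discussed in the thread.
# Function names (Get-WslExposure, Test-WslHardened) are hypothetical.

function Get-WslExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. WSL optional feature state (same feature name the Dism command above disables)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction SilentlyContinue
    $result.WslFeatureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # 2. Developer Mode unlock (the key the tweak deletes)
    $unlock = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' -ErrorAction SilentlyContinue
    $result.DeveloperModeUnlocked = [bool]($unlock -and $unlock.AllowDevelopmentWithoutDevLicense -eq 1)

    # 3. WSL service (LxssManager) presence and status
    $svc = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue
    $result.LxssManagerStatus = if ($svc) { [string]$svc.Status } else { 'NotPresent' }

    # 4. DisallowRun entries for the current user; value names are sequence numbers, values are exe names
    $disallow = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction SilentlyContinue
    $blocked = @()
    if ($disallow) {
        $blocked = @($disallow.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { [string]$_.Value })
    }
    $result.DisallowRunEntries  = $blocked
    $result.BashBlockedByPolicy = ($blocked -contains 'bash.exe')

    # 5. Any WSL launcher/host process currently running
    $result.RunningWslProcesses = @(Get-Process -Name 'bash', 'wsl', 'wslhost' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ProcessName -Unique)

    [pscustomobject]$result
}

function Test-WslHardened {
    param([Parameter(Mandatory)] $Exposure)
    # "Hardened" here means every knob discussed in the thread is closed.
    return ($Exposure.WslFeatureState -ne 'Enabled') -and
           (-not $Exposure.DeveloperModeUnlocked) -and
           ($Exposure.LxssManagerStatus -ne 'Running') -and
           $Exposure.BashBlockedByPolicy
}

$exposure = Get-WslExposure
$exposure | Format-List
if (Test-WslHardened -Exposure $exposure) {
    'WSL attack surface closed'
} else {
    'WSL attack surface still open; see the fields above'
}
```

Two caveats worth keeping in mind when reading the output. DisallowRun is enforced by the Explorer shell, so it stops bash.exe from being started via the Start menu, the Run dialog or a double-click, but not a process that creates it directly; that is consistent with the post's own remark that malware which already has admin rights can simply undo these settings. And because the feature state and the service status are separate checks, a box can report the feature "Disabled" while LxssManager is still present until the pending reboot that /NoRestart skipped.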
