Posted on 09/17/2017 4:59:04 PM PDT by dayglored
While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as a Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.
While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."
In a blog post highlighting the Bashware problem, Check Point Research says: "We have recently found a new and alarming method that allows any known malware to bypass even the most common security solutions, such as next generation anti-viruses, inspection tools, and anti-ransomware. This technique, dubbed Bashware, leverages a new Windows 10 feature called Subsystem for Linux (WSL), which recently exited Beta and is now a fully supported Windows feature."
The researchers say that the technique is very easy to exploit, and it can be used to bypass "most of the leading anti-virus and security products on the market." It is said that the attack vector could place all 400 million computers running Windows 10 at risk.
[...much more including video of the attack, at the link...]
(Excerpt) Read more at betanews.com ...
Do you need physical access to the computer to execute this attack? Do you need to be sitting at the keyboard typing in the evil shell commands?
While administrator access is needed to execute a Bashware attack...
I'm not a big Windows guy - I only use it when I have to at work and the systems are administered by the IT staff... But it seems to me once an attacker has admin rights, pretty much the entire machine is his/her playground. I'm not seeing anything startling about being able to screw up a machine via this or that once you're an admin on it.
Physical access, plus admin rights, has -always- been "game over", so maybe this isn't as big a deal as it's made out to be. Nonetheless, worth a close look.
Oh, well...
I went back to paying bills by post and purchasing with cash quite a while back, knowing that the private computer age would eventually come crashing down due to all the ‘wares’ out there. Just too bloody risky.
Yes, with administrator rights you can do just about anything you want to do on that Windows computer, but these “things” will be detected when a malware/virus detector is run on the system. But with this new exploit the admin rights are used to install the malware under the Linux subsystem, whose processes are not currently monitored by many of the popular malware/virus detection products. This allows the malware to remain undetected and continue doing its evil work while your protection software still thinks everything is hunky-dory. These products will be updated shortly to monitor the Linux subsystem.
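An added defender-side check, not from the article or from anyone in this thread: an inventory script an administrator can run to see whether the WSL optional feature is enabled on a host and which Linux distributions are registered for the current user, so that unexpected WSL installations can be spotted. It assumes an elevated PowerShell session on Windows 10 and the standard per-user registry location for WSL distributions.

```powershell
# Added example (not from the original post): report WSL state on this host.
# Get-WindowsOptionalFeature -Online requires an elevated (administrator) session.
function Get-WslStatus {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

    # Registered distributions live under the current user's Lxss key,
    # one GUID-named subkey per distribution with a DistributionName value.
    $lxssKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
    $distros = @()
    if (Test-Path $lxssKey) {
        $distros = Get-ChildItem $lxssKey | ForEach-Object {
            (Get-ItemProperty $_.PSPath).DistributionName
        } | Where-Object { $_ }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FeatureState   = $feature.State        # 'Enabled' or 'Disabled'
        Distributions  = @($distros)
        # Flag hosts where WSL is on but no administrator-sanctioned distro is registered;
        # the allow-list below is an assumption and should be replaced by the site's own.
        Unexpected     = ($feature.State -eq 'Enabled') -and
                         (@($distros | Where-Object { $_ -notin @('Ubuntu') }).Count -gt 0)
    }
}

Get-WslStatus | Format-List
```

On a fleet this output can be collected centrally so that WSL is only present where it is expected, which narrows where the unmonitored Linux-side processes described above could exist.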
If you have physical access then you can get into Linux.
OK, I’m a big dummy when it comes to this stuff. My question is: this isn’t a Linux virus that causes this, is it? It’s a Windows virus that exploits the Linux code somehow?
My second question then becomes: if it’s a Windows virus that exploits Linux, then when using Linux only and browsing to a site with the virus, Linux users are still safe, no? Windows would have to be running at the same time, right?
“While administrator access is needed to execute a Bashware attack ...”
Doesn’t sound like a promising attack vector if you have to have administrator access.
Once you have administrator access, the rest of any attack is mere details anyway.
Ah, that makes sense, and I see the reason for concern. It’s one thing to have a problem, it’s another thing entirely to have a problem but not know you have a problem.
I think I see the real problem here.
Not so easy anymore with RHEL 7. Even single user mode requires admin password. It's no longer optional.
> I think I see the real problem here.
Yep.