Windows Subsystem Under Attack After Warning Dismissed

Threat actors are persistent. This is a fact that everyone within the industry has come to understand as being the only real constant and dynamic force with inexhaustible energy.


Knowing this, if intruders harbor a will to accomplish something, sooner or later they’re going to find a way. However, it is the duty of cybersecurity researchers to labor in preventing that from happening.


The following case is the poster child of “I told you so.” It serves as a perfect example of when theoretical attack scenarios and proof-of-concepts developed by researchers go unheeded.


A new form of stealthy malware targeting the Windows Subsystem for Linux (WSL) was recently uncovered by security researchers at Black Lotus Labs. The discovery came several years after Microsoft dismissed a proof-of-concept attack scenario that was initially conceived by Check Point researchers back in 2017.


At the time, the security researchers explained that the Windows Subsystem was vulnerable to intrusion because it allowed a threat actor to secretly introduce malicious payloads in the form of Linux binaries, slipping the code under the radar of security scanners.


If that scenario were to unfold, it would grant an intruder the ability to install malware onto Windows 10 computers.


Almost four years later, that’s exactly what took place in September.


What Is Windows Subsystem For Linux


WSL debuted in 2016 as a Microsoft product that functions as a compatibility layer. It allows users and developers to run a Linux bash shell command line and launch executables natively on Windows 10, Windows 11, and Windows Server 2019.


Think of having the functionality of a Linux terminal inside a Windows environment, because that’s exactly what it does.


One of the highlights about WSL is that it wasn’t built upon a Linux kernel, which doesn’t necessarily harm the compatibility factor. However, the WSL platform is more than just a Linux bash shell for Windows, because it features both user mode and kernel mode functions, which allows users to enjoy the fullness of a compatibility layer for running a terminal-based environment that appears and feels just like the real thing.


This is made possible because Microsoft introduced a feature called Pico processes, which are essentially containers that allow ELF binaries to run on the Windows OS. By running unmodified Linux binaries in Pico processes, WSL allows Linux system calls to take place, which are directed into the Windows kernel.


For someone like myself who is always needing the functionality of Linux at the spur of the moment, it can be very tiresome to have to power up my virtual machines or back out of Windows and dual boot to a Linux distribution.


Another issue with virtual machines is that they also have a tendency to use up a lot of memory and disk space, which is why I prefer to use WSL for many of my command-line utilities. I download Linux packages, install and launch them in the same fashion. You get the gist.


An Attack Without A Defense


Black Lotus Labs, which is a threat research group collaborating with Lumen Technologies, explained they had found several obtrusive Python files that had been compiled using the Linux binary format ELF (Executable and Linkable Format) for Debian Linux.


In a recent blog post, Black Lotus Labs elaborated:


"These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls."

Mike Benjamin, the vice president of product security at Lumen and head of Black Lotus Labs, said, "Threat actors always look for new attack surfaces." He elaborated further, saying:


"While the use of WSL is generally limited to power users, those users often have escalated privileges in an organization. This creates blind spots as the industry continues to remove barriers between operating systems."

This was precisely the discovery Check Point researchers had warned Microsoft about. Their proof-of-concept attack, which they dubbed Bashware, was able to run ELF and EXE payloads. But because Windows 10 didn’t ship with WSL already installed and Windows didn’t include a Linux distro preinstalled right out of the box, the discovery was dismissed as not being a foreseeable threat.


Check Point offered an additional warning, explaining that the nature of the vulnerability allowed malware to conceal itself from security products such as antivirus software due to the lack of adequate detection signatures. Without a way for security products to recognize the malicious activity, there was no viable defense against the threat vector, which is precisely how it’s been able to slip under the radar.


To drive the point home, Check Point researchers had even conducted tests using the very technique that would later be discovered in use. Their discovery proved that most leading antivirus and security products could not detect their simulated attack, allowing the threat vector to bypass them all unnoticed.


Dan Matthews, an engineer at anti-malware Lastline, said:


“While this is probably technically accurate research, it appears a bit sensationalistic. While WSL is out of beta, it is disabled and a base Linux OS is not installed on any Windows 10 host by default. In order for this threat to be credible, a user would need to follow several very intentional steps to enable WSL and install a Linux guest machine onto an updated Windows 10 host.”

Microsoft offered a statement to El Reg, saying:


“We reviewed and assessed this to be of low risk. One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default.”

At present, Black Lotus Labs noted that the good news about this recent development is that the attack isn’t exactly sophisticated. Regardless of the absence of complexity, the samples still had a detection rate of one or zero in VirusTotal, which indicates that the unwelcome ELF files would have evaded detection by most antivirus products.


Furthermore, they explained that the malicious scripts were written in Python 3 and then converted into an ELF executable using the tool PyInstaller. Once the scripts are executed, they activate various Windows APIs designed to retrieve a remote file, which is then added to the list of running processes, thereby establishing access to the affected machine.
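
For defenders, that build chain leaves a recognizable fingerprint. The sketch below is an added example, not code from Black Lotus Labs or from this article: it checks whether a file's bytes are an ELF image carrying a PyInstaller archive trailer and reports the bundled Python version. The trailer layout is assumed to be PyInstaller's 2.1+ format, and triage, build_sample and the sample bytes are constructed for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# PyInstaller CArchive trailer ("cookie"); layout assumed to be the 2.1+ format:
# magic, archive length, TOC offset, TOC length, Python version, libpython name
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0xB7: "aarch64"}


def triage(data: bytes) -> dict:
    """Report whether a byte string is an ELF image and a PyInstaller bundle."""
    report = {"elf": False, "machine": None, "pyinstaller": False,
              "python": None, "pylib": None}
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return report
    report["elf"] = True
    endian = "<" if data[5] == 1 else ">"                    # e_ident[EI_DATA]
    (machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine
    report["machine"] = ELF_MACHINES.get(machine, hex(machine))

    pos = data.rfind(COOKIE_MAGIC)        # the cookie sits at the archive's end
    if pos == -1 or pos + struct.calcsize(COOKIE_FMT) > len(data):
        return report
    _, _, _, _, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    report["pyinstaller"] = True
    # The version is stored as 37 for Python 3.7 and as 310 for Python 3.10
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else divmod(pyver, 10)
    report["python"] = f"{major}.{minor}"
    report["pylib"] = pylib.rstrip(b"\x00").decode("ascii", "replace")
    return report


def build_sample(pyver=None):
    """Constructed test input: bare ELF64 header, optionally with a cookie."""
    header = (ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
              + struct.pack("<HHI", 2, 0x3E, 1)).ljust(64, b"\x00")
    if pyver is None:
        return header
    body = b"\x00" * 32                   # stand-in for the archive contents
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, len(body) + 88, 0, 0,
                         pyver, b"libpython3.9.so.1.0")
    return header + body + cookie


if __name__ == "__main__":
    print(triage(build_sample(39)))               # ELF + PyInstaller bundle
    print(triage(build_sample()))                 # plain ELF
    print(triage(b"MZ\x90\x00" + bytes(60)))      # not an ELF image
```

On a Windows host, a file that passes both checks is worth a closer look wherever it turns up, since a Python bundle compiled for Linux has no ordinary reason to be there outside a deliberate WSL workflow.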


Lastly, it is thought that a threat actor focused on attacking a Windows machine would somehow need to get remote code execution within the WSL platform in order to carry out the full scope of their payload.


I think there is a lesson to be gleaned from this recent turn of events. When possible vulnerabilities are found by security researchers, they can also be found by threat actors, regardless of how tedious or unconventional the attack might seem. A persistent threat will always devote time and energy to research and exploit security holes if it means illicit access can be established to desired targets.


Since the vulnerability and its dismissal had been publicized and had sat in the public record for years, it was only a matter of time before that record was rediscovered.


An article by Jesse McGraw. Edited by Ana Alexandre.