Bashware: the technique that makes malware bypass security

Anonim

We keep finding ever more sophisticated malware, which on many occasions escapes every security control. Part of that is thanks to a technique called Bashware. This technique lets malware use a Windows 10 feature called the Windows Subsystem for Linux (WSL) and thereby evade the security software installed on the computer.

WSL works with Bash commands that users type into a CLI. It maps those shell commands onto their Windows counterparts: the data is processed within the Windows kernel and a response is sent back. WSL provides both a Bash CLI and a Linux file system.

Bashware active since 2016

Microsoft brought Bash to Windows 10 so that Linux users would see how easy it is to use there. The WSL feature has been in development since 2016, although Microsoft has already announced that a stable version will arrive with the Windows 10 Fall Creators Update. Bashware itself is a technique that uses this hidden Linux shell in Windows 10 to conceal malicious operations.

Researchers say that current antivirus products do not detect these operations because they lack support for Pico processes. Fortunately, Bashware is not a foolproof method, mainly because it requires administrator permissions: malicious programs that reach Windows 10 need administrator-level access before they can enable the WSL feature, which is disabled by default.

The problem is that the Windows attack surface has many EoP (elevation of privilege) flaws, so obtaining administrator permissions is not too complicated. Once the attacker succeeds, he can put Windows 10 in developer mode. So the danger of Bashware is real.
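The two preconditions the article describes, the WSL optional feature being enabled and developer mode being switched on, are things a defender can audit. The PowerShell below is an added example, not code from the article or from the researchers it cites. It assumes the standard feature name `Microsoft-Windows-Subsystem-Linux`, the `LxssManager` service, the `AppModelUnlock` registry key that the developer mode toggle writes and the per-user `Lxss` key that lists registered distributions; confirm these on your own build.

```powershell
# Added example: audit a Windows 10 host for the Bashware preconditions the article
# describes (WSL feature enabled, developer mode on) plus signs that a Linux
# subsystem is actually present or running. Run from an elevated prompt, since
# Get-WindowsOptionalFeature requires administrator rights.
# Registry paths and value names are assumptions to verify on your own build.

function Get-BashwareExposure {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. WSL optional feature state (disabled by default on Windows 10)
    $wsl = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Windows-Subsystem-Linux' `
        -ErrorAction SilentlyContinue
    $report.WslFeatureState = if ($wsl) { $wsl.State.ToString() } else { 'NotPresent' }

    # 2. Developer mode (assumption: the Settings toggle writes this DWORD)
    $devKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $dev = Get-ItemProperty -Path $devKey -Name 'AllowDevelopmentWithoutDevLicense' `
        -ErrorAction SilentlyContinue
    $report.DeveloperMode = [bool]($dev -and $dev.AllowDevelopmentWithoutDevLicense -eq 1)

    # 3. LxssManager, the service that hosts WSL instances
    $svc = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue
    $report.LxssManager = if ($svc) { $svc.Status.ToString() } else { 'NotPresent' }

    # 4. Linux distributions registered for the current user (assumption: Lxss key)
    $lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
    $report.Distros = @(Get-ChildItem -Path $lxss -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DistributionName })

    # 5. Processes that launch or host WSL right now
    $report.WslProcesses = @(Get-Process -Name 'wsl', 'bash', 'wslhost' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ProcessName -Unique)

    # The article's core precondition: an enabled subsystem that the host AV may not inspect.
    $report.ExposedToBashware = ($report.WslFeatureState -eq 'Enabled')

    [pscustomobject]$report
}

Get-BashwareExposure | Format-List
```

On a machine where WSL was never enabled the report shows `WslFeatureState : Disabled`, no distributions and `ExposedToBashware : False`; an `Enabled` feature on a host with no business need for WSL, especially together with `DeveloperMode : True`, is the combination worth investigating, since the article's point is that Pico processes run by the subsystem are outside what the antivirus can see.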
