Windows 10: Bashware: Malware Can Abuse Windows 10's Linux Shell

Read More: Bashware: Malware Can Abuse Windows 10's Linux Shell to Bypass Security Software

:)

 

How to Install and Use the Linux Bash Shell on Windows 10

How to Install and Use the Linux Bash Shell on Windows 10

I have win 10 pro - 1511 [10586.420] can install Linux Bash Shell Now or in the Future, ...?

 

Why Windows 10 Anneverary Edition will not work on some computers...

OK, So after a little research into Ubuntu, who's version of GNU (pronounced new) Bash (a Linux 4.2 kernel-based command prompt used and customized by Ubuntu Linux developers) that Microsoft is integrating into Windows 10 Anniversary Edition, is not yet
compatible with Intel's Skylake CPU's (6th generation Intel Core i series processors).

What this means is that if your Intel CPU has a number designation wherein the first number is a 6 (ie Intel Core (insert "i3 6xxx", "i5 6xxx", or "i7 6xxx" here), and has the Intel HD 530 graphics chipset (which most Skylake processors do have on dye),
the anniversary edition will not be able to install and run. This is because Skylake's integrated graphics (Intel HD530) chipset only supports Linux 4.3- based shells whereas the Ubuntu GNU Bash shell used in Windows 10 Anniversary only supports up to Linux
4.2.

The culprit is, specifically, the lack of support for shells using Linux 4.2 kernel drivers for the Intel HD530 graphics chipset. The Ubuntu Bash shell used in Windows 10 Anniversary is based around Linux 4.2....and the Intel HD530 graphics chipset drivers are
only compatible with Linux 4.3 kernel's or newer.

 

[youtube]fwEQFMbHIV8[/youtube]

Read More: Beware of the Bashware: A New Method for Any Malware to Bypass Security Solutions

 

Fall Upgrade is not even out yet and it is already exploitable. So much for advertised better security. *Sad

I have started to use those tweaks thus far (to disable dev mode and to disable bash.exe):
Code: Dism /Online /Disable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /Quiet /NoRestart reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\AppModelUnlock" /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "bash.exe" /f[/quote]
EDIT: I have found a simpler solution. Take ownership of these keys and remove it or remove all users, it will prevent DISM from enabling WSL.

Code: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-Lxss-Optional-Package[/quote]

 

From DSLReports comes this interesting read. Windows 10’s Built-In Linux Shell Could Be Abused to Hide Malware, Researchers Say - Motherboard
" As it stands now, {Windows Subsystem for Linux} or WSL is not turned on by default and users need to enable "development mode" on their systems in order to use it."
This feature was added in beta with the anniversary update in 2016 and will become a fully supported feature in the fall update on or about October 17th.
I don't know a thing about Linux so, those of you who do can give us Linux noobs the skinny.
The one thing that stood out for me was that, so far as this article says, only Symantec has scanners that can recognize this stuff. And Kaspersky has said that they will adapt their scanners to be able to spot it.
So, I have switched from Windows Defender back to Norton Security Suite for the time being.
And now I'm off to make another set of backups to replace the ones I made this morning. *Rolleyes

 

Microsoft must know about this vulnerability so what if anything are they going to do to improve security? Being an IT Luddite, I haven't yet upgraded to the CU so I'm 'safe' so far.

 

This isn't considered an actual security vulnerability as you are required to have admin rights to use this. The prerequisite elevation of privilege is the actual security boundary.

 

Pretty much every malware requires admin rights, especially ransomware, so that is not really a problem.

 

This is not crossing an access check at all, there is no compromise of the security guarantees windows tries to give. This is something that will be useful to attackers post exploitation, not an actual vulnerability to exploit. Once you have local admin, the security game is over.

While I disagree with Microsoft on how they handle a number of things such as UAC and AppLocker bypasses, I think Raymon Chen's article series is fairly fitting here:

It rather involved being on the other side of this airtight hatchway: Invalid parameters from one security level crashing code at the same security level The Old New Thing.

 

ZDnet's take http://www.zdnet.com/article/check-p...-linux-attack/