Beware of the Bashware: A New Method for Any Malware to Bypass Security Solutions
With a growing number of cyber-attacks and frequent news headlines about database breaches, spyware and ransomware, quality security products have become a commodity in every business organization. Consequently, a lot of thought is being invested in devising an appropriate information security strategy to combat these breaches and in providing the best solutions possible.
We have recently found a new and alarming method that allows any known malware to bypass even the most common security solutions, such as next-generation anti-viruses, inspection tools, and anti-ransomware. This technique, dubbed Bashware, leverages a new Windows 10 feature called the Windows Subsystem for Linux (WSL), which recently exited Beta and is now a fully supported Windows feature.
This feature makes the popular bash terminal available for Windows OS users, and in so doing, enables users to natively run Linux operating system executables on the Windows operating system.
Existing security solutions are still not adapted to monitor the processes of Linux executables running on Windows, a hybrid arrangement in which Linux and Windows binaries run side by side on the same machine. This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.
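The gap described above is easiest to reason about once you know which hosts can actually execute Linux binaries. The following PowerShell audit is an added example, not code from the original post or from Check Point; it reports whether the WSL optional feature is enabled, whether the WSL service is present, and which WSL-related processes are running, with parent and command line for triage. The feature, service and process names (`Microsoft-Windows-Subsystem-Linux`, `LxssManager`, `bash`/`wsl`/`wslhost`) are the known Windows 10 WSL components, assumed here rather than taken from the post; the feature query needs an elevated session.

```powershell
# Added audit script (not from the original post): inventory WSL exposure on a host
# so that Linux executables cannot run outside the view of Windows-only monitoring
# without the defender at least knowing the capability is present.
# Feature/service/process names are the known WSL components, assumed, not from the post.

$wslProcessNames = @('bash', 'wsl', 'wslhost')

function Get-WslFeatureState {
    # Requires elevation; returns 'Unknown' if the DISM query fails.
    try {
        $feature = Get-WindowsOptionalFeature -Online `
            -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction Stop
        return [string]$feature.State
    } catch {
        return 'Unknown'
    }
}

function Get-WslProcessInventory {
    # CIM is used instead of Get-Process so the parent PID and command line are available.
    Get-CimInstance Win32_Process |
        Where-Object { $wslProcessNames -contains ($_.Name -replace '\.exe$', '') } |
        ForEach-Object {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                Name        = $_.Name
                Pid         = $_.ProcessId
                ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
                CommandLine = $_.CommandLine
            }
        }
}

$service = Get-Service -Name 'LxssManager' -ErrorAction SilentlyContinue

# Host-level summary first, then one row per WSL-related process for triage.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    WslFeature       = Get-WslFeatureState
    LxssManagerState = if ($service) { [string]$service.Status } else { 'NotInstalled' }
} | Format-List

Get-WslProcessInventory | Format-Table -AutoSize
```

A WslFeature value of Enabled on a host where no one is expected to use Linux tooling, or a bash/wsl process whose parent is not an interactive shell or terminal, is the condition worth escalating.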
Watch the Demo of the Attack: https://youtu.be/fwEQFMbHIV8
Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to let any malware bypass security products. We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all. This means that Bashware may potentially affect any of the 400 million PCs currently running Windows 10 globally.
Following this discovery, we updated our SandBlast Threat Prevention solutions to protect our customers from Bashware.
We call on the security industry to take immediate action and to modify their security solutions to protect against this new method.