Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

General discussion and chat (archived)
Thehandyman1957

Post by Thehandyman1957 » 2017-09-14, 21:30

Just when you might have thought things for W10 were finally settling down.
http://thehackernews.com/2017/09/window ... lware.html

This reminds me of a movie scene. :mrgreen:
https://www.youtube.com/watch?v=RrxlbLVcpqI

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by Moonchild » 2017-09-14, 22:53

And this, kids, is why running on the bleeding edge or rolling releases is a bad thing :)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

tuxman

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by tuxman » 2017-09-14, 23:02

See: The Linux part is the largest security problem of Windows. :)
No surprises here.

Thehandyman1957

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by Thehandyman1957 » 2017-09-14, 23:37

tuxman wrote:See: The Linux part is the largest security problem of Windows. :)
No surprises here.
Uh, no. :think:
According to CheckPoint researchers, the Bashware attack technique could be abused even by a known Linux malware family,
because security solutions for Windows are not designed to detect such threats.
This is actually Microsoft's fault for not seeing this as an issue in the first place.

To relate this, it's like having a screen door designed for certain bugs and then installing it where the bugs are smaller and can fly right through.

So is it the fault of the screen maker or the idiot that installed the door in the wrong region? :crazy:

Moonchild
Pale Moon guru

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by Moonchild » 2017-09-15, 02:22

Thehandyman1957 wrote:This is actually Microsoft's fault for not seeing this as an issue in the first place.
No, this is the problem with new technology in Windows that the malware scanners are slow to pick up on. The tech is solid, an API is available and documented, but it's "too new".
On top, this is also disabled by default, only to be enabled by developers.

So you can blame Microsoft but their tech is fine, here (if you want to ignore the fact that it might not be a particularly good idea to mix in a completely different OS's executable formats...). Just slow to be picked up by AV companies (probably because most big ones don't actually write the engines, just use them...)

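As an added, defender-side illustration of the point above that the subsystem is an optional feature which has to be switched on before any Linux binary can run (this script is not from the thread, from Pale Moon, or from Microsoft): a PowerShell audit that reports whether the feature is enabled, whether the launcher binaries are present, and which distributions are registered for the current user. The feature name `Microsoft-Windows-Subsystem-Linux`, the `wsl.exe`/`bash.exe` paths and the `Lxss` registry key are Microsoft's real identifiers to the best of my knowledge, not taken from the thread; the function name `Get-WslExposure` and the `NeedsReview` verdict are my own, and the `DistributionName` value under each `Lxss` subkey is an assumption about the registry layout of that era.

```powershell
# Added example (not from the thread): audit whether the Windows Subsystem for Linux
# is enabled on this host so an administrator can decide whether it belongs there.
# Assumes Windows 10 with PowerShell 5.1 or later; Get-WindowsOptionalFeature -Online
# needs an elevated prompt, so run this as Administrator.

function Get-WslExposure {
    [CmdletBinding()]
    param()

    # 1. Optional-feature state (DISM). 'Enabled' means Linux ELF binaries can run.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'Unknown' }

    # 2. The launcher binaries that ship with the feature.
    $launchers = @(
        "$env:SystemRoot\System32\wsl.exe",
        "$env:SystemRoot\System32\bash.exe"
    ) | Where-Object { Test-Path $_ }

    # 3. Registered distributions live under HKCU\...\Lxss, one subkey per distro and
    #    per user. 'DistributionName' is an assumption about the subkey's values.
    $lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
    $distros = @()
    if (Test-Path $lxss) {
        $distros = @(
            Get-ChildItem $lxss -ErrorAction SilentlyContinue |
                ForEach-Object { (Get-ItemProperty $_.PSPath).DistributionName } |
                Where-Object { $_ }
        )
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        FeatureState  = $featureState
        Launchers     = $launchers
        Distributions = $distros
        # Anything enabled or registered is worth a review: the thread's point is
        # that Windows AV of the time did not inspect this execution path.
        NeedsReview   = ($featureState -eq 'Enabled') -or ($distros.Count -gt 0)
    }
}

Get-WslExposure | Format-List
```

Where the feature is enabled on a machine that has no business running Linux binaries, the matching remediation is the stock `Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux` cmdlet (a reboot is required); on developer machines the report is simply an inventory to keep alongside the other optional features you allow.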

Thehandyman1957

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by Thehandyman1957 » 2017-09-15, 04:50

Moonchild wrote:So you can blame Microsoft but their tech is fine, here (if you want to ignore the fact that it might not be a particularly good idea to mix in a completely different OS's executable formats...).
That's kinda what I was referring to. ;)

Moonchild
Pale Moon guru

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by Moonchild » 2017-09-15, 10:07

Thehandyman1957 wrote:
Moonchild wrote:So you can blame Microsoft but their tech is fine, here (if you want to ignore the fact that it might not be a particularly good idea to mix in a completely different OS's executable formats...).
That's kinda what I was referring to. ;)
Ah, I get that, but it's probably from the desire that everything must do everything in 2017. It does make me wonder how Linux deals with WINE running Windows malware, and how secure (or not) that was when it was first introduced. Can Linux AV scanners detect Windows malware running under WINE today? If the answer is "No" then Linux is much worse off since WINE has been around for so much longer; it's not new tech.

I'm pretty sure the AV people will catch up, though.

Thehandyman1957

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by Thehandyman1957 » 2017-09-15, 19:44

Here is an interesting tidbit from https://en.wikipedia.org/wiki/Wine_%28software%29
Security

Because of Wine's ability to run Windows binary code, concerns have been raised over native Windows viruses and malware affecting Unix-like operating systems.[93] Wine can run most malware, but programs running in Wine are confined to the current user's privileges, restricting some undesirable consequences. For this reason the developers of Wine recommend never running it as the superuser.[94] Malware research software such as ZeroWine[95] runs Wine on Linux in a virtual machine, to keep the malware completely isolated from the host system.

Another security concern is when the implemented specifications are ill-designed and allow for security compromise. Because Wine implements these specs, it will also implement any security vulnerabilities they contain.[96]
And if you care to read a bit, there is a conversation about it here. https://linux.slashdot.org/story/09/10/ ... s-via-wine

As for your question about Wine and AVs, I only found one mainline virus scanner for Linux, and it was Comodo. After doing some digging I found this on their forums.
[attached screenshot: Screenshot - Friday,9,15,17 , 12_58_02 PM.png]
They mention Apparmor so I went digging and found this. https://askubuntu.com/questions/236381/what-is-apparmor
Apparmor is a security framework that prevents applications from turning evil. For example: If I run Firefox and visit a bad site that tries to install malware that will delete my home folder, Apparmor has limits on Firefox though preventing it from doing anything I don't want (like accessing my music, documents, etc). This way even if your application is compromised, no harm can be done.
Interesting stuff. ;)

Moonchild
Pale Moon guru

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by Moonchild » 2017-09-16, 20:50

programs running in Wine are confined to the current user's privileges, restricting some undesirable consequences
So, in fact exactly the same as this on Windows, then.

hobbledehoy899

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by hobbledehoy899 » 2017-09-16, 21:47

Moonchild wrote:And this, kids, is why running on the bleeding edge or rolling releases is a bad thing :)
But this isn't even related to Arch or any Arch-based distros!

mrmivo

Re: Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable

Post by mrmivo » 2017-09-17, 04:24

The article also says:
Yes, Bashware requires administrator access on the target computers, but gaining admin privileges on Windows PCs via phishing attacks and/or stolen admin credentials is not a difficult task for a motivated attacker.
The article glosses over this, but doesn't it, in the end, come down to users being careless and negligent?