Researchers Find Malware Hiding in Windows Subsystem for Linux
The malware targeted WSL to evade detection mechanisms.
Black Lotus Labs revealed on Thursday that it has discovered new malware that uses the Windows Subsystem for Linux (WSL) to avoid being detected by security tools.
WSL debuted in 2016 alongside the Windows 10 Anniversary Update as a way to access GNU and Linux tools without having to boot into a different operating system. It didn't originally provide true access to the Linux kernel—it used a compatible kernel developed by Microsoft—but that changed when WSL 2 arrived in June 2019.
That release officially brought the Linux kernel to Windows, and while that's usually a good thing for people who don't want to fuss with dual booting or using a different virtual machine environment, it turns out that it poses a security risk as well. Black Lotus Labs said the malware it found was used to covertly attack target PCs.
The researchers said the malware was distributed via Executable and Linkable Format (ELF) files intended to run on Debian, a popular Linux distribution, and its derivatives. In some cases those files contained a payload intended for a target PC; in others they received a payload from remote command and control infrastructure.
Black Lotus Labs found several versions of the malicious ELF files. One was said to have been written exclusively in Python using standard libraries that would allow it to target both Linux and Windows systems. Another used PowerShell, Microsoft's command shell and scripting language, to interact with specific Windows APIs.
The researchers said "this tradecraft could allow an actor to gain an undetected foothold on an infected machine." VirusTotal, a utility that checks submitted files for malware against 70-odd antivirus scanners, confirmed this by giving "the technique a detection rate of one or zero" when the Black Lotus Labs report was written.
"To our knowledge, this small set of samples denotes the first instance of an actor abusing WSL to install subsequent payloads," the Black Lotus Labs security researchers said. "We hope that by illuminating this distinct tradecraft, we can help drive better detection and alerting before its use becomes more rampant."
In the meantime, Black Lotus Labs is asking WSL users to ensure that they use proper logging to help prevent this type of malware from seeing widespread use.
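What "proper logging" buys a defender here is visibility into the Windows side of a WSL session: the launch of wsl.exe (or bash.exe) itself, and any Windows binary, such as PowerShell, that a payload running inside the distribution reaches back out to. The following is an added example, not code from Black Lotus Labs or from this article, that runs a small triage rule over process-creation records. It assumes the records have already been exported from the Windows Security log (Event ID 4688, with command-line auditing enabled) into dicts carrying the fields NewProcessName, ParentProcessName, CommandLine, SubjectUserName and TimeCreated; the set of parent image names used to recognise a WSL-hosted process (wslhost.exe for WSL 2, bash.exe for WSL 1) is an assumption, and all sample records are constructed.

```python
"""Triage Windows process-creation records for WSL activity.

Added example (not the article's or Black Lotus Labs' code). Input records
are dicts with Security Event 4688 field names; the sample records at the
bottom are constructed, not real telemetry.
"""
from __future__ import annotations

import ntpath
from collections import Counter
from dataclasses import dataclass

# Windows-side images that start or host a WSL session (assumed set).
WSL_IMAGES = {"wsl.exe", "wslhost.exe", "bash.exe"}

# Windows tooling a payload inside WSL would spawn to reach Windows APIs.
INTEROP_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    time: str
    user: str
    image: str
    parent: str
    command_line: str


def _base(path: str | None) -> str:
    # ntpath handles backslash separators regardless of the host OS.
    return ntpath.basename(path or "").lower()


def classify(event: dict) -> Finding | None:
    """Return a Finding for a WSL-related record, or None if it is unrelated."""
    image = _base(event.get("NewProcessName"))
    parent = _base(event.get("ParentProcessName"))
    common = dict(
        time=event.get("TimeCreated", ""),
        user=event.get("SubjectUserName", ""),
        image=image,
        parent=parent,
        command_line=event.get("CommandLine", ""),
    )
    # A Windows binary whose parent is the WSL host: the interop path a
    # Linux-side payload needs in order to call Windows APIs.
    if parent in WSL_IMAGES and image in INTEROP_TARGETS:
        return Finding("high", "windows_binary_spawned_from_wsl", **common)
    # Plain WSL session start: informational, but an alert on hosts where
    # WSL is not sanctioned at all.
    if image in WSL_IMAGES:
        return Finding("info", "wsl_session_started", **common)
    return None


def flag_wsl_events(events: list[dict]) -> list[Finding]:
    """Run classify() over a batch of 4688 records, keeping only hits."""
    return [f for f in map(classify, events) if f is not None]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick SIEM-style rollup."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample records (field names follow Event ID 4688).
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-09-16T10:01:00", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\wsl.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "wsl.exe"},
    {"TimeCreated": "2021-09-16T10:01:07", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wslhost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"TimeCreated": "2021-09-16T10:02:00", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"TimeCreated": "2021-09-16T10:03:00", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    hits = flag_wsl_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.severity}] {f.rule}: {f.image} <- {f.parent} ({f.user}) {f.command_line}")
    print(summarize(hits))
```

Two caveats a practitioner should keep in mind. First, Event ID 4688 only exists if "Audit Process Creation" is turned on, and the CommandLine field is only populated when "Include command line in process creation events" is also enabled; without those, the rule above sees nothing. Second, Windows process auditing never sees what runs inside the distribution: the ELF samples described in the article execute under the Linux kernel, so the only Windows-side trace is the wsl.exe launch and any interop children, which is exactly why the high-severity rule keys on the parent rather than on the payload.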
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
garylcamp: Not clear to me that this malware is on all Windows or is installed by user somehow. If user installed, let us know how NOT TO.

DXRick: Nathaniel makes it sound like Microsoft did it, instead of hackers exploiting a weakness in WSL, until you read the whole article.
Secondly, there is bad grammar:
"Black Lotus Labs revealed on Thursday that it's ... "
should be: "Black Lotus Labs revealed on Thursday that they... "

USAFRet: "The researchers said the malware was distributed via Executable and Linkable Format (ELF) files intended to run on Debian, a popular Linux distribution, and its derivatives. In some cases those files contained a payload intended for a target PC; in others they received a payload from remote command and control infrastructure."
So not something in the WSL code, but it seems something the user has downloaded and tried to install.

DXRick said: "Black Lotus Labs revealed on Thursday that it's ... "
should be: "Black Lotus Labs revealed on Thursday that they... "
Could also be: "Black Lotus Labs revealed on Thursday that it has discovered..."