A technology that lets Linux applications run on Windows continues to be used as a weapon by cybercriminals, in attacks that allow malware to be installed remotely while evading traditional security systems. The attacks have been going on since May and, although not many cases have been recorded yet, they show that attempts are becoming more frequent while the criminals keep refining their malicious tools.
At the heart of these attempts is the Windows Subsystem for Linux (WSL). The feature has drawn special attention from criminals since mid-2019, and it has recently been receiving constant updates from Microsoft in an attempt to mitigate some of the attacks detected by experts; this cat-and-mouse game, however, shows that the platform is increasingly a target.
According to Black Lotus, the research arm of security company Lumen, new WSL-related exploits appear every two to three weeks, always focused on delivering malicious files and executables remotely. Attackers are studying new ways to use the integration of Linux and Windows to run processes, while working on hiding their own command-and-control servers and experimenting with possibilities that, at times, slip past the scrutiny of security solutions.
The malicious files were written in Python and compiled into Linux binaries that act as loaders when run on Windows. According to those responsible for the alert, this is not a very sophisticated technique, but the low detection rate may say more about campaigns still in progress than about the success of security policies, with criminals working on improvements that could make this a more dangerous threat in the future.
Detection of attacks remains a challenge for experts
Meanwhile, Lumen's experts point out that very few security products are able to detect attacks using WSL: a sample hosted on the VirusTotal website had received only a single positive identification as of mid-August. That version does not perform malicious actions, but it can display a message in Russian on the system, fetched from a remote server, showing that it would indeed be able to load applications remotely. The detections came from Ecuador and France.
The technical details were disclosed by the researchers, who now describe a race against time before such attacks become more widespread and effective. Moreover, the point is that these attacks have left the realm of theory and could become a practical danger in the near future, as new malicious tools and scams are developed that take advantage of other known vulnerabilities in Windows devices and servers.
Experts are now racing to develop methods for detecting and mitigating such campaigns, whether through the IP addresses of remote connections or through threat indicators that can reveal an intrusion attempt. In addition, the recommendation for administrators of systems where WSL is enabled is to monitor connections and components constantly, so that anything out of the ordinary can be identified quickly.
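The monitoring recommendation above can be turned into a concrete check. The script below is an added example, not code from the article or from Lumen's researchers: it walks Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records, reconstructs each connecting process's parent chain, and raises an alert when that chain passes through a WSL launcher (assumed here to be wsl.exe or bash.exe) and the destination is outside internal address ranges and not on an allowlist. The event records, process IDs and addresses are constructed for the example; the destination IPs use documentation ranges in place of real servers.

```python
"""Flag outbound connections from WSL-launched process lineages.

Records mimic Sysmon's schema (EventID 1 = process create, EventID 3 =
network connect); field names are Sysmon's, the values are constructed.
"""
import ipaddress
from collections import namedtuple
from typing import Dict, Iterable, List, Tuple

# Windows-side programs that start a WSL session (assumption: a starting
# set; distro launchers such as ubuntu.exe could be added by a defender).
WSL_LAUNCHERS = {"wsl.exe", "bash.exe"}

# Address ranges treated as internal; anything else counts as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

Alert = namedtuple("Alert", "pid image dest_ip dest_port chain")

# Constructed telemetry: explorer.exe starts wsl.exe, which (via WSL
# interop) starts cmd.exe; firefox.exe is an unrelated benign process.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\wsl.exe"},
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4200,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessId": 4400, "ParentProcessId": 4100,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 3, "ProcessId": 4300, "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 4200, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "ProcessId": 4400, "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 4200, "DestinationIp": "192.0.2.10", "DestinationPort": 8080},
    {"EventID": 3, "ProcessId": 4200, "DestinationIp": "192.0.2.99", "DestinationPort": 4444},
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_process_table(events: Iterable[dict]) -> Dict[int, Tuple[str, int]]:
    """Map pid -> (image, parent pid) from process-creation events."""
    return {e["ProcessId"]: (e["Image"], e["ParentProcessId"])
            for e in events if e.get("EventID") == 1}


def wsl_chain(pid: int, procs: Dict[int, Tuple[str, int]], max_depth: int = 32) -> List[str]:
    """Image names from pid up to the nearest WSL launcher; [] if none.

    Bounded by max_depth and a seen-set so pid reuse cannot loop forever.
    """
    chain, seen, cur = [], set(), pid
    while cur in procs and cur not in seen and len(chain) < max_depth:
        seen.add(cur)
        image, ppid = procs[cur]
        chain.append(basename(image))
        if chain[-1] in WSL_LAUNCHERS:
            return chain
        cur = ppid
    return []


def is_external(ip: str) -> bool:
    """True when the address is outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_wsl_egress(events: List[dict], allowlist=frozenset()) -> List[Alert]:
    """Alerts for external connections made by WSL-launched process chains."""
    procs = build_process_table(events)
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        chain = wsl_chain(ev["ProcessId"], procs)
        if not chain:
            continue  # not descended from a WSL launcher
        ip = ev["DestinationIp"]
        if ip in allowlist or not is_external(ip):
            continue  # known-good or internal destination
        alerts.append(Alert(ev["ProcessId"], chain[0], ip,
                            ev["DestinationPort"], " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    for a in find_wsl_egress(SAMPLE_EVENTS, allowlist={"192.0.2.10"}):
        print(f"pid {a.pid} ({a.chain}) -> {a.dest_ip}:{a.dest_port}")
```

Run against the constructed records with 192.0.2.10 allowlisted, the script reports two connections: cmd.exe reached through wsl.exe talking to 203.0.113.7:443, and wsl.exe itself talking to 192.0.2.99:4444. Note the coverage limit: this check only sees Windows-side processes, and with WSL 2 the Linux side runs in a lightweight virtual machine whose own traffic is not attributed to a Windows process in this kind of telemetry, so it complements rather than replaces network-level monitoring of the host.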