
Bash on Windows: a hidden Bitcoin goldmine? - Mojah
https://ma.ttias.be/bash-windows-hidden-bitcoin-goldmine/
======
tallanvor
Hopefully this gets fixed, but to be fair, if an attacker can enable the
subsystem, download the image, and run the commands to install a miner and run
them, you're already beyond screwed.

~~~
iheartmemcache
Resolved already.
[https://github.com/Microsoft/BashOnWindows/issues/122](https://github.com/Microsoft/BashOnWindows/issues/122)

Edit: A comment on how easy it would be to theoretically have this functionality
accidentally enabled --

Note that the odds of Grandma 'accidentally' enabling Bash on Windows is more
or less none. You have to 1: Associate your Win10 account with a MSDN account.
2: Enable Developer Mode from the Update Settings. 3: Sign into MSDN and click
through a few pages to enable Insider features. 4: Finally, Go back to the
Update settings and enable Insider updates along with the "Fast" feature-set.
5: Reboot. 6: Enable the "Server" Service (most users are just running
"Workstation" on 10; 'Server' isn't even offered on non-Pro,Enterprise. (At
least, I _think_ )).

Only then will you be able to even have the option of installing the Bash
feature (which isn't an "oops" situation - you have to be a power user to even
get access to it with an Admin user [See: (1,2) for what's visible on a stock
install of Windows, even to administrators - none of which offer the Feature
selection.])

It's intentionally obscured for power users, just like the Group Policy, MMC,
etc functionality. You can even tell by [3] ("Features") and the other
Features in there (Active Directory, Hyper V, etc) that this functionality is
clearly targeted to power-users (in fact, there's a large overlap between
WinServer 2012's Feature screen & this).

TL;DR - This isn't something which will accidentally get turned on, and if
Grandma is rooted, you can hide the process from Process Manager _easily_
anyways. Even from Sysinternals' Procexp, with some ease.

[1] [https://i.imgur.com/EPgcrrR.png](https://i.imgur.com/EPgcrrR.png) Standard settings page

[2] [https://i.imgur.com/Lim8eFv.png](https://i.imgur.com/Lim8eFv.png) Standard Control Panel

[3] [https://i.imgur.com/xDyQzHd.png](https://i.imgur.com/xDyQzHd.png) Features

------
3pt14159
It isn't worth CPU mining Bitcoin. Furthermore, even when it _was_ botnet
owners quickly saturated not just the CPU mining but the GPU mining as well.
It wasn't until FPGA Bitcoin software and ASICs started coming out that this
generally stopped.

One of the dark bits with people calling for a more democratic Proof of Work
based cryptocurrency is that it will dramatically increase monetary flows to
organized cyber criminals.

~~~
monocasa
It totally is if someone else is paying for the power.

~~~
duskwuff
You may be underestimating how wildly inefficient CPU mining is. Even if an
attacker isn't paying for the hardware or the power, there's still a
significant opportunity cost. (Especially given that Bitcoin mining is a
rather conspicuous way to use an exploited computer; users are likely to
notice the increase in fan noise.)

------
TazeTSchnitzel
OS X gets this right. Activity Monitor, essentially the OS X equivalent to the
Windows Task manager, shows all types of processes. Furthermore, OS X's "Apps
Using Significant Energy" list will contain Terminal if an app running within
it is eating CPU.

~~~
tomsmeding
That isn't a fair comparison. OSX is itself a unix system and as such, there
isn't any work involved in showing all processes equal (they _are_ equal). In
Windows, the subsystem is probably running an entirely different and separate
process model, regulated by the kernel. That's way harder to nicely unify in
task manager or something like that. (Disclaimer: I know zilch of the new
linux subsystem on windows, so please forgive any errors)

~~~
chris_wot
I don't know how bash is running processes, but I do know that there used to
be a POSIX subsystem, and processes would show in the task manager.

~~~
TazeTSchnitzel
IIRC the POSIX subsystem was impure and its apps also used user32.dll and
such, which might explain why its processes showed up.

~~~
chris_wot
Actually, the POSIX subsystem is part of the user mode portion of Windows.
It's classed as an environmental subsystem.

The portion of Windows that handles processes is in the kernel mode part of
Windows, and is part of its executive subsystem - I believe Microsoft call it
the process manager.

Windows just ran POSIX compliant programs in a POSIX environment, so the
process manager shouldn't have had any problems.

_Edit:_ I researched this years ago whilst studying for the MCP, and
documented it on Wikipedia [1] - I even drew a diagram in Word which has since
been converted to SVG :-) Since then someone else has written an article about
the POSIX subsystem of Windows and it notes:

"The runtime environment of the subsystem is provided by two files: psxss.exe
and psxdll.dll. A POSIX application uses psxdll.dll to communicate with the
subsystem while communicating with posix.exe to provide display capabilities
on the Windows desktop." [2]

1. [https://en.m.wikipedia.org/wiki/Architecture_of_Windows_NT](https://en.m.wikipedia.org/wiki/Architecture_of_Windows_NT)

2. [https://en.wikipedia.org/wiki/Microsoft_POSIX_subsystem](https://en.wikipedia.org/wiki/Microsoft_POSIX_subsystem)

------
igl
Clickbait.

~~~
dragontamer
100% agreed. It's really about Bash on Windows not showing processes in the
task manager.

There's no BTC goldmine here.

~~~
chris_wot
... because processes that run within Bash don't show in the task manager! So
you can run Linux processes and they don't show up in normal Windows
monitoring tools.

You don't think that's a problem or could be used to hide processes from the
average sysadmin? I do!

~~~
justinlardinois
It's a problem and could be used to hide processes from the average sysadmin,
but Bitcoin mining is not a likely use of this exploit.

~~~
chris_wot
Possibly, but bitcoin mining is the reason for a fair bit of malware on the
average PC/laptop.

~~~
igl
It's a beta release only available for insider subscribers. They also mention
this issue in a channel9 video and are very well aware of the issue.

~~~
chris_wot
That's not the point I was responding to though. The OP was saying that
bitcoin mining would be an unlikely motivation to exploit this, all I'm saying
is that a lot of Windows malware is written precisely to steal CPU cycles in
order to mine cryptocurrencies.

~~~
igl
It's a loose assumption based on a chain of unlikely events, not a distinct
outcome like the title suggests.

It's a ubuntu based subsystem. Apt-get probably uses their official repo and
you would have to get your malware into that first and then make some windows
beta-user install your new and unknown package.

------
koolba
Are bash processes entirely hidden from the task manager or just not shown by
default (i.e. similar to system services)?

------
chris_wot
There's an issue logged about this:

[https://github.com/Microsoft/BashOnWindows/issues/122](https://github.com/Microsoft/BashOnWindows/issues/122)

------
username3
Show processes from all users

Resource Monitor

Sysinternals Process Explorer

Run as administrator

------
bitslayer
Bash for Windows is still beta.

------
manojlds
I wonder what Process Explorer shows.
[https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx](https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx)

~~~
besselheim
It correctly displays those processes, as does the tasklist.exe command line
tool, and taskmgr.exe from earlier versions of Windows. Looks like this is
just a bug in the Windows 10 Task Manager.

~~~
ygra
Or maybe they forgot to show processes from all users.

~~~
besselheim
There appears to be no option that will make these processes appear, even if
you run the Task Manager as an administrator. It shows all the other processes
on the system, just not the ones running in the Linux subsystem.
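The practical takeaway from this sub-thread is that taskmgr.exe is only one
view of the process table and that tasklist.exe and Process Explorer list what
it omits. The following PowerShell is an added example, not code from the
article or from any commenter: it cross-checks two independent process
enumerations (the Win32 process API behind Get-Process and WMI/CIM
Win32_Process), flags PIDs reported by one but not the other, flags processes
with no on-disk image path, and lists the top CPU consumers, which is what a
user chasing fan noise actually wants. It assumes nothing about the Linux
subsystem itself; run it elevated, because Path is also empty for processes
your token cannot open.

```powershell
# Added example (not from the article or thread). Cross-check process listings
# instead of trusting the Task Manager UI. Run from an elevated PowerShell so
# that Path and CommandLine are readable for processes owned by other users.

# Enumeration 1: Win32 process API (same family of calls tasklist.exe uses).
$byApi = Get-Process | Select-Object Id, ProcessName, Path

# Enumeration 2: WMI/CIM, a separate code path, as a second opinion.
$byCim = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, Name, CommandLine

$apiIds = @($byApi | ForEach-Object { $_.Id })
$cimIds = @($byCim | ForEach-Object { $_.ProcessId })

# PIDs present in one enumeration but not the other deserve a closer look.
$onlyApi = $byApi | Where-Object { $cimIds -notcontains $_.Id }
$onlyCim = $byCim | Where-Object { $apiIds -notcontains $_.ProcessId }

# Ordinary Win32 executables carry an image path; PID 0 (Idle) and PID 4
# (System) never do, so exclude them to keep the list meaningful.
$noPath = $byApi | Where-Object { (-not $_.Path) -and $_.Id -notin 0, 4 }

# Top CPU consumers by accumulated processor time (seconds).
$topCpu = Get-Process |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 10 Id, ProcessName, CPU

Write-Host "== PIDs seen by Get-Process but not by Win32_Process =="
$onlyApi | Format-Table -AutoSize

Write-Host "== PIDs seen by Win32_Process but not by Get-Process =="
$onlyCim | Format-Table -AutoSize

Write-Host "== Processes with no image path (run elevated to reduce noise) =="
$noPath | Format-Table -AutoSize

Write-Host "== Top 10 by accumulated CPU time =="
$topCpu | Format-Table -AutoSize
```

The two enumerations are snapshots taken a few milliseconds apart, so a
short-lived process can legitimately appear in exactly one of them; rerun
before treating a difference as suspicious. For a one-off check without
PowerShell, `tasklist /v` from an elevated cmd prompt gives the same process
list the commenter above refers to.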

------
tgsovlerkhgsel
If my computer suddenly spins up the fans for no reason, I will check the task
manager. If it is showing 99% CPU without being able to attribute it, it's
_way_ more suspicious than if it attributed to e.g. the browser.

------
qjighap
Does this mean that the bash/root runs as Local System and not as admin (or
the current admin user)? I am guessing, but it seems like a likely way this
got missed.

------
Zekio
If I remember correctly, it should show up in the details tab. At least the
subsystem process that is.

~~~
Mojah
Just tested this (and updated the article): no, does not show up.

------
Nr7
The screenshots don't show the "Details" tab. Maybe the process can be seen
there?

~~~
Mojah
Hi! Author of the article here.

I've updated it, because that's a good remark: the list doesn't show the
process's name either.

------
mschuster91
Ew. Reminds me of the infamous Sony toolkit...

------
awinter-py
bash is for bitcoin and android is for pirates?

------
exelius
This is actually the fault of the new Task Manager in Windows 10. If you click
the "Details" tab, you should see all processes.

There are a lot of things that only show up in the "Details" tab. Any user who
needs to kill a process in Windows (which is 70% of Windows users) will
quickly learn that the "Details" tab is the only one that matters.

~~~
guidopallemans
Have you read the article? He accesses the Details tab and it's not there
either.

~~~
exelius
Actually he updated the article after I read it and commented (he replied to
another comment saying this). But if so, yeah, that's scary and hopefully
something that will be fixed before general release.

