Tech's Volkswagen moment? Trend Micro accused of cheating Microsoft driver QA by detecting test suite

AV maker denies allegation, says researcher is 'looking for attention'

Updated: Trend Micro is on the defensive after it was accused of engineering its software to cheat Microsoft's QA testing, branding the allegation "misleading."

Bill Demirkapi, an 18-year-old computer security student at the Rochester Institute of Technology in the US, told The Register on Tuesday he was researching methods for detecting rootkits when he came across Trend's Rootkit Buster for Windows PCs.

While reverse-engineering Trend's rootkit-hunting tool and its kernel-mode driver, which appears to be common among Trend products, Demirkapi found some shortcomings in the code, and publicly documented them. You need administrator access to exploit the holes he found, though that's beside the point: they are an easy way into the kernel for, ironically enough, rootkits and other malware that have gained admin access.

"Most of the security concerns I have with Trend Micro's driver were shocking because most of them were not mistakes," said Demirkapi, who has presented at hacking super-conference DEF CON and is due to discuss Windows rootkits at Black Hat USA 2020.

"Trend Micro simply designed the driver to provide a significant amount of functionality to privileged callers in user-mode, allowing attackers to misuse the driver in several ways. The problem is that Trend Micro's driver is insecure by design, making it a perfect candidate for abuse by malicious actors around the world."

Crucially, a function named IsVerifierCodeCheckFlagOn() in the kernel-level driver code caught Demirkapi's eye. Digging in further, he said he made a startling discovery. IsVerifierCodeCheckFlagOn() appears to detect whether or not a specific Microsoft test suite – the driver verifier – is running on the computer, by querying the registry key VerifyDriverLevel.

This test suite is designed to ensure drivers meet Microsoft's Windows Hardware Quality Labs (WHQL) requirements. If a driver meets this standard, it can be digitally signed by Microsoft, is trusted by Windows, and potentially can be distributed via Windows Update and similar mechanisms.

Demirkapi believes Trend's kernel driver is cheating on Microsoft's WHQL driver verification test: if the driver detects it is installed on a computer running the test, it alters its behavior to pass the examination, whereas outside the test, it would fail to meet Microsoft's quality standards.

So, what is the driver allegedly covering up? To pass Microsoft's tests, the software should, as a security precaution, allocate its memory from the operating system's no-execute non-paged pool, aka NonPagedPoolNx. This is memory marked as non-executable for the system's CPU cores. That means even if miscreants or malware manage to stash malicious code in this memory, by exploiting a security hole, they can't just jump to these instructions and run them.

Microsoft's tests ensure a driver uses this non-executable memory. When Trend's driver is running on a computer under test, it is claimed, the software requests memory from the no-execute non-paged pool as expected; when the test isn't running, it requests memory from the executable non-paged pool, which would fail Microsoft's tests.
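To make the NonPagedPool versus NonPagedPoolNx distinction concrete, the following is an added example written for this page; it is not code from Trend Micro, Microsoft, or Demirkapi's write-up. It is a user-mode model: the POOL_TYPE values are the real wdm.h constants, but ExAllocatePoolWithTag here is a stand-in that records each request and returns heap memory, and the audit rule is a simplified form of the check Driver Verifier enforces on Windows 10. The pool tag and the two allocation helpers are constructed for illustration.

```c
/*
 * Added example (not Trend Micro's or Microsoft's code): a user-mode model of
 * the rule Driver Verifier enforces on Windows 10, that a driver must not
 * allocate executable non-paged pool. POOL_TYPE values are the real WDK
 * constants; ExAllocatePoolWithTag is a stand-in that records the request.
 * Build: cc -std=c11 -o poolcheck poolcheck.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Real wdm.h POOL_TYPE values for the members used here. */
typedef enum _POOL_TYPE {
    NonPagedPool        = 0,     /* executable non-paged pool (legacy name)   */
    NonPagedPoolExecute = 0,     /* explicit alias for the same pool type    */
    PagedPool           = 1,     /* bit 0 set marks the paged pool variants  */
    NonPagedPoolNx      = 512,   /* no-execute non-paged pool (0x200)        */
} POOL_TYPE;

typedef uint32_t ULONG;
typedef size_t   SIZE_T;
typedef void    *PVOID;

/* Audit log of allocation requests, standing in for the verifier's hooks. */
typedef struct { POOL_TYPE type; ULONG tag; SIZE_T bytes; } PoolRequest;
#define MAX_REQUESTS 16
static PoolRequest g_requests[MAX_REQUESTS];
static int g_request_count;

/* Stand-in for the kernel API: same signature as the WDK routine, but it
 * records the request and hands back heap memory so this runs in user mode. */
static PVOID ExAllocatePoolWithTag(POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag)
{
    if (g_request_count < MAX_REQUESTS)
        g_requests[g_request_count++] = (PoolRequest){ PoolType, Tag, NumberOfBytes };
    return malloc(NumberOfBytes);
}

/* Verifier-style rule: a non-paged request without the Nx bit asks for
 * executable memory. Paged pool (bit 0 set) is never executable. */
static int PoolTypeIsExecutable(POOL_TYPE type)
{
    return (type & PagedPool) == 0 && (type & NonPagedPoolNx) == 0;
}

#define TAG_SCRATCH 0x74736554u  /* 'Test': constructed tag for the example */

/* Weak form: the allocation the article says the driver makes outside the test. */
static PVOID AllocateScratchLegacy(SIZE_T bytes)
{
    return ExAllocatePoolWithTag(NonPagedPool, bytes, TAG_SCRATCH);
}

/* Hardened form: always request no-execute pool, whatever the environment. */
static PVOID AllocateScratchHardened(SIZE_T bytes)
{
    return ExAllocatePoolWithTag(NonPagedPoolNx, bytes, TAG_SCRATCH);
}

/* Replays the audit log and counts violations, as Driver Verifier would flag them. */
static int CountExecutablePoolRequests(void)
{
    int violations = 0;
    for (int i = 0; i < g_request_count; i++)
        if (PoolTypeIsExecutable(g_requests[i].type))
            violations++;
    return violations;
}

static void ResetAudit(void) { g_request_count = 0; }

int main(void)
{
    ResetAudit();
    free(AllocateScratchLegacy(64));
    free(AllocateScratchHardened(64));
    printf("executable-pool requests: %d of %d\n",
           CountExecutablePoolRequests(), g_request_count);
    return 0;
}
```

In a real driver the fix is the hardened call above, or opting the whole driver in by defining POOL_NX_OPTIN before including the WDK headers and calling ExInitializeDriverRuntime(DrvRtPoolNxOptIn) in DriverEntry, which remaps NonPagedPool to NonPagedPoolNx; on Windows 10 version 2004 and later, ExAllocatePool2 with POOL_FLAG_NON_PAGED returns no-execute memory by default. The point the audit makes is that the rule is only useful when the allocation path is the same on and off the test machine.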

"Passing [Microsoft's] driver verifier has been a long-time requirement of obtaining WHQL certification," Demirkapi noted on his website.

"On Windows 10, the driver verifier enforces that drivers do not allocate executable memory. Instead of complying with this requirement designed to secure Windows users, Trend Micro decided to ignore their user’s security and designed their driver to cheat any testing or debugging environment which would catch such violations.

"Honestly, I’m dumbfounded. I don’t understand why Trend Micro would go out of their way to cheat in these tests ... The only working theory I have is that for some reason most of their driver is not compatible with NonPagedPoolNx, and that only their entry point is compatible, otherwise there really isn’t a point."

Demirkapi went on:

I reverse a lot of drivers, and you do typically see some pretty dumb stuff, but I was shocked ... Most of the driver feels like proof-of-concept garbage that is held together by duck tape.

Although Trend Micro has taken basic precautionary measures, such as restricting who can talk to their driver, a significant amount of the code inside of the IOCTL handlers includes very risky direct kernel object manipulation.

In response, Trend Micro criticized Demirkapi's decision to disclose his findings publicly rather than privately, and attempted to downplay the research. It also denied it was circumventing Microsoft's tests.

"We believe this allegation is misleading," a spokesperson for the antivirus maker told The Register.

"The researcher did not inform us whereas standard and effective reporting for the industry would have required that he contact us first. Given this approach, one might assume the researcher is looking for attention over resolution.

"We are working closely in partnership with the Microsoft security driver team, and at no time was the Trend Micro team avoiding certification requirements."

When pressed for an explanation as to why the driver was behaving in the manner described by the undergraduate, Trend had nothing more to offer. Demirkapi, meanwhile, said he can think of no reason for the inclusion of the IsVerifierCodeCheckFlagOn() code, aside from evading the driver security test.

Microsoft said it is aware of the issue, and is "working closely with Trend Micro to investigate these claims."

Those of you with a good memory will remember way, way back to October when Trend's antivirus tools, during file scans, automatically ran malware if its filename was cmd.exe or regedit.exe. ®

Updated to add

Trend has pulled its Rootkit Buster downloads from its website, and its driver has been blocked on Windows 10 20H1. Trend Micro denies any wrongdoing.
