Tech's Volkswagen moment? Trend Micro accused of cheating Microsoft driver QA by detecting test suite

AV maker denies allegation, says researcher is 'looking for attention'

Updated Trend Micro is on the defensive after it was accused of engineering its software to cheat Microsoft's QA testing, branding the allegation "misleading."

Bill Demirkapi, an 18-year-old computer security student at the Rochester Institute of Technology in the US, told The Register on Tuesday he was researching methods for detecting rootkits when he came across Trend's Rootkit Buster for Windows PCs.

While reverse-engineering Trend's rootkit-hunting tool and its kernel-mode driver, which appears to be common among Trend products, Demirkapi found some shortcomings in the code, and publicly documented them. You need administrator access to exploit the holes he found, though that's beside the point: they are an easy way into the kernel for, ironically enough, rootkits and other malware that have gained admin access.

"Most of the security concerns I have with Trend Micro's driver were shocking because most of them were not mistakes," said Demirkapi, who has presented at hacking super-conference DEF CON and is due to discuss Windows rootkits at Black Hat USA 2020.

"Trend Micro simply designed the driver to provide a significant amount of functionality to privileged callers in user-mode, allowing attackers to misuse the driver in several ways. The problem is that Trend Micro's driver is insecure by design, making it a perfect candidate for abuse by malicious actors around the world."

Crucially, a function named IsVerifierCodeCheckFlagOn() in the kernel-level driver code caught Demirkapi's eye. Digging in further, he said he made a startling discovery. IsVerifierCodeCheckFlagOn() appears to detect whether or not a specific Microsoft test suite – the driver verifier – is running on the computer, by querying the registry key VerifyDriverLevel.

This test suite is designed to ensure drivers meet Microsoft's Windows Hardware Quality Labs (WHQL) requirements. If a driver meets this standard, it can be digitally signed by Microsoft, is trusted by Windows, and potentially can be distributed via Windows Update and similar mechanisms.

Volkswagen Beetle

11 MILLION VW cars used Dieselgate cheatware – what the clutch, Volkswagen?


Demirkapi believes Trend's kernel driver is cheating on Microsoft's WHQL driver verification test: if the driver detects it is installed on a computer running the test, it alters its behavior to pass the examination, whereas outside the test, it would fail to meet Microsoft's quality standards.

So, what is the driver allegedly covering up? To pass Microsoft's tests, the software should, as a security precaution, allocate its memory from the operating system's no-execute non-paged pool, aka NonPagedPoolNx. This is memory marked as non-executable for the system's CPU cores. That means even if miscreants or malware manage to stash malicious code in this memory, by exploiting a security hole, they can't just jump to these instructions and run them.

Microsoft's tests ensure a driver uses this non-executable memory. When Trend's driver is running on a computer under test, it is claimed, the software requests memory from the no-execute non-paged pool as expected; when the test isn't running, it requests memory from the executable non-paged pool, which would fail Microsoft's tests.

"Passing [Microsoft's] driver verifier has been a long-time requirement of obtaining WHQL certification," Demirkapi noted on his website.

"On Windows 10, the driver verifier enforces that drivers do not allocate executable memory. Instead of complying with this requirement designed to secure Windows users, Trend Micro decided to ignore their user’s security and designed their driver to cheat any testing or debugging environment which would catch such violations.

"Honestly, I’m dumbfounded. I don’t understand why Trend Micro would go out of their way to cheat in these tests ... The only working theory I have is that for some reason most of their driver is not compatible with NonPagedPoolNx, and that only their entry point is compatible, otherwise there really isn’t a point."

Demirkapi went on:

I reverse a lot of drivers, and you do typically see some pretty dumb stuff, but I was shocked ... Most of the driver feels like proof-of-concept garbage that is held together by duck tape.

Although Trend Micro has taken basic precautionary measures, such as restricting who can talk to their driver, a significant amount of the code inside of the IOCTL handlers includes very risky direct kernel object manipulation.

In response, Trend Micro criticized Demirkapi's decision to disclose his findings publicly rather than privately, and attempted to downplay the research. It also denied it was circumventing Microsoft's tests.

"We believe this allegation is misleading," a spokesperson for the antivirus maker told The Register.

"The researcher did not inform us whereas standard and effective reporting for the industry would have required that he contact us first. Given this approach, one might assume the researcher is looking for attention over resolution.

We believe this allegation is misleading

"We are working closely in partnership with the Microsoft security driver team, and at no time was the Trend Micro team avoiding certification requirements.”

When pressed for an explanation as to why the driver was behaving in the manner described by the undergraduate, Trend had nothing more to offer. Demirkapi, meanwhile, said he can think of no reason for the inclusion of the IsVerifierCodeCheckFlagOn() code, aside from evading the driver security test.

Microsoft said it is aware of the issue, and is "working closely with Trend Micro to investigate these claims."

Those of you with a good memory will remember way, way back to October when Trend's antivirus tools, during file scans, automatically ran malware if its filename was cmd.exe or regedit.exe. ®

Updated to add

Trend has pulled its Rootkit Buster downloads from its website, and its driver has been blocked on Windows 10 20H1. Trend Micro denies any wrongdoing.

Similar topics

Other stories you might like

  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading
  • Utility biz Delta-Montrose Electric Association loses billing capability and two decades of records after cyber attack

    All together now - R, A, N, S, O...

    A US utility company based in Colorado was hit by a ransomware attack in November that wiped out two decades' worth of records and knocked out billing systems that won't be restored until next week at the earliest.

    The attack was detailed by the Delta-Montrose Electric Association (DMEA) in a post on its website explaining that current customers won't be penalised for being unable to pay their bills because of the incident.

    "We are a victim of a malicious cyber security attack. In the middle of an investigation, that is as far as I’m willing to go," DMEA chief exec Alyssa Clemsen Roberts told a public board meeting, as reported by a local paper.

    Continue reading

Biting the hand that feeds IT © 1998–2021