Tech's Volkswagen moment? Trend Micro accused of cheating Microsoft driver QA by detecting test suite
AV maker denies allegation, says researcher is 'looking for attention'
Updated Trend Micro is on the defensive after it was accused of engineering its software to cheat Microsoft's QA testing, branding the allegation "misleading."
Bill Demirkapi, an 18-year-old computer security student at the Rochester Institute of Technology in the US, told The Register on Tuesday he was researching methods for detecting rootkits when he came across Trend's Rootkit Buster for Windows PCs.
While reverse-engineering Trend's rootkit-hunting tool and its kernel-mode driver, which appears to be common among Trend products, Demirkapi found some shortcomings in the code, and publicly documented them. You need administrator access to exploit the holes he found, though that's beside the point: they are an easy way into the kernel for, ironically enough, rootkits and other malware that have gained admin access.
"Most of the security concerns I have with Trend Micro's driver were shocking because most of them were not mistakes," said Demirkapi, who has presented at hacking super-conference DEF CON and is due to discuss Windows rootkits at Black Hat USA 2020.
"Trend Micro simply designed the driver to provide a significant amount of functionality to privileged callers in user-mode, allowing attackers to misuse the driver in several ways. The problem is that Trend Micro's driver is insecure by design, making it a perfect candidate for abuse by malicious actors around the world."
Crucially, a function named
IsVerifierCodeCheckFlagOn() in the kernel-level driver code caught Demirkapi's eye. Digging in further, he said he made a startling discovery.
IsVerifierCodeCheckFlagOn() appears to detect whether or not a specific Microsoft test suite – the driver verifier – is running on the computer, by querying the registry key
This test suite is designed to ensure drivers meet Microsoft's Windows Hardware Quality Labs (WHQL) requirements. If a driver meets this standard, it can be digitally signed by Microsoft, is trusted by Windows, and potentially can be distributed via Windows Update and similar mechanisms.
11 MILLION VW cars used Dieselgate cheatware – what the clutch, Volkswagen?READ MORE
Demirkapi believes Trend's kernel driver is cheating on Microsoft's WHQL driver verification test: if the driver detects it is installed on a computer running the test, it alters its behavior to pass the examination, whereas outside the test, it would fail to meet Microsoft's quality standards.
So, what is the driver allegedly covering up? To pass Microsoft's tests, the software should, as a security precaution, allocate its memory from the operating system's no-execute non-paged pool, aka NonPagedPoolNx. This is memory marked as non-executable for the system's CPU cores. That means even if miscreants or malware manage to stash malicious code in this memory, by exploiting a security hole, they can't just jump to these instructions and run them.
Microsoft's tests ensure a driver uses this non-executable memory. When Trend's driver is running on a computer under test, it is claimed, the software requests memory from the no-execute non-paged pool as expected; when the test isn't running, it requests memory from the executable non-paged pool, which would fail Microsoft's tests.
"Passing [Microsoft's] driver verifier has been a long-time requirement of obtaining WHQL certification," Demirkapi noted on his website.
"On Windows 10, the driver verifier enforces that drivers do not allocate executable memory. Instead of complying with this requirement designed to secure Windows users, Trend Micro decided to ignore their user’s security and designed their driver to cheat any testing or debugging environment which would catch such violations.
"Honestly, I’m dumbfounded. I don’t understand why Trend Micro would go out of their way to cheat in these tests ... The only working theory I have is that for some reason most of their driver is not compatible with NonPagedPoolNx, and that only their entry point is compatible, otherwise there really isn’t a point."
Demirkapi went on:
I reverse a lot of drivers, and you do typically see some pretty dumb stuff, but I was shocked ... Most of the driver feels like proof-of-concept garbage that is held together by duck tape.
Although Trend Micro has taken basic precautionary measures, such as restricting who can talk to their driver, a significant amount of the code inside of the IOCTL handlers includes very risky direct kernel object manipulation.
In response, Trend Micro criticized Demirkapi's decision to disclose his findings publicly rather than privately, and attempted to downplay the research. It also denied it was circumventing Microsoft's tests.
"We believe this allegation is misleading," a spokesperson for the antivirus maker told The Register.
"The researcher did not inform us whereas standard and effective reporting for the industry would have required that he contact us first. Given this approach, one might assume the researcher is looking for attention over resolution.
We believe this allegation is misleading
"We are working closely in partnership with the Microsoft security driver team, and at no time was the Trend Micro team avoiding certification requirements.”
When pressed for an explanation as to why the driver was behaving in the manner described by the undergraduate, Trend had nothing more to offer. Demirkapi, meanwhile, said he can think of no reason for the inclusion of the
IsVerifierCodeCheckFlagOn() code, aside from evading the driver security test.
Microsoft said it is aware of the issue, and is "working closely with Trend Micro to investigate these claims."
Those of you with a good memory will remember way, way back to October when Trend's antivirus tools, during file scans, automatically ran malware if its filename was
Updated to add
Trend has pulled its Rootkit Buster downloads from its website, and its driver has been blocked on Windows 10 20H1. Trend Micro denies any wrongdoing.