Tech’s Volkswagen moment? Trend Micro accused of cheating Microsoft driver QA by detecting test suite

Trend Micro is on the defensive after it was accused of engineering its software to cheat Microsoft’s QA testing, branding the allegation “misleading.”

Bill Demirkapi, an 18-year-old computer security student at the Rochester Institute of Technology in the US, told The Register on Tuesday he was researching methods for detecting rootkits when he came across Trend’s Rootkit Buster for Windows PCs.

While reverse-engineering Trend’s rootkit-hunting tool and its kernel-mode driver, which appears to be common among Trend products, Demirkapi found some shortcomings in the code, and publicly documented them. You need administrator access to exploit the holes he found, though that’s beside the point: they are an easy way into the kernel for, ironically enough, rootkits and other malware that have gained admin access.

“Most of the security concerns I have with Trend Micro’s driver were shocking because most of them were not mistakes,” said Demirkapi, who has presented at hacking super-conference DEF CON and is due to discuss Windows rootkits at Black Hat USA 2020.

“Trend Micro simply designed the driver to provide a significant amount of functionality to privileged callers in user-mode, allowing attackers to misuse the driver in several ways. The problem is that Trend Micro’s driver is insecure by design, making it a perfect candidate for abuse by malicious actors around the world.”

Crucially, a function named MysteriousCheck() in the kernel-level driver code caught Demirkapi’s eye. Digging in further, he said he made a startling discovery. MysteriousCheck() appears to detect whether or not a specific Microsoft test suite – the driver verifier – is running on the computer.

This test suite is designed to ensure drivers meet Microsoft’s Windows Hardware Quality Labs (WHQL) requirements. If a driver meets this standard, it can be digitally signed by Microsoft, is trusted by Windows, and potentially can be distributed via Windows Update and similar mechanisms.

Demirkapi believes Trend’s kernel driver is cheating on Microsoft’s WHQL driver verification test: if the driver detects it is installed on a computer running the test, it alters its behavior to pass the examination, whereas outside the test, it would fail to meet Microsoft’s quality standards.

So, what is the driver allegedly covering up? To pass Microsoft’s tests, the software should, as a security precaution, allocate its memory from the operating system’s no-execute non-paged pool, aka NonPagedPoolNx. This is memory marked as non-executable for the system’s CPU cores. That means even if miscreants or malware manage to stash malicious code in this memory, by exploiting a security hole, they can’t just jump to these instructions and run them.

Microsoft’s tests ensure a driver uses this non-executable memory. When Trend’s driver is running on a computer under test, it is claimed, the software alters its operations to use the no-execute non-paged pool as expected; when the test isn’t running, it allocates memory from the executable non-paged pool, which can be exploited and would fail Microsoft’s tests. One reason for using executable dynamically allocated memory is to run code decompressed, decrypted, or otherwise generated or loaded on the fly; this is dangerous for kernel-level software.
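As an added illustration (not taken from Demirkapi's write-up or from Trend Micro's code), the Python sketch below audits driver C source for the allocation pattern described above: it flags pool allocations that name the executable non-paged pool, and those whose pool type is a run-time variable rather than a constant. The sample source, `g_PoolType` and the pool tags are constructed; the check is line-based and assumes the driver is built without `POOL_NX_OPTIN`.

```python
import re

# Kernel pool allocators whose first argument is a POOL_TYPE (WDK routines).
ALLOCATORS = ("ExAllocatePoolWithTag", "ExAllocatePoolWithQuotaTag",
              "ExAllocatePoolWithTagPriority", "ExAllocatePool")
CALL_RE = re.compile(r"\b(%s)\s*\(\s*([^,()]+?)\s*," % "|".join(ALLOCATORS))

# Assumption: no POOL_NX_OPTIN, which would remap NonPagedPool to the NX pool.
EXECUTABLE = {"NonPagedPool", "NonPagedPoolExecute"}   # executable non-paged pool
KNOWN = EXECUTABLE | {"NonPagedPoolNx", "PagedPool"}   # constants this sketch knows


def audit_pool_types(source):
    """Return (line_no, allocator, pool_arg, verdict) for each allocation call."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]            # ignore trailing line comments
        for match in CALL_RE.finditer(code):
            allocator, pool_arg = match.group(1), match.group(2)
            if pool_arg in EXECUTABLE:
                verdict = "executable-pool"
            elif pool_arg in KNOWN:
                verdict = "ok"
            else:
                # Not a known constant: the pool type is decided at run time,
                # so tested and shipped behaviour can differ. Review by hand.
                verdict = "runtime-selected"
            findings.append((line_no, allocator, pool_arg, verdict))
    return findings


# Constructed driver excerpt; g_PoolType and the tags are hypothetical names.
SAMPLE = """\
POOL_TYPE g_PoolType = NonPagedPool;
buf = ExAllocatePoolWithTag(NonPagedPoolNx, len, 'AgaT');   // fine
ctx = ExAllocatePoolWithTag(NonPagedPool, sizeof(*ctx), 'BgaT');
tmp = ExAllocatePoolWithTag(g_PoolType, 0x100, 'CgaT');
str = ExAllocatePoolWithTag(PagedPool, n, 'DgaT');
"""

if __name__ == "__main__":
    for finding in audit_pool_types(SAMPLE):
        print("line %d: %s(%s, ...) -> %s" % finding)
```

A "runtime-selected" result is not a defect by itself; it marks the allocations where a reviewer has to trace how the pool-type variable is set.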

“Passing [Microsoft’s] driver verifier has been a long-time requirement of obtaining WHQL certification,” Demirkapi noted on his website.

“On Windows 10, the driver verifier enforces that drivers do not allocate executable memory. Instead of complying with this requirement designed to secure Windows users, Trend Micro decided to ignore their user’s security and designed their driver to cheat any testing or debugging environment which would catch such violations.

“Honestly, I’m dumbfounded. I don’t understand why Trend Micro would go out of their way to cheat in these tests … The only working theory I have is that for some reason most of their driver is not compatible with NonPagedPoolNx, and that only their entry point is compatible, otherwise there really isn’t a point.”

Demirkapi went on:

In response, Trend Micro criticized Demirkapi’s decision to disclose his findings publicly rather than privately, and attempted to downplay the research. It also denied it was circumventing Microsoft’s tests.

“We believe this allegation is misleading,” a spokesperson for the antivirus maker told The Register.

“The researcher did not inform us whereas standard and effective reporting for the industry would have required that he contact us first. Given this approach, one might assume the researcher is looking for attention over resolution.

“We are working closely in partnership with the Microsoft security driver team, and at no time was the Trend Micro team avoiding certification requirements.”

When pressed for an explanation as to why the driver was behaving in the manner described by the undergraduate, Trend had nothing more to offer. Demirkapi, meanwhile, said he can think of no reason for the inclusion of the MysteriousCheck() code, aside from evading the driver security test.

Microsoft said it is aware of the issue, and is “working closely with Trend Micro to investigate these claims.”

Those of you with a good memory will remember way, way back to October when Trend’s antivirus tools, during file scans, automatically ran malware if its filename was cmd.exe or regedit.exe. ®
