Microsoft has blocked a free antivirus tool developed by Trend Micro after the security firm was accused of designing its driver to “cheat” hardware tests through coding trickery.
After reverse-engineering the ‘tmcomm’ driver, which sits at the heart of Trend Micro’s Rootkit Buster software, security researchers have blasted several aspects of the code. Not only were they able to run exploits, but they also ascertained how the software can circumvent hardware certification tests.
Microsoft’s has, by consequence, banned the Rootkit Buster from Windows 10, with researchers Bill Demirkapi and Alex Ionescu confirming the software can’t load on the latest version of Windows 10, dubbed 20H1. Trend Micro has also removed download links to the software from its website.
Rootkit Buster is a free tool released in 2018 that hunts down rootkits designed to evade detection by scanning hidden files, registry entries, processes, drives and the master boot record. The software also examines kernel code patches, operating system service hooks, file streams, ports, and services to identify and remove malicious rootkits.
The code at the heart of Rootkit Buster is not just “really, really bad”, however, but allocates memory in such a way that it only uses secure memory if it knows it's being watched by Microsoft’s Driver Verifier, according to research published by Demirkapi.
WHQL, of which Driver Verifier is a key component, is a procedure for certifying that hardware for peripherals and other components is compatible and works as expected with Windows operating systems. In passing the test, a driver is digitally verified and can even be potentially distributed through Windows Update.
The software performs checks for Driver Verifier, and can thus adapt to behave differently on systems running the examination. Therefore, the driver at the heart of Rootkit Buster can "cheat" these hardware examinations and gain WHQL certification.
To pass the test, any software must use memory from the operating system's no-execute non-paged pool, as a precaution. This is non-executable for the CPU, meaning if hackers manage to hide malicious code in the memory, by exploiting a security lapse in the code, for instance, then it’s extremely difficult to run.
Driver Verifier tests for whether drivers use non-executable memory in this way. When tmcomm runs on a machine with the test in play, it demands memory from the no-execute non-paged pool, as expected. When the test isn’t running, however, it requests memory from the executable non-paged pool. This would fail the WHQL standard.
“Passing Driver Verifier has been a long-time requirement of obtaining WHQL certification,” Demirkapi said in his research.
“On Windows 10, Driver Verifier enforces that drivers do not allocate executable memory. Instead of complying with this requirement designed to secure Windows users, Trend Micro decided to ignore their user’s security and designed their driver to cheat any testing or debugging environment which would catch such violations.
“Honestly, I’m dumbfounded. I don’t understand why Trend Micro would go out of their way to cheat in these tests. Trend Micro could have just left the Windows 10 check, why would you even bother creating an explicit check for Driver Verifier?”
Trend Micro previously faced the ire of Apple in 2018 after Malwarebytes researchers spotted that six apps were needlessly exfiltrating data to a server in China. Trend Micro flatly denied the charges it was stealing user data.
IT Pro approached Trend Micro and Microsoft for a statement.
