Researcher Contends Trend Micro's RootkitBuster BustedTrend Micro Says It's Working With Microsoft to Revamp Driver
Last week, security researcher Bill Demirkapi said that Trend Micro used a trick to get one of its drivers to pass Microsoft's approval process.
In a blog post, Demirkapi outlined his meticulous research into the driver, which is part of Trend Micro's RootkitBuster product, The Register first reported. He contended Trend Micro designed the driver to avoid failing Microsoft's Windows Hardware Quality Labs certification test.
We'll eventually find out if Demirkapi's findings, in fact, influenced Trend Micro's decision to withdraw and perhaps change how the driver works. Once RootkitBuster is updated, it will be possible for Demirkapi to take a look at the driver and see if the company has removed the check for the Driver Verifier.
Under the WHQL process, drivers are vetted and then signed off on by Microsoft and subsequently trusted by Windows.
Demirkapi said the driver in its unsafe state could ironically be exploited to install a rootkit, which is exactly what Trend Micro's product is designed to avoid. An attacker would have to already have admin access to a machine, but Demirkapi claimed to show how easy it would be to slip a rootkit onto the machine.
Trend Micro called the accusation "misleading" and characterized Demirkapi as a researcher seeking attention, according to The Register.
But one week on, it appears that the RootkitBuster from 2018 isn't going to work on the forthcoming version of Windows, which will be version 20H1/2004/19041.264. So what's happening? It's fuzzy.
Suspicious Driver Behavior
Demirkapi, 18, is a freshman at the Rochester Institute of Technology of New York. He's a wunderkind security researcher whose technical acumen is complemented by the clarity and detail in his writing (see: Researcher Finds Flaws in HP's Software Assistant Tool).
His research focused on RootkitBuster's "tmcomm" driver. The behavior of the driver is odd, Demirkapi contended. It appears to only use secure memory allocations if it believes it Microsoft's Driver Verifier is running.
On Windows 10, Microsoft's Driver Verifier bans drivers from accessing executable memory, or spots where unauthorized code could potentially run, Demirkapi wrote. It should only run in NonPagedPoolNx, short for No-Execute Nonpage Pool. But Trend Micro's driver appears to use executable memory when it believes Microsoft isn't watching, Demirkapi wrote.
It's not clear why the driver is designed this way, he said. "The only working theory I have is that for some reason most of their driver is not compatible with NonPagedPoolNx and that only their entry point is compatible, otherwise there really isn't a point," he wrote.
Demirkapi didn't notify Trend Micro before going public with his findings, but he has a solid rationale for that. It's not a security issue per se because Trend Micro requires administrator access for any communication with the driver, he said. And Microsoft doesn't consider having admin-to-kernel privileges a security boundary, he said. But he did notify Microsoft.
"Weeks before I published my research, I reached out to Microsoft Security to report that Trend Micro was cheating their WHQL certification standard," he wrote.
It appears that RootkitBuster now won't work on the upcoming version of Windows. Security researcher and Windows Internals expert Alex Ionescu tweeted that he tried to replicate Demirkapi's test and found that it doesn't work in the upcoming Windows release.
The plot thickens. Last week, @TrendMicro attacked me directly calling me an attention seeker and strongly denied my research that exposed them cheating @Microsoft's WHQL certification. Now, they're getting what they deserve. Thank you @msftsecurity. https://t.co/EKQuOiBIRm— Bill Demirkapi (@BillDemirkapi) May 27, 2020
Trend Micro: Working With Microsoft
Microsoft says it didn't force the driver to stop working, but rather Trend Micro withdrew it. In a statement, Trend Micro indicated the behavior uncovered by Ionescu was not unexpected and is unrelated to Demirkapi's findings.
"Per existing Microsoft processes, before major Windows update releases (the next one is the May Windows 10 release), vendors are able to request to proactively block an update in order to prevent compatibility issues with major releases," Trend Micro says. "We continue to work closely with Microsoft and Trend Micro's request for this proactive block was made for issues found in internal compatibility testing before the next major Windows 10 update and is completely unrelated to the original."
So Microsoft and Trend Micro are on the same page, apparently, and Demirpaki's findings didn't have anything to do with it - or so the two companies say. It certainly isn't uncommon for two large tech companies to be reluctant to cross each other in public. And arguably a tangle of this kind is of interest to a small, highly technical audience.
Trend Micro already mildly disparaged Demirkapi publicly, so it's probably not eager to get drawn in further, especially given his reputation. Demirkapi is due to give a presentation at Black Hat 2020 titled Demystifying Modern Windows Rootkits.
We'll eventually find out if Demirkapi's findings did, in fact, influence Trend Micro's decision to withdraw and perhaps change how the driver works. Once RootkitBuster is updated, it will be possible for Demirkapi to take a look at the driver and see if the company has removed the check for the Driver Verifier. If it has, it validates Demirkapi's concerns and aligns with Microsoft's intent in setting boundaries for drivers. And there's no arguing with that.