ATTK of the Pwns: Trend Micro's antivirus tools 'will run malware – if its filename is cmd.exe'

A flaw in the Trend Micro Anti-Threat Toolkit can be exploited by hackers to run malware on victims' Windows computers. Bug-hunter John "hyp3rlinx" Page took credit for uncovering CVE-2019-9491, an arbitrary code execution flaw in the security tool. In short, the Trend software can be tricked into executing any old piece of …

  1. Hans 1
    FAIL

    So they will run any cmd.exe / regedit.exe if the file is in the same folder ... not good, should not be hard to fix, right? Where is the patch?

    1. Pascal Monett Silver badge

      And those are known system files, with known sizes and locations. Why does an anti-virus program, of all things, find it normal to run either of those files without checking their size and location?

      1. Doctor Syntax Silver badge

        But can Trend trust known sizes and locations after the next Windows update?

        1. Michael Wojcik Silver badge

          Locations, probably yes. Those haven't changed since NT4, as far as I remember.

          Checking the size is pointless. If an attacker has overwritten the files in their canonical locations, it's already Game Over. The attacker has scope to cause all sorts of damage.

          What Trend should do is check the signature, except cmd.exe and regedit.exe aren't signed, just like most of the software Microsoft ships. I have no idea why not; they promote Authenticode to VARs and provide (admittedly clumsy) tooling for it. There have been problems in the past with expiring signatures, but Authenticode has supported timestamping for years. And some MS binaries are signed - like the debuggers in the Debugging Tools for Windows package.

          Or, better, anti-malware software shouldn't execute cmd.exe and regedit.exe. Why the hell does it do either of those things? Looks like injection vulnerabilities just waiting to be found.

    2. Roland6 Silver badge

      From the YouTube video, it would seem the cmd.exe could be anywhere; in the video it was being run from the user's desktop. So it does seem strange that Trend was only using filename and not file pathname and signature/hash.
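The base-name-only check the thread objects to, beside a resolved-path-plus-digest check of the kind Pascal Monett, Michael Wojcik and Roland6 are asking for, as an added Python example: this is not code from Trend Micro, from the article or from any commenter. It builds a constructed temporary directory standing in for a Windows install (a genuine helper under Windows\System32 and an impostor of the same name on a user's desktop), so it runs offline on any OS; the file contents and the pinned digest are constructed placeholders, not real cmd.exe bytes.

```python
import hashlib
import hmac
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are not slurped."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def weak_is_trusted_helper(candidate, expected_name):
    """The flawed check the article describes: only the base name is compared,
    so any file called cmd.exe passes, wherever it lives and whatever it contains."""
    return os.path.basename(str(candidate)).lower() == expected_name.lower()


def strict_is_trusted_helper(candidate, expected_name, trusted_dir, pinned_hashes):
    """Hardened check. The candidate must (1) exist, with symlinks followed,
    (2) keep the expected name, (3) resolve to a location inside trusted_dir and
    (4) hash to the digest pinned for that helper. Returns the resolved Path on
    success and None on any failure, so the caller has nothing to run otherwise."""
    try:
        resolved = Path(candidate).resolve(strict=True)
    except (OSError, RuntimeError):          # missing file or symlink loop
        return None
    if os.path.normcase(resolved.name) != os.path.normcase(expected_name):
        return None
    trusted = os.path.normcase(str(Path(trusted_dir).resolve()))
    # Component-wise containment: "System32-evil/cmd.exe" is not under
    # "System32", although a plain string-prefix test would say it is.
    try:
        if os.path.commonpath([os.path.normcase(str(resolved)), trusted]) != trusted:
            return None
    except ValueError:                       # different drives / mixed path kinds
        return None
    expected = pinned_hashes.get(expected_name.lower())
    if expected is None or not hmac.compare_digest(sha256_file(resolved), expected):
        return None
    return resolved


def build_fixture():
    """Constructed layout standing in for a Windows install: a genuine helper under
    Windows\\System32 and an impostor of the same name on a user's desktop, the
    case Roland6 describes. File contents are placeholders, not real binaries."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "Windows" / "System32"
    desktop = root / "Users" / "victim" / "Desktop"
    system32.mkdir(parents=True)
    desktop.mkdir(parents=True)
    genuine = system32 / "cmd.exe"
    impostor = desktop / "cmd.exe"
    genuine.write_bytes(b"constructed stand-in for the real cmd.exe\n")
    impostor.write_bytes(b"constructed stand-in for a renamed payload\n")
    return root, system32, genuine, impostor


def demo():
    """Run both checks over the fixture and return the outcomes as a dict."""
    root, system32, genuine, impostor = build_fixture()
    try:
        # In a shipped tool the pinned digest ships with the tool; it is computed
        # here only because the fixture file is constructed at run time.
        pinned = {"cmd.exe": sha256_file(genuine)}
        results = {
            "weak_genuine": weak_is_trusted_helper(genuine, "cmd.exe"),
            "weak_impostor": weak_is_trusted_helper(impostor, "cmd.exe"),
            "strict_genuine": strict_is_trusted_helper(genuine, "cmd.exe", system32, pinned) is not None,
            "strict_impostor": strict_is_trusted_helper(impostor, "cmd.exe", system32, pinned) is not None,
        }
        # Overwrite the genuine file in place: right location, right name, wrong bytes.
        genuine.write_bytes(b"constructed stand-in for a tampered cmd.exe\n")
        results["strict_tampered"] = strict_is_trusted_helper(genuine, "cmd.exe", system32, pinned) is not None
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16} -> {'accepted' if accepted else 'rejected'}")
```

The weak check accepts both files because it never looks past the name; the strict check accepts only the file that resolves into the trusted directory and still has the expected contents. A pinned digest has the drawback Doctor Syntax raises (it changes with every Windows update), so a shipped product would verify the binary's Authenticode or catalog signature instead; on Windows the `Get-AuthenticodeSignature` cmdlet reports that. The structural point is the same either way: decide on the resolved path and the verified contents, never on the base name the caller supplied.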

  2. Anonymous Coward

    This is a new low.

    Make no mistake, this comes from a company that prides itself in securing our networks.

  3. jake Silver badge

    It's nearly 2020 ...

    ... and your OS of choice still requires a full-time anti-malware program chewing up memory and CPU?

    1. CypherDragon

      Re: It's nearly 2020 ...

      Is this where you tell us "Macs don't get viruses"?

      EVERY OS has vulnerabilities, and every OS can have malicious files run on them. Not even air-gapped industrial control networks are safe, as Stuxnet proved. For the average user, antimalware is a requirement...unless you like just wiping your computer every few months because it got infected, again.

      1. jake Silver badge

        Re: It's nearly 2020 ...

        There is a big difference between "every OS can have malicious files run on them" and "every OS is likely to have malicious files run on them by a remote attacker".

        My personal systems have been connected to the TCP/IP version of TehIntraWebTubes with un*x-type OSes since Flag Day with no issues. That's every minute of every day since midnight on January 1st, 1983. (The Morris Worm affected systems at work that I was not allowed to lock down until after the fact. My home systems were unaffected. That's as close as I've ever come to being infected.)

        Anti-malware is snake-oil sold to users of insecure-by-design operating systems. Have you not noticed that it so very frequently fails? Ever ask yourself why?

        To answer your question, I don't generally use Apple anything ... but the one Apple machine here looks more like a proper BSD than the bastardized kludge that is shipped by Cupertino.

        1. LDS Silver badge
          Facepalm

          Re: It's nearly 2020 ...

          Even my Commodore 64 was never hacked....

          1. jake Silver badge

            Re: It's nearly 2020 ...

            I'd wager that your C64 was never connected to any network but sneakernet.

            1. LDS Silver badge

              Re: It's nearly 2020 ...

              Wrong. I had a modem for it.

              1. jake Silver badge
                Pint

                Re: It's nearly 2020 ...

                I stand corrected. A pint being the usual wager around here, have a beer.

                (I think I still have a couple each of the 1650, 1660 and 1670 modems for a C64 floating around here somewhere ... Odd the things you pick up over the years. Odder still the things you hang onto for no apparent reason.)

        2. Tilda Rice

          Re: It's nearly 2020 ...

          Unix bla bla

          OpenBSD, definitely ready for prime time soccer mom usage. Yes sireeee, totally secure.

          1. jake Silver badge

            Re: It's nearly 2020 ...

            My mom and aging GreatAunt have been using the Slackware distribution of Linux for years ... and haven't had any malware problems the entire time, with zero anti-malware software running. Both are functionally computer illiterate. I could have put them on BSD instead, the interface that they interact with would look and act the same on either OS.

            1. Doctor Syntax Silver badge

              Re: It's nearly 2020 ...

              Don't bother, Jake. Check Tilda Rice's short posting history. Even hardware has to be Microsoft. We've seen a stack of them here over the years.

              1. Snorlax

                Re: It's nearly 2020 ...

                Don't bother, Jake. Check Tilda Rice's short posting history.

                lol, as if a high post count was some kind of guarantee of quality...

                1. Michael Wojcik Silver badge

                  Re: It's nearly 2020 ...

                  Whoosh.

        3. Snorlax
          Facepalm

          Re: It's nearly 2020 ...

          Anti-malware is snake-oil sold to users of insecure-by-design operating systems. Have you not noticed that it so very frequently fails? Ever ask yourself why?

          Durr. I'm going to go ahead and answer your question by saying that, unlike you, the malware scene isn't frozen in time and is constantly evolving - hence the need for updates, patches and bugfixes.

          In this particular case, from what I can see ATTK is a free support tool and not an antivirus product in itself. The snake-oil sold to users is where exactly??

          1. jake Silver badge

            Re: It's nearly 2020 ...

            Instead of patching the snake-oil du jour, I keep my distro patched. If having a patched, functional, reliable OS available is old fashioned, just call me Granddad ... and keep your marketing-driven unreliable, badly engineered pseudoOS to yourself.

    2. Mayday
      Gimp

      Re: It's nearly 2020 ...

      "OS of choice"

      I run anti virus/malware on my OS of choice, which is MacOS (I also do so on my Windows PC).

      I also have chosen to not install the latest malware which is otherwise known as Catalina.

    3. LDS Silver badge

      Re: It's nearly 2020 ...

      Sure, just ask Equifax...

      1. jake Silver badge

        Re: It's nearly 2020 ...

        Equifax is hardly a good example. Weren't they the ones who were breached through an Apache bug that had been patched a couple months prior to the breach?

        1. LDS Silver badge

          Re: It's nearly 2020 ...

          So what? It's not only zero days you should fear - which may not be trapped by an AV anyway - there's a lot of malware you have to trap before it gets executed - including those targeting unpatched applications, and then hinder their attempts to expand the attack - often using tools that aren't malware per se, but can be used as such and an AV can identify and warn the user.

          1. jake Silver badge

            Re: It's nearly 2020 ...

            So what? So the fact is that I just don't see malware being an issue with BSD and Linux systems in the wild. Sure, there is occasionally proof of concept code out there, but patches for the vulnerable bits are available before miscreants make use of it.

      2. Snorlax

        Re: It's nearly 2020 ...

        Sure, just ask Equifax...

        Who needs malware when your username/password is admin/admin?

  4. CaptSmegHead

    Why is the full screen option turned off for the video? Bigger = better

  5. Tim99 Silver badge
    Coat

    But

    I thought that regedit and cmd were viruses?
