ATTK of the Pwns: Trend Micro's antivirus tools 'will run malware – if its filename is cmd.exe'

Try not to save files to your Windows PC called cmd.exe or regedit.exe

Video A flaw in the Trend Micro Anti-Threat Toolkit can be exploited by hackers to run malware on victims' Windows computers.

Bug-hunter John "hyp3rlinx" Page took credit for uncovering CVE-2019-9491, an arbitrary code execution flaw in the security tool.

In short, the Trend software can be tricked into executing any old piece of software under the sun, including malware, when it is scanned, provided the filename is cmd.exe or regedit.exe. No, really.

"Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of 'cmd.exe' or 'regedit.exe'" hyp3rlinx explained on Saturday.

"And the malware can be placed in the vicinity of the ATTK when a scan is launched by the end user."

The Catholic Church's erosary

Deus ex hackina: It took just 10 minutes to find data-divulging demons corrupting Pope's Click to Pray eRosary app

READ MORE

In other words, your Trend antivirus software can be tricked into running a virus. That's… not good. It means if you can save a file on someone's PC as cmd.exe or regedit.exe, via a download or email or something like that, and they're running ATTK, you can now run malicious code on their machine.

"Since the ATTK is signed by verified publisher and therefore assumed trusted any MOTW security warnings are bypassed if the malware was internet downloaded, also it can become a persistence mechanism as each time the Anti-Threat Toolkit is run so can an attackers malware," the flaw-finder added.

Needless to say, remote code execution flaws are not a good thing in a security tool. The software you want to protect your machine can be tricked into executing malware. Don't believe us? Here's a proof of concept video of the attack in action:

Youtube Video

The bug is no secret, either. According to hyp3rlinx, Trend was warned of the flaw back on September 9, and confirmed the bug on the 25th of that month.

The Register asked Trend Micro for comment on the report, and to confirm a patch has been issued, but has yet to hear back at the time of publication. ®

Updated to add

Trend's software was patched on Friday. Make sure you're running version 1.62.0.1223 or higher.

Sponsored: Beyond the Data Frontier

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019