Trend Micro installer executing arbitrary code (video)

Status
Not open for further replies.

Enju

Level 9
Thread author
Verified
Well-known
Jul 16, 2014
443
I got bored and wanted to take a peek at Trend Micro... let's just say nobody should consider using this.
I downloaded their official downloader from the German Trend Micro Website and hijacked the download, so instead of the Trend Micro Setup file I ended up with Firefox. Why not check the downloaded file for a certificate or even hash? Don't ask me, ask them.
The best part is: It runs as administrator! Imagine all the possibilities... ;)



The video was made in a rush - I hope it's ok!
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
Your title is misleading, since Trend Micro isn't installed during this process.
Do you know if the Downloader is developed by them, or a third-party source?
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Well, I got that point. Actually, those installers can really be made to edit any content nowadays, especially if it's a server location, which can easily be changed with a decent tool.
 

NekoJonez

Level 5
Verified
Well-known
Jun 3, 2015
200
Almost every school I worked for either used F-Secure or Trend Micro. From computers protected by both I was able to find some adware / malware they would detect on launch.

In other words, I'm not that happy with the real-time protection, since my gut feeling says that it mostly scans the incoming traffic. (That's what I think; I haven't tested it in more depth.)

In any case, interesting video.
 

Enju

Level 9
Thread author
Verified
Well-known
Jul 16, 2014
443
Your title is misleading, since Trend Micro isn't installed during this process.
Do you know if the Downloader is developed by them, or a third-party source?
It's the only official way to download it so I assume it's written by them.
And what's wrong with the title? I explicitly didn't use any program name because it affects every new Trend Micro consumer installer; you can get it to install any application you want. I just chose Firefox because it's signed by Mozilla and not Trend.
DNS poisoning and domain hijacking are getting more and more common, hell you could even MITM it and attach your malware to the download...
 

Cch123

Level 7
Verified
May 6, 2014
335
I agree that AVs should all change to an HTTPS update/download system, but I have to agree with Huracan that your title is misleading. "Failing at security" is a strong term to use just because you can hijack its software download.

Almost every school I worked for either used F-Secure or Trend Micro. From computers protected by both I was able to find some adware / malware they would detect on launch.

In other words, I'm not that happy with the real-time protection, since my gut feeling says that it mostly scans the incoming traffic. (That's what I think; I haven't tested it in more depth.)

In any case, interesting video.

Are they using the home version or Deep Defender/ enterprise products? Trend Micro is one of the top 5 enterprise security vendors with Symantec, McAfee, Sophos and Kaspersky. Anyway, I wouldn't count adware since different AV vendors have different definitions of adware.
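The gap Enju describes (a downloader that fetches a setup file and runs it as administrator without checking a hash or signature, and that Cch123 says should at least use HTTPS) comes down to two checks the downloader never made. The following is an added example, not code from the thread, from Trend Micro or from any installer: a stub of the gate a downloader should put between "bytes arrived" and "execute". The pinned digest, the sample file contents and the `fetch` callback are all constructed here so it runs offline; a real downloader would embed the vendor's published digest (or verify an Authenticode signature against the expected publisher, which is exactly what the Firefox swap in the video would fail).

```python
"""Integrity gate for a downloaded installer (added example; all values constructed)."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-ins for the genuine setup file and a swapped-in file.
GENUINE_SETUP = b"constructed-placeholder-for-the-genuine-setup-file"
SWAPPED_FILE = b"constructed-placeholder-for-a-swapped-in-file"

# The digest the downloader ships with. Here it is derived from the constructed
# bytes above; in practice it is a value published by the vendor, never fetched
# from the same untrusted channel as the file itself.
PINNED_SHA256 = hashlib.sha256(GENUINE_SETUP).hexdigest()


class DownloadRejected(Exception):
    """Raised when the fetched file must not be executed."""


def check_transport(url: str) -> None:
    """Refuse plain HTTP: a cleartext download can be rewritten on the wire."""
    if urlparse(url).scheme != "https":
        raise DownloadRejected(f"refusing non-HTTPS download URL: {url}")


def verify_payload(data: bytes, expected_sha256: str) -> str:
    """Compare the file's SHA-256 with the pinned value in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise DownloadRejected(
            f"hash mismatch: expected {expected_sha256[:12]}..., got {actual[:12]}..."
        )
    return actual


def fetch_and_verify(url: str, fetch, expected_sha256: str = PINNED_SHA256) -> bytes:
    """Fetch through the injected `fetch(url) -> bytes` callback and return the
    bytes only if both checks pass; the caller launches nothing otherwise."""
    check_transport(url)
    data = fetch(url)
    verify_payload(data, expected_sha256)
    return data


def safe_download(url: str, fetch, expected_sha256: str = PINNED_SHA256):
    """Non-raising wrapper: (True, 'ok') or (False, reason)."""
    try:
        fetch_and_verify(url, fetch, expected_sha256)
        return True, "ok"
    except DownloadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Simulated server that hands back the genuine file, and one that hands
    # back something else (the thread's hijacked download).
    honest = lambda url: GENUINE_SETUP
    hijacked = lambda url: SWAPPED_FILE
    print(safe_download("https://example.invalid/setup.exe", honest))
    print(safe_download("https://example.invalid/setup.exe", hijacked))
    print(safe_download("http://example.invalid/setup.exe", honest))
```

The transport check alone does not help against a server-side swap, and the hash check alone does not help if the digest is fetched from the same place as the file; the gate only means something when the digest (or the signer identity) is pinned in the downloader and the process elevates only after `fetch_and_verify` returns.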
 

Online_Sword

Level 12
Verified
Honorary Member
Top Poster
Well-known
Mar 23, 2015
555
Does Trend Micro 10 have an offline installer?
I guess using an offline installer, if it exists:D, could avoid this issue.
 
