Trend Micro installer executing arbitrary code (video)

Enju

New Member
Joined
Jul 16, 2014
Messages
444
#1
I got bored and wanted to take a peek at Trend Micro... let's just say nobody should consider using this.
I downloaded their official downloader from the German Trend Micro Website and hijacked the download, so instead of the Trend Micro Setup file I ended up with Firefox. Why not check the downloaded file for a certificate or even hash? Don't ask me, ask them.
The best part is: it runs as administrator! Imagine all the possibilities... ;)


The video was made in a rush - I hope it's ok!
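The gap the post describes is a download stage that executes whatever it receives, with elevated privileges, without checking who signed it or whether the bytes are the ones the vendor published. The script below is an added example (not Trend Micro's code and not from the original post) of what such a stage looks like when it does the checks. The URL, the expected SHA-256 and the expected signer subject are placeholders and are assumptions here; in practice they would come from the vendor over a trusted channel, such as a signed manifest or the vendor's HTTPS site.

```powershell
# Added example, not the vendor's code: a download stage that refuses to run
# anything whose SHA-256 and Authenticode signer it cannot verify.
# Assumptions (not from the thread): the URL, hash and signer subject below
# are placeholders to be replaced with values obtained from a trusted source.

function Get-VerifiedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,            # must be https://
        [Parameter(Mandatory)][string]$ExpectedSha256, # hex digest from a trusted source
        [Parameter(Mandatory)][string]$ExpectedSubject # wildcard, e.g. 'CN=Example Vendor*'
    )

    # 1. Refuse plain HTTP outright: anyone on the path (MITM, poisoned DNS,
    #    a hijacked domain) can swap the response body at will.
    if (-not $Url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to download over a non-TLS URL: $Url"
    }

    $tmp = Join-Path $env:TEMP ("setup-{0}.exe" -f [guid]::NewGuid())
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing

    try {
        # 2. Pinned hash: TLS does not help if the vendor's server or CDN is
        #    serving the wrong file, so compare against a digest obtained
        #    out of band. Get-FileHash returns an upper-case hex string and
        #    -ne compares strings case-insensitively in PowerShell.
        $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            throw "SHA-256 mismatch: expected $ExpectedSha256, got $actual"
        }

        # 3. Authenticode: the signature must chain to a trusted root AND the
        #    signer must be the expected publisher. A valid signature from
        #    some other publisher (Mozilla, as in the video) is not enough.
        $sig = Get-AuthenticodeSignature -FilePath $tmp
        if ($sig.Status -ne 'Valid') {
            throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        }
        if ($sig.SignerCertificate.Subject -notlike $ExpectedSubject) {
            throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        return $tmp
    }
    catch {
        # Never leave an unverified executable lying around for a later,
        # less careful step to pick up.
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
        throw
    }
}

# Only a file that passed all three checks is ever launched elevated.
# The values below are placeholders (assumptions), not real vendor data.
$installer = Get-VerifiedInstaller `
    -Url 'https://downloads.example.invalid/setup.exe' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' `
    -ExpectedSubject 'CN=Example Vendor*'
Start-Process -FilePath $installer -Verb RunAs -Wait
```

The order matters: the hash check runs before the signature check so that a file signed by the right publisher but not the one the vendor meant to ship (an older, vulnerable build, for instance) is also rejected, and the elevation (`-Verb RunAs`) happens only after both checks pass. The signer check relies on the machine's trusted root store, so it is no stronger than that store; the pinned hash is what protects against a signed-but-unexpected file.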
 

Spawn

Administrator
MalwareTips Staff
Joined
Jan 8, 2011
Messages
17,108
OS
Windows 10
Antivirus
Microsoft
#4
Your title is misleading, since Trend Micro isn't installed during this process.
Do you know if the Downloader is developed by them, or a third-party source?
 

jamescv7

Level 61
Trusted
Joined
Mar 15, 2011
Messages
12,638
OS
Windows 10
Antivirus
Microsoft
#5
Well, I got that point. Actually, those installers can really be made to edit any content nowadays, especially if it's a server location, which can easily be changed with a decent tool.
 
Likes: Enju

NekoJonez

New Member
Joined
Jun 3, 2015
Messages
191
#6
Almost every school I worked for either used F-Secure or Trend Micro. From computers protected by both I was able to find some adware / malware they would detect on launch.

In other words, I'm not that happy with the real-time protection, since my gut feeling says that it mostly scans incoming traffic. (That's what I think; I haven't tested it in more depth.)

In any case, interesting video.
 
Likes: Enju

Enju

New Member
Joined
Jul 16, 2014
Messages
444
#7
Your title is misleading, since Trend Micro isn't installed during this process.
Do you know if the Downloader is developed by them, or a third-party source?
It's the only official way to download it so I assume it's written by them.
And what's wrong with the title? I explicitly didn't use any program name because it affects every new Trend Micro consumer installer; you can get it to install any application you want. I just chose Firefox because it's signed by Mozilla and not Trend.
DNS poisoning and domain hijacking are getting more and more common, hell you could even MITM it and attach your malware to the download...
 
Likes: vivid
Joined
May 6, 2014
Messages
331
#8
I agree that AVs should all change to an HTTPS update/download system, but I have to agree with Huracan that your title is misleading. "Failing at security" is a strong term to use just because you can hijack its software download.

Almost every school I worked for either used F-Secure or Trend Micro. From computers protected by both I was able to find some adware / malware they would detect on launch.

In other words, I'm not that happy with the real-time protection, since my gut feeling says that it mostly scans incoming traffic. (That's what I think; I haven't tested it in more depth.)

In any case, interesting video.
Are they using the home version or Deep Defender/ enterprise products? Trend Micro is one of the top 5 enterprise security vendors with Symantec, McAfee, Sophos and Kaspersky. Anyway, I wouldn't count adware since different AV vendors have different definitions of adware.
 
Likes: Enju

Online_Sword

New Member
Trusted
Joined
Mar 23, 2015
Messages
575
#9
Does Trend Micro 10 have an offline installer?
I guess using an offline installer, if it exists :D, could avoid this issue.
 
Likes: Enju