Endpoint //


10:00 AM
Connect Directly

North Korea's AV Software Contains Pilfered Trend Micro Software

Researchers get hold of a copy of Kim Jong Un regime's mysterious internal 'SiliVaccine' antivirus software, provided only to its citizens, and find a few surprises.

A rare hands-on analysis of the antivirus software that North Korea provides its citizens shows the proprietary tool is based on a 10-year-old version of Trend Micro's AV scanning engine that also was customized to ignore a specific type of malware rather than flag it.

Researchers at Check Point today published new research from their exclusive study of the so-called SiliVaccine AV program that is used only inside the cloistered nation. North Korea blocks its citizens from the public Internet and runs its own intranet; only North Korea's ruling elite are allowed access to the global Internet.

Check Point obtained a sample of the malware from a freelance journalist specializing in North Korean technology who had received a suspicious email message with a link to the AV program. The researchers say it's unclear just how North Korea got its hands on Trend Micro's AV engine, but since Trend doesn't do business with North Korea, it's most likely a case of stolen intellectual property.

Jon Clay, director of global threat communications at Trend Micro, told Dark Reading that the software was not stolen via a hack of Trend Micro systems. Rather, Trend Micro suspects its software was pirated somehow. "We strongly believe this is a case of software piracy, in which our software is being used illegally. North Korea has been repackaging software for sale locally for years, including Adobe Reader in 2013," for example, he says.

"This was not a data breach and no evidence suggests they are using stolen source code," he says. "It appears they obtained a public version of our scan engine DLL and modified it."

What is clear is that the North Korean AV was built to appear as its own software. "Every aspect was well-written and they had a lot to hide … the signatures are encrypted and the fields are protected," says MichaelKajiloti, malware research team leader at Trend Micro.

SiliVaccine uses Trend-Micro AV pattern files but renamed Trend's malware signature names with names of its own, for example, and the Trend Micro engine's identity is well-masked, according to Check Point.

"They went the extra mile to hide the fact they stole intellectual property," says Mark Lechtik, one of the Check Point security researchers who studied SiliVaccine.

But Trend Micro's Clay maintains that North Korea's SiliVaccine does not have access to Trend Micro's AV signature updates, and that the AV program instead is using homegrown signatures of its own.

Malware Whitelist

SiliVaccine operates with another hidden twist: it whitelists a specific malware signature that Trend Micro identifies as MAL_NUCRP-5, which detects files that employ behavior patterns used in various types of malware, including fake antivirus installers and droppers, Check Point found. That may allow the North Korean government to run malware on its citizens' machines without their knowledge, possibly for some type of surveillance, according to the researchers. "Or the signature gives them the option to create any malware they want to target citizens and build it in such a way that the AV will never catch it," says Kajiloti.

Lechtik says Check Point's team concluded that the development of SiliVaccine has been ongoing for several years. "I highly doubt it was reverse-engineered," he says. "We think its more likely that it's much more a part of their" getting access to the software, he says.

Check Point shared its findings with Trend Micro, which confirmed that the software uses a module based on an older version of its AV scanning engine from more than ten years ago - VSAPI Scan Engine 8.9x - and that no source code is included in the software. Trend believes it's a case of software piracy, and that the fraudsters reverse-engineered the software as its own.

"It appears that a compiled code library was illegally copied, repacked, and then wrapped with additional application code not originating from Trend Micro to build a normal AV scanning application called SiliVaccine," Trend Micro's Clay says. "The authors of the SiliVaccine product intentionally removed a specific heuristic detection in their product's version of the pattern file."

In the end, there doesn't appear to be any risk to legitimate users of Trend Micro's AV software since it's such an old version, and SiliVaccine has its own encrypted files that can't be used by existing Trend Micro AV products. "The result is that it would be impossible for a Trend Micro product to accidentally or even intentionally use a SiliVaccine modified pattern file since Trend Micro products perform pattern integrity checks," Clay says.

Clay says the incident suggests that North Korea has programmers with reverse-engineering skills. "As such, any software vendor should be concerned that North Korea could do the same with their code."

It also indicates they didn't want to develop their own AV scanner: "They needed an AV scanner and did not want to put in the time or effort to develop their own so they illegally obtained a publicly available scanner and modified it for their own use," Clay says.

Dark Hotel Clue

Journalist Martyn Williams in July 2014 received a sketchy email from a purported Japanese engineer with a news tip that included a Dropbox-hosted zip file with SiliVaccine software and a file posing as a patch for the AV program. The phony patch turned out to be a camouflaged piece of JAKU malware, which is a Trojan dropper which has been tied to DarkHotel, a North Korean cyber espionage group.

The JAKU file was also signed with a certificate from the same "company" that had also signed malware files for the Dark Hotel nation-state hacking group thought to be out of North Korea.

"We can't really say the JAKU bundled in was part of SiliVaccine; it might be … but more likely Martyn [Williams] was the target here" of a cyber espionage campaign, Lechtik says.

JAKU to date has infected 19,000 victims mostly via malicious BitTorrent share files. It's typically known for targeting and monitoring individuals in South Korea and Japan who work for non-governmental organizations, engineering firms, government, as well as academia.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
5/2/2018 | 2:14:02 PM
Re: Copying
It was a quick and cheap way for NK to get its own proprietary AV for its citizens, customizing it so they can still implant malware or other tracking tools to monitor their online communciations on the NK intranet.
User Rank: Ninja
5/2/2018 | 9:47:13 AM
They say copying is the sincerest form of flattery. Without seeing the program code, I would imagine the core logic behind most of these traditional AV's is pretty consistent. No need to really steal from one another.
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
8 Security Tips to Gift Your Loved Ones For the Holidays
Steve Zurier, Freelance Writer,  12/18/2018
How to Engage Your Cyber Enemies
Guy Nizan, CEO at Intsights Cyber Intelligence,  12/18/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-12-19
sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.
PUBLISHED: 2018-12-19
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on th...
PUBLISHED: 2018-12-19
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior ...
PUBLISHED: 2018-12-19
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and even...
PUBLISHED: 2018-12-19
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, a...