Endpoint //

Privacy

5/1/2018
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

North Korea's AV Software Contains Pilfered Trend Micro Software

Researchers get hold of a copy of Kim Jong Un regime's mysterious internal 'SiliVaccine' antivirus software, provided only to its citizens, and find a few surprises.

A rare hands-on analysis of the antivirus software that North Korea provides its citizens shows the proprietary tool is based on a 10-year-old version of Trend Micro's AV scanning engine that also was customized to ignore a specific type of malware rather than flag it.

Researchers at Check Point today published new research from their exclusive study of the so-called SiliVaccine AV program that is used only inside the cloistered nation. North Korea blocks its citizens from the public Internet and runs its own intranet; only North Korea's ruling elite are allowed access to the global Internet.

Check Point obtained a sample of the malware from a freelance journalist specializing in North Korean technology who had received a suspicious email message with a link to the AV program. The researchers say it's unclear just how North Korea got its hands on Trend Micro's AV engine, but since Trend doesn't do business with North Korea, it's most likely a case of stolen intellectual property.

Jon Clay, director of global threat communications at Trend Micro, told Dark Reading that the software was not stolen via a hack of Trend Micro systems. Rather, Trend Micro suspects its software was pirated somehow. "We strongly believe this is a case of software piracy, in which our software is being used illegally. North Korea has been repackaging software for sale locally for years, including Adobe Reader in 2013," for example, he says.

"This was not a data breach and no evidence suggests they are using stolen source code," he says. "It appears they obtained a public version of our scan engine DLL and modified it."

What is clear is that the North Korean AV was built to appear as its own software. "Every aspect was well-written and they had a lot to hide … the signatures are encrypted and the fields are protected," says MichaelKajiloti, malware research team leader at Trend Micro.

SiliVaccine uses Trend-Micro AV pattern files but renamed Trend's malware signature names with names of its own, for example, and the Trend Micro engine's identity is well-masked, according to Check Point.

"They went the extra mile to hide the fact they stole intellectual property," says Mark Lechtik, one of the Check Point security researchers who studied SiliVaccine.

But Trend Micro's Clay maintains that North Korea's SiliVaccine does not have access to Trend Micro's AV signature updates, and that the AV program instead is using homegrown signatures of its own.

Malware Whitelist

SiliVaccine operates with another hidden twist: it whitelists a specific malware signature that Trend Micro identifies as MAL_NUCRP-5, which detects files that employ behavior patterns used in various types of malware, including fake antivirus installers and droppers, Check Point found. That may allow the North Korean government to run malware on its citizens' machines without their knowledge, possibly for some type of surveillance, according to the researchers. "Or the signature gives them the option to create any malware they want to target citizens and build it in such a way that the AV will never catch it," says Kajiloti.

Lechtik says Check Point's team concluded that the development of SiliVaccine has been ongoing for several years. "I highly doubt it was reverse-engineered," he says. "We think its more likely that it's much more a part of their" getting access to the software, he says.

Check Point shared its findings with Trend Micro, which confirmed that the software uses a module based on an older version of its AV scanning engine from more than ten years ago - VSAPI Scan Engine 8.9x - and that no source code is included in the software. Trend believes it's a case of software piracy, and that the fraudsters reverse-engineered the software as its own.

"It appears that a compiled code library was illegally copied, repacked, and then wrapped with additional application code not originating from Trend Micro to build a normal AV scanning application called SiliVaccine," Trend Micro's Clay says. "The authors of the SiliVaccine product intentionally removed a specific heuristic detection in their product's version of the pattern file."

In the end, there doesn't appear to be any risk to legitimate users of Trend Micro's AV software since it's such an old version, and SiliVaccine has its own encrypted files that can't be used by existing Trend Micro AV products. "The result is that it would be impossible for a Trend Micro product to accidentally or even intentionally use a SiliVaccine modified pattern file since Trend Micro products perform pattern integrity checks," Clay says.

Clay says the incident suggests that North Korea has programmers with reverse-engineering skills. "As such, any software vendor should be concerned that North Korea could do the same with their code."

It also indicates they didn't want to develop their own AV scanner: "They needed an AV scanner and did not want to put in the time or effort to develop their own so they illegally obtained a publicly available scanner and modified it for their own use," Clay says.

Dark Hotel Clue

Journalist Martyn Williams in July 2014 received a sketchy email from a purported Japanese engineer with a news tip that included a Dropbox-hosted zip file with SiliVaccine software and a file posing as a patch for the AV program. The phony patch turned out to be a camouflaged piece of JAKU malware, which is a Trojan dropper which has been tied to DarkHotel, a North Korean cyber espionage group.

The JAKU file was also signed with a certificate from the same "company" that had also signed malware files for the Dark Hotel nation-state hacking group thought to be out of North Korea.

"We can't really say the JAKU bundled in was part of SiliVaccine; it might be … but more likely Martyn [Williams] was the target here" of a cyber espionage campaign, Lechtik says.

JAKU to date has infected 19,000 victims mostly via malicious BitTorrent share files. It's typically known for targeting and monitoring individuals in South Korea and Japan who work for non-governmental organizations, engineering firms, government, as well as academia.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/2/2018 | 2:14:02 PM
Re: Copying
It was a quick and cheap way for NK to get its own proprietary AV for its citizens, customizing it so they can still implant malware or other tracking tools to monitor their online communciations on the NK intranet.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/2/2018 | 9:47:13 AM
Copying
They say copying is the sincerest form of flattery. Without seeing the program code, I would imagine the core logic behind most of these traditional AV's is pretty consistent. No need to really steal from one another.
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6970
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
CVE-2018-14781
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
CVE-2018-15123
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
CVE-2018-15124
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.
CVE-2018-15125
PUBLISHED: 2018-08-13
Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.