North Korea's AV Software Contains Pilfered Trend Micro Software

Researchers get hold of a copy of Kim Jong Un regime's mysterious internal 'SiliVaccine' antivirus software, provided only to its citizens, and find a few surprises.

A rare hands-on analysis of the antivirus software that North Korea provides its citizens shows the proprietary tool is based on a 10-year-old version of Trend Micro's AV scanning engine that also was customized to ignore a specific type of malware rather than flag it.

Researchers at Check Point today published new research from their exclusive study of the so-called SiliVaccine AV program that is used only inside the cloistered nation. North Korea blocks its citizens from the public Internet and runs its own intranet; only North Korea's ruling elite are allowed access to the global Internet.

Check Point obtained a sample of the malware from a freelance journalist specializing in North Korean technology who had received a suspicious email message with a link to the AV program. The researchers say it's unclear just how North Korea got its hands on Trend Micro's AV engine, but since Trend doesn't do business with North Korea, it's most likely a case of stolen intellectual property.

Jon Clay, director of global threat communications at Trend Micro, told Dark Reading that the software was not stolen via a hack of Trend Micro systems. Rather, Trend Micro suspects its software was pirated somehow. "We strongly believe this is a case of software piracy, in which our software is being used illegally. North Korea has been repackaging software for sale locally for years, including Adobe Reader in 2013," for example, he says.

"This was not a data breach and no evidence suggests they are using stolen source code," he says. "It appears they obtained a public version of our scan engine DLL and modified it."

What is clear is that the North Korean AV was built to appear as its own software. "Every aspect was well-written and they had a lot to hide … the signatures are encrypted and the fields are protected," says Michael Kajiloti, malware research team leader at Trend Micro.

SiliVaccine uses Trend Micro AV pattern files but replaces Trend's malware signature names with names of its own, for example, and the Trend Micro engine's identity is well-masked, according to Check Point.

"They went the extra mile to hide the fact they stole intellectual property," says Mark Lechtik, one of the Check Point security researchers who studied SiliVaccine.

But Trend Micro's Clay maintains that North Korea's SiliVaccine does not have access to Trend Micro's AV signature updates, and that the AV program instead is using homegrown signatures of its own.

Malware Whitelist

SiliVaccine operates with another hidden twist: it whitelists a specific malware signature that Trend Micro identifies as MAL_NUCRP-5, which detects files that employ behavior patterns used in various types of malware, including fake antivirus installers and droppers, Check Point found. That may allow the North Korean government to run malware on its citizens' machines without their knowledge, possibly for some type of surveillance, according to the researchers. "Or the signature gives them the option to create any malware they want to target citizens and build it in such a way that the AV will never catch it," says Kajiloti.

Lechtik says Check Point's team concluded that the development of SiliVaccine has been ongoing for several years. "I highly doubt it was reverse-engineered," he says. "We think it's more likely that it's much more a part of their" getting access to the software, he says.

Check Point shared its findings with Trend Micro, which confirmed that the software uses a module based on an older version of its AV scanning engine from more than ten years ago, VSAPI Scan Engine 8.9x, and that no source code is included in the software. Trend believes it's a case of software piracy, and that the fraudsters reverse-engineered the software as their own.

"It appears that a compiled code library was illegally copied, repacked, and then wrapped with additional application code not originating from Trend Micro to build a normal AV scanning application called SiliVaccine," Trend Micro's Clay says. "The authors of the SiliVaccine product intentionally removed a specific heuristic detection in their product's version of the pattern file."

In the end, there doesn't appear to be any risk to legitimate users of Trend Micro's AV software since it's such an old version, and SiliVaccine has its own encrypted files that can't be used by existing Trend Micro AV products. "The result is that it would be impossible for a Trend Micro product to accidentally or even intentionally use a SiliVaccine modified pattern file since Trend Micro products perform pattern integrity checks," Clay says.

Clay says the incident suggests that North Korea has programmers with reverse-engineering skills. "As such, any software vendor should be concerned that North Korea could do the same with their code."

It also indicates they didn't want to develop their own AV scanner: "They needed an AV scanner and did not want to put in the time or effort to develop their own so they illegally obtained a publicly available scanner and modified it for their own use," Clay says.

Dark Hotel Clue

In July 2014, journalist Martyn Williams received a sketchy email from a purported Japanese engineer with a news tip that included a Dropbox-hosted zip file with SiliVaccine software and a file posing as a patch for the AV program. The phony patch turned out to be a camouflaged piece of JAKU malware, a Trojan dropper that has been tied to DarkHotel, a North Korean cyber espionage group.

The JAKU file was also signed with a certificate from the same "company" that had also signed malware files for the Dark Hotel nation-state hacking group thought to be out of North Korea.

"We can't really say the JAKU bundled in was part of SiliVaccine; it might be … but more likely Martyn [Williams] was the target here" of a cyber espionage campaign, Lechtik says.

JAKU to date has infected 19,000 victims mostly via malicious BitTorrent share files. It's typically known for targeting and monitoring individuals in South Korea and Japan who work for non-governmental organizations, engineering firms, government, as well as academia.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Kelly Jackson Higgins,
User Rank: Strategist
5/2/2018 | 2:14:02 PM
Re: Copying
It was a quick and cheap way for NK to get its own proprietary AV for its citizens, customizing it so they can still implant malware or other tracking tools to monitor their online communications on the NK intranet.
User Rank: Ninja
5/2/2018 | 9:47:13 AM
They say copying is the sincerest form of flattery. Without seeing the program code, I would imagine the core logic behind most of these traditional AV's is pretty consistent. No need to really steal from one another.