Endpoint //

Privacy

5/1/2018
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

North Korea's AV Software Contains Pilfered Trend Micro Software

Researchers get hold of a copy of Kim Jong Un regime's mysterious internal 'SiliVaccine' antivirus software, provided only to its citizens, and find a few surprises.

A rare hands-on analysis of the antivirus software that North Korea provides its citizens shows the proprietary tool is based on a 10-year-old version of Trend Micro's AV scanning engine that also was customized to ignore a specific type of malware rather than flag it.

Researchers at Check Point today published new research from their exclusive study of the so-called SiliVaccine AV program that is used only inside the cloistered nation. North Korea blocks its citizens from the public Internet and runs its own intranet; only North Korea's ruling elite are allowed access to the global Internet.

Check Point obtained a sample of the malware from a freelance journalist specializing in North Korean technology who had received a suspicious email message with a link to the AV program. The researchers say it's unclear just how North Korea got its hands on Trend Micro's AV engine, but since Trend doesn't do business with North Korea, it's most likely a case of stolen intellectual property.

Jon Clay, director of global threat communications at Trend Micro, told Dark Reading that the software was not stolen via a hack of Trend Micro systems. Rather, Trend Micro suspects its software was pirated somehow. "We strongly believe this is a case of software piracy, in which our software is being used illegally. North Korea has been repackaging software for sale locally for years, including Adobe Reader in 2013," for example, he says.

"This was not a data breach and no evidence suggests they are using stolen source code," he says. "It appears they obtained a public version of our scan engine DLL and modified it."

What is clear is that the North Korean AV was built to appear as its own software. "Every aspect was well-written and they had a lot to hide … the signatures are encrypted and the fields are protected," says MichaelKajiloti, malware research team leader at Trend Micro.

SiliVaccine uses Trend-Micro AV pattern files but renamed Trend's malware signature names with names of its own, for example, and the Trend Micro engine's identity is well-masked, according to Check Point.

"They went the extra mile to hide the fact they stole intellectual property," says Mark Lechtik, one of the Check Point security researchers who studied SiliVaccine.

But Trend Micro's Clay maintains that North Korea's SiliVaccine does not have access to Trend Micro's AV signature updates, and that the AV program instead is using homegrown signatures of its own.

Malware Whitelist

SiliVaccine operates with another hidden twist: it whitelists a specific malware signature that Trend Micro identifies as MAL_NUCRP-5, which detects files that employ behavior patterns used in various types of malware, including fake antivirus installers and droppers, Check Point found. That may allow the North Korean government to run malware on its citizens' machines without their knowledge, possibly for some type of surveillance, according to the researchers. "Or the signature gives them the option to create any malware they want to target citizens and build it in such a way that the AV will never catch it," says Kajiloti.

Lechtik says Check Point's team concluded that the development of SiliVaccine has been ongoing for several years. "I highly doubt it was reverse-engineered," he says. "We think its more likely that it's much more a part of their" getting access to the software, he says.

Check Point shared its findings with Trend Micro, which confirmed that the software uses a module based on an older version of its AV scanning engine from more than ten years ago - VSAPI Scan Engine 8.9x - and that no source code is included in the software. Trend believes it's a case of software piracy, and that the fraudsters reverse-engineered the software as its own.

"It appears that a compiled code library was illegally copied, repacked, and then wrapped with additional application code not originating from Trend Micro to build a normal AV scanning application called SiliVaccine," Trend Micro's Clay says. "The authors of the SiliVaccine product intentionally removed a specific heuristic detection in their product's version of the pattern file."

In the end, there doesn't appear to be any risk to legitimate users of Trend Micro's AV software since it's such an old version, and SiliVaccine has its own encrypted files that can't be used by existing Trend Micro AV products. "The result is that it would be impossible for a Trend Micro product to accidentally or even intentionally use a SiliVaccine modified pattern file since Trend Micro products perform pattern integrity checks," Clay says.

Clay says the incident suggests that North Korea has programmers with reverse-engineering skills. "As such, any software vendor should be concerned that North Korea could do the same with their code."

It also indicates they didn't want to develop their own AV scanner: "They needed an AV scanner and did not want to put in the time or effort to develop their own so they illegally obtained a publicly available scanner and modified it for their own use," Clay says.

Dark Hotel Clue

Journalist Martyn Williams in July 2014 received a sketchy email from a purported Japanese engineer with a news tip that included a Dropbox-hosted zip file with SiliVaccine software and a file posing as a patch for the AV program. The phony patch turned out to be a camouflaged piece of JAKU malware, which is a Trojan dropper which has been tied to DarkHotel, a North Korean cyber espionage group.

The JAKU file was also signed with a certificate from the same "company" that had also signed malware files for the Dark Hotel nation-state hacking group thought to be out of North Korea.

"We can't really say the JAKU bundled in was part of SiliVaccine; it might be … but more likely Martyn [Williams] was the target here" of a cyber espionage campaign, Lechtik says.

JAKU to date has infected 19,000 victims mostly via malicious BitTorrent share files. It's typically known for targeting and monitoring individuals in South Korea and Japan who work for non-governmental organizations, engineering firms, government, as well as academia.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/2/2018 | 2:14:02 PM
Re: Copying
It was a quick and cheap way for NK to get its own proprietary AV for its citizens, customizing it so they can still implant malware or other tracking tools to monitor their online communciations on the NK intranet.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/2/2018 | 9:47:13 AM
Copying
They say copying is the sincerest form of flattery. Without seeing the program code, I would imagine the core logic behind most of these traditional AV's is pretty consistent. No need to really steal from one another.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.