0:00:00.000,0:00:18.684
35C3 preroll music
0:00:18.684,0:00:26.150
Herald: So our next speaker is Mark Lechtik and he is going to talk about
0:00:26.150,0:00:33.280
SiliVaccine, North Korea's weapon of mass detection. Mark is the malware research
0:00:33.280,0:00:38.470
team leader at Check Point and he deals with reverse engineering and malware
0:00:38.470,0:00:46.010
analysis both as occupation and as a hobby. So a huge round of applause to Mark
0:00:46.010,0:00:54.780
applause and we are starting the talk.
0:00:54.780,0:00:58.873
Mark Lechtik: Let's begin with a short video
0:00:58.873,0:01:00.094
Video
0:02:07.560,0:02:12.880
Laughter Ladies and gentlemen, for those of you who
0:02:12.880,0:02:19.700
don't know this lady in pink, her name is 리춘히, a good friend of mine, North Korea's
0:02:19.700,0:02:27.040
main news presenter. And she just turned 75 years old this July. Let's give her a
0:02:27.040,0:02:36.330
warm round of applause for her passionate introduction to SiliVaccine. Of course I'm
0:02:36.330,0:02:41.080
lying, she's not my friend, nor did she even speak about SiliVaccine in this
0:02:41.080,0:02:48.140
video. But still, kudos to her for grabbing your attention. And again, hello,
0:02:48.140,0:02:53.370
thank you for joining me for this talk titled "SiliVaccine - North Korea's weapon
0:02:53.370,0:03:01.590
of mass detection". Before I actually tell you about the research story here, I would
0:03:01.590,0:03:08.590
like to introduce you to the two notorious dissidents who are behind this infamous
0:03:08.590,0:03:13.900
research. You see them right here on the screen. One of them actually happens to be
0:03:13.900,0:03:20.430
me. My name is Mark Lechtik. As previously mentioned, I'm the malware research team
0:03:20.430,0:03:27.880
leader at Check Point and my partner in crime for this research is named Michael
0:03:27.880,0:03:33.540
Kajiloti. Unfortunately, he couldn't be here today because he's on a vacation in
0:03:33.540,0:03:39.540
Hawaii probably drinking some smoothie from a coconut. So I thought this would be
0:03:39.540,0:03:47.330
a better picture. To Michael, have a lot of fun in your travel. Come home safely
0:03:47.330,0:03:56.040
and beware of Koreans who stare at you suspiciously. Now, we both work at
0:03:56.040,0:04:01.120
Check Point as mentioned and without further ado let me give you a little bit
0:04:01.120,0:04:09.920
of a background for this research. So this whole research actually began at one point
0:04:09.920,0:04:15.470
this year around March when I was looking for something to read on Twitter and then
0:04:15.470,0:04:21.079
I stumbled upon this article you see right here titled "Inside North Korea's Hacker
0:04:21.079,0:04:27.260
Army" by Bloomberg and it's actually a pretty interesting piece, I recommend you
0:04:27.260,0:04:37.210
to read it. It discusses in particular a North Korean defector who was drafted to
0:04:37.210,0:04:42.900
work for a government agency in North Korea and ended up raising money for the
0:04:42.900,0:04:51.780
regime through hacking. And an interesting thing I noted throughout this publication
0:04:51.780,0:04:58.570
is that the author tried to portray some kind of a narrative of North Korean state
0:04:58.570,0:05:05.590
sponsored cyber operations and in particular in one paragraph he gives a
0:05:05.590,0:05:10.750
representation of what seems to be the North Korean government's official comment
0:05:10.750,0:05:16.540
to various hacking allegations made against North Korea by the West. And
0:05:16.540,0:05:21.840
here's a quote: "So formally, North Korea denies engaging in hacking and describes
0:05:21.840,0:05:27.710
accusations to that effect as 'enemy propaganda'. It says its overseas computer
0:05:27.710,0:05:33.090
efforts are directed at promoting its antivirus software in the global market.
0:05:33.090,0:05:36.870
The country has for more than a decade been working on such programs including
0:05:36.870,0:05:43.270
one called SiliVaccine." Now looking at this, you're probably asking yourselves:
0:05:43.270,0:05:48.760
What the hell is SiliVaccine? Well, as you may understand by now, SiliVaccine is an
0:05:48.760,0:05:54.210
antivirus that is developed and used exclusively in North Korea. So this is
0:05:54.210,0:06:01.160
basically a North Korean antivirus. Or how I like to call it: The Kim Jong Un-tivirus.
0:06:01.160,0:06:08.190
laughter Now obviously this is a very rare product. You can't find it on
0:06:08.190,0:06:12.770
the Internet, you cannot download it anywhere. It basically resides only inside
0:06:12.770,0:06:18.850
the DPRK. As far as we could tell in this research it's actively developed since
0:06:18.850,0:06:25.320
2003 and the version that I'm going to focus on here today is version 4.0, which
0:06:25.320,0:06:33.920
was released in 2013. Just as a caveat: We are also in possession of another version
0:06:33.920,0:06:39.870
from 2005, which was one of the early versions of SiliVaccine and I will mention
0:06:39.870,0:06:44.900
it a little bit later throughout this talk. Now if you know anything about North
0:06:44.900,0:06:51.340
Korea, then one thing you should note is that there is actually no internet inside
0:06:51.340,0:06:57.590
North Korea, right. Instead, what they have is what's called an Intranet, which
0:06:57.590,0:07:06.729
is this highly restricted but glorified local area network; and, having that in
0:07:06.729,0:07:12.110
mind, you must be thinking "Why the hell would North Korea use an antivirus in the
0:07:12.110,0:07:17.340
first place?". Well, there are a few interesting explanations for that: One,
0:07:17.340,0:07:23.050
the more exotic one, is to actually protect against threats that might reside
0:07:23.050,0:07:28.201
within media that is smuggled to the country. And for this matter as an
0:07:28.201,0:07:32.979
example, it turns out that there is actually a phenomenon of USB sticks with
0:07:32.979,0:07:40.229
Western media that somehow magically find their way inside North Korea. And then
0:07:40.229,0:07:46.409
they get sold in the country's black market to citizens. And I know it sounds
0:07:46.409,0:07:50.860
totally fucked up, but remember, it's North Korea and to convince you a little
0:07:50.860,0:07:56.460
bit better, you're invited to go to this website called "flash drives for freedom",
0:07:56.460,0:08:03.699
which is actually a crowd-sourced funding project for USB sticks that get written
0:08:03.699,0:08:14.620
with content from the West and smuggled into North Korea. So just a fun fact, if
0:08:14.620,0:08:20.930
you have any kind of problems with your local IRS, don't worry. The smuggled USB
0:08:20.930,0:08:28.800
stick is 100 percent tax refundable. As for the content inside of it, well, it
0:08:28.800,0:08:35.650
contains just all kinds of information, entertainment content from the West like
0:08:35.650,0:08:42.830
Wikipedia articles and South Korean soap operas, which somehow managed to threaten
0:08:42.830,0:08:48.500
the North Korean regime. But anyways, there's also another explanation for the
0:08:48.500,0:08:53.890
existence of this antivirus, and this is the fact that is actually stated by North
0:08:53.890,0:08:59.650
Korea itself, is to raise money for the regime by selling this product in the
0:08:59.650,0:09:05.920
worldwide market. As a matter of fact to corroborate this, we can refer to the 2005
0:09:05.920,0:09:10.060
version of SiliVaccine that I mentioned previously, which you can see here on the
0:09:10.060,0:09:15.700
screen, was written both in Korean and English, which might hint at the fact that
0:09:15.700,0:09:20.700
whoever wrote this version tried to make it more appealing for English-speaking
0:09:20.700,0:09:27.540
users as well as Korean ones. Now you also must be asking yourselves: "How the hell
0:09:27.540,0:09:32.840
did we get our hands on the software in the first place?" Well, the answer to this
0:09:32.840,0:09:37.590
lies in the Bloomberg article I mentioned earlier. It linked to a blogpost by this
0:09:37.590,0:09:44.720
guy named Martin Williams. Martin Williams is a journalist who covers various kinds
0:09:44.720,0:09:51.970
of news items related to North Korea. And he actually got this particular software
0:09:51.970,0:09:57.080
through, I would say, a slightly suspicious email from a guy calling
0:09:57.080,0:10:02.910
himself Kang Yong Hak, a security engineer from Japan, who wanted to give it to him
0:10:02.910,0:10:08.050
as a journalistic lead. And remember this email, we will talk about it a little bit
0:10:08.050,0:10:14.940
later. Now of course Martin was kind enough to share the software with us and
0:10:14.940,0:10:20.420
it's the place to thank him for making this whole research possible. Now what did
0:10:20.420,0:10:25.390
we want to find out in this research? So first of all, we wanted to understand the
0:10:25.390,0:10:31.100
technical structure of the software. How is it built? Through which we hope to get
0:10:31.100,0:10:36.779
somewhat of an anthropological view on some of the practices employed by the
0:10:36.779,0:10:44.300
North Korean engineers, meaning how engineers with restricted resources tackle
0:10:44.300,0:10:50.840
a big project like building an antivirus from scratch. Also we wanted to see if we
0:10:50.840,0:10:57.110
can find any kind of abnormal behavior inside this antivirus. Some things that
0:10:57.110,0:11:02.720
could have been left in place and expose some hidden agenda of the developers and
0:11:02.720,0:11:07.630
in particular we tried to locate any potential backdoor that could have been
0:11:07.630,0:11:13.200
deliberately put in place as a means of surveillance against the citizens. So with
0:11:13.200,0:11:22.790
that in mind let's take a short overview of the antivirus architecture and for this
0:11:22.790,0:11:27.000
matter let's start with the software libraries that comprise it, the first of
0:11:27.000,0:11:33.680
which is called SV shell. This is just a basic shell extension that introduces this
0:11:33.680,0:11:41.020
entry in the context menu which you can see if you click the right mouse button.
0:11:41.020,0:11:48.480
And this is basically meant to just do a manual scan on a file using SiliVaccine.
0:11:48.480,0:11:52.590
And you know what - let's just test this feature and see if it works. So here we
0:11:52.590,0:12:01.480
have malware, we right-click, we press on this feature and nothing happens which is
0:12:01.480,0:12:06.589
really just some kind of a bug that we see right from the very beginning of testing
0:12:06.589,0:12:12.990
this antivirus. Spoiler: there are more, but never mind. Let's move on. The next
0:12:12.990,0:12:19.230
component we see here is one called SVKernel.dll. Now this is in fact the file
0:12:19.230,0:12:24.240
scanning engine of this antivirus. And this is really the core component that
0:12:24.240,0:12:31.269
contains the logic that implements virus scanning of files. This .dll exposes roughly
0:12:31.269,0:12:37.410
20 export functions with the names SVfunc001 through SVfunc020 - very
0:12:37.410,0:12:42.630
ambiguous naming convention - and they are of course used in conjunction with
0:12:42.630,0:12:48.370
patterns or signatures which is the content that allows the software to decide
0:12:48.370,0:12:54.910
if a given file is malicious or not. Then we have another group of components which
0:12:54.910,0:13:01.170
is pretty self-explanatory. These are the GUI components the first of which is this
0:13:01.170,0:13:07.920
tray menu you can see on the right corner of the screen. And this little menu allows
0:13:07.920,0:13:15.360
you to execute any other GUI menus in this antivirus. For instance you can see the
0:13:15.360,0:13:23.260
following menu where you can do a full scan on the file system. You can play
0:13:23.260,0:13:29.670
around with some of the configurations of this antivirus. It's also possible to do
0:13:29.670,0:13:35.260
some whitelisting and blacklisting actions. And basically this is a GUI one-
0:13:35.260,0:13:43.550
stop shop for all of this antivirus' features and other... oh, before talking
0:13:43.550,0:13:48.250
about the other components, SVMain actually communicates with a driver called
0:13:48.250,0:13:54.980
SVHook.sys. This is a driver that is meant to convey some information to SVMain
0:13:54.980,0:14:01.390
from the kernel space. We will discuss this driver a little bit later. Then we
0:14:01.390,0:14:07.790
have the update mechanism of the antivirus which will basically download any kind of
0:14:07.790,0:14:13.029
update binaries and components or update signatures and will verify them with an
0:14:13.029,0:14:20.070
external component called SVDiffUpd.exe. And of course, as I mentioned, everything
0:14:20.070,0:14:27.430
here resides inside North Korea's Intranet. So this update client will
0:14:27.430,0:14:33.060
communicate with a server inside North Korea and it will do so using a custom
0:14:33.060,0:14:38.720
update protocol which works on top of the HTTP protocol. And here you can see some
0:14:38.720,0:14:43.670
of the messages exchanged between this update client and server. And one thing I
0:14:43.670,0:14:49.050
would like you to notice is the vast amount of information conveyed through
0:14:49.050,0:14:54.149
this update protocol. You can see fields like a serial number, some kind of an
0:14:54.149,0:15:00.700
interface ID and IP which is for the most part kind of suspicious. I mean, why the
0:15:00.700,0:15:06.720
hell do they need all of this information just for an update mechanism? But since we
0:15:06.720,0:15:12.709
don't have any access to the server or any kind of way to understand how the user
0:15:12.709,0:15:18.050
communicates with it we can't really tell why this information is collected so we'll
0:15:18.050,0:15:24.610
just leave this fact as is. Another interesting thing is that the whole HTTP
0:15:24.610,0:15:31.779
protocol was manually implemented by the developers and along the way they made some
0:15:31.779,0:15:37.040
interesting mistakes, for instance the Content-Length field of the HTTP header is
0:15:37.040,0:15:43.220
written with an underscore here which is kind of a mistake. It's not the way it is
0:15:43.220,0:15:50.399
intended to be used. Also the authors wanted to convey the update client's
0:15:50.399,0:15:56.610
identity to the server and they did so with the User-Agent which is a pretty
0:15:56.610,0:16:02.360
typical way of doing this but instead of only using the User-Agent they added
0:16:02.360,0:16:08.400
another field called "User-Dealer". I have no idea what kind of dealer they had in
0:16:08.400,0:16:14.990
mind laughter but obviously this has nothing to do with the HTTP protocol. And
0:16:14.990,0:16:20.089
speaking of dealers there is yet another component here called SVDealer.exe which
0:16:20.089,0:16:25.330
is actually the real-time scanning component of this antivirus which you can
0:16:25.330,0:16:31.160
enable through the tray menu as well. And this particular component will use another
0:16:31.160,0:16:38.170
driver called SVFilter.sys which is a file system filter driver meant to intercept
0:16:38.170,0:16:47.910
all kinds of access to the file system and issue the underlying file to a scan prior
0:16:47.910,0:16:52.800
to actually doing any kind of action on it. And, again, we'll discuss this
0:16:52.800,0:16:57.890
particular driver later on. At this point I should mention that the two components
0:16:57.890,0:17:02.959
here that actually do any kind of scanning tests are SVDealer and SVMain that you see
0:17:02.959,0:17:07.839
here on the screen. Obviously they would have to use the file scanning engine for
0:17:07.839,0:17:12.270
this purpose and also a bunch of signatures which are represented through a
0:17:12.270,0:17:20.429
series of files called the pattern files. Another thing here that we have is a
0:17:20.429,0:17:27.609
driver that I'm not going to talk about at all. This is a driver called ststdi2.sys.
0:17:27.609,0:17:32.010
This is basically a TDI network filter driver. If you don't have any idea what I
0:17:32.010,0:17:35.890
just said, this is perfectly fine because this driver does absolutely nothing
0:17:35.890,0:17:40.919
laughter. It just resides inside this antivirus and collects all kinds of
0:17:40.919,0:17:45.510
information about TCP connections and it should be queried theoretically by other
0:17:45.510,0:17:50.420
components. But no one ever queries it so it seems like it's just some kind of a
0:17:50.420,0:17:56.350
residue from previous versions of SiliVaccine. So we'll just leave it be, I
0:17:56.350,0:18:01.430
guess. And another interesting point here is that a lot of these components you see
0:18:01.430,0:18:08.580
here were protected with a legitimate protector, a commercial protector called
0:18:08.580,0:18:13.140
Themida which - if you heard of it, you probably know - it's a pain in the ass to
0:18:13.140,0:18:19.380
reverse engineer. Luckily for us, whoever used this protector did not enable a lot
0:18:19.380,0:18:26.870
of its features and we could unpack it with moderate efforts. This is the full
0:18:26.870,0:18:31.380
architecture of this antivirus. I'm not going to go any further in it. You can
0:18:31.380,0:18:38.020
read about it in our publication, full publication about this software. Actually
0:18:38.020,0:18:43.530
I want to focus in all of this complicated scheme on one particular component which I
0:18:43.530,0:18:48.520
already discussed. This is SVKernel.dll. I remind you: this is the file scanning
0:18:48.520,0:18:54.919
engine of the antivirus. This is really the heart and soul of this whole software
0:18:54.919,0:18:59.000
and this is why we're going to talk about it next. And I would like to begin this
0:18:59.000,0:19:05.560
discussion about this component with what every good reverse engineer looks at. And
0:19:05.560,0:19:10.500
these are strings, of course. And the first thing we did was to open this file
0:19:10.500,0:19:17.090
and look at its strings and, like every professional reverse engineer, we looked
0:19:17.090,0:19:22.620
them up on Google laughter and here is, ladies and gentlemen, where it actually
0:19:22.620,0:19:29.280
gets interesting because it turns out that if we look it up on Google we come to another
0:19:29.280,0:19:39.870
file called vsapi32.dll. Now what is vsapi32.dll? As it turns out, this is yet
0:19:39.870,0:19:45.090
another file scanning engine. Actually it's a file scanning engine belonging to a
0:19:45.090,0:19:52.940
big corporation in the security field and that is Trend Micro laughter which we
0:19:52.940,0:19:59.240
thought was kind of surprising. And looking at this, we thought: does it mean
0:19:59.240,0:20:06.220
that this .dll is in some way incorporated inside SiliVaccine? Did they use any kind
0:20:06.220,0:20:12.250
of interesting way of incorporating its functionality inside their engine? Well,
0:20:12.250,0:20:19.340
let's find out laughter. So here on the screen you can see what's called the
0:20:19.340,0:20:26.710
binary diff. This is a binary comparison between those two engines. On the left
0:20:26.710,0:20:29.640
side you can see the Trend Micro engine and on the right side you can see the
0:20:29.640,0:20:35.160
SiliVaccine engine and actually you can notice a few things here. For one, there's
0:20:35.160,0:20:42.220
a 100 percent match between more than a thousand functions of those two engines. A
0:20:42.220,0:20:48.550
thousand functions is like a quarter of SiliVaccine's engine code. And then you
0:20:48.550,0:20:53.950
can see also that there's a 100 percent match on some of the export functions. In
0:20:53.950,0:20:59.290
fact, if you look at all of the first 18 export functions in SiliVaccine, you
0:20:59.290,0:21:05.830
realize they somehow map to functions of Trend Micro. And as an example, just take
0:21:05.830,0:21:11.250
three of these functions and look at their call flow graphs in IDA and we can see that
0:21:11.250,0:21:16.400
they're pretty similar for the most part, but I would say it's more interesting to
0:21:16.400,0:21:21.810
note the small nuances or the small differences between those particular
0:21:21.810,0:21:26.070
functions. And as an example let's take this pair of functions, VSinit and
0:21:26.070,0:21:31.640
SVfunc005. Well, one interesting thing we noticed at the very beginning is that
0:21:31.640,0:21:37.550
while Trend Micro's engine uses mostly libc functions like "memset", for
0:21:37.550,0:21:44.819
instance, the equivalent in SiliVaccine would at some points in-line those
0:21:44.819,0:21:50.010
functions, it would use function inlining to convey the same function and that
0:21:50.010,0:21:55.580
essentially hints at the fact that the developer of SiliVaccine could have
0:21:55.580,0:22:01.169
recompiled this particular Trend Micro code with some kind of a compiler
0:22:01.169,0:22:06.169
optimization that was not applied on the original engine. You can see another
0:22:06.169,0:22:10.540
example for this right here, with the "memcpy" and "qmemcpy", its in-line
0:22:10.540,0:22:17.840
equivalent. And let's look at another pair for this matter. So we have VSgetVSCinfo
0:22:17.840,0:22:24.299
and SVfunc004. Once again, function inlining. But another artifact that was
0:22:24.299,0:22:32.100
left here are these numbers you see right here. So it turns out that this particular
0:22:32.100,0:22:37.090
field that is populated in this structure you see here is actually the engine
0:22:37.090,0:22:44.680
version of this antivirus and it turns out that the engine version used inside
0:22:44.680,0:22:53.260
SiliVaccine is 8.910 which is an engine released by Trend Micro back in 2008. Now
0:22:53.260,0:23:00.799
recall that this software is from 2013. So basically whoever wrote this was using a
0:23:00.799,0:23:07.590
five year old engine inside his code. And finally, let's look at another pair:
0:23:07.590,0:23:14.910
VSquit and SVfunc006. Once again, you can see a call to a proprietary SiliVaccine
0:23:14.910,0:23:19.549
function inside what used to be a Trend Micro function. This is just some kind of
0:23:19.549,0:23:24.619
a clean up function for a driver called "svio" which has nothing to do with Trend
0:23:24.619,0:23:34.420
Micro. And this again strengthens this kind of speculation that, when compiling
0:23:34.420,0:23:39.800
SiliVaccine, there was some kind of use of a proprietary resource that belongs to
0:23:39.800,0:23:47.770
Trend Micro. Well, I would like to mention at this point that this was not the only
0:23:47.770,0:23:53.630
instance of a Trend Micro engine we found in SiliVaccine. In the 2005 version which
0:23:53.630,0:24:01.630
I mentioned earlier we actually found a trace of another component by Trend Micro
0:24:01.630,0:24:07.610
which is called tmfilter.sys. This is actually a kernel mode equivalent of this
0:24:07.610,0:24:14.940
engine called vsapi32. And this really shows that this whole sort of copyright
0:24:14.940,0:24:20.240
infringement was not a one-time thing. It has been possibly going on for quite a few
0:24:20.240,0:24:26.410
years. Now, we reached out to Trend Micro to get the response and basically, just to
0:24:26.410,0:24:35.750
sum this up, Trend Micro says that, yes, SiliVaccine used a 10+ year old version of
0:24:35.750,0:24:41.000
their engine in their code. They said, like, "WTF? We did not do any
0:24:41.000,0:24:47.070
business with North Korea" laughter. Also they're saying, "We have no idea how
0:24:47.070,0:24:53.570
they got our engine." But they do hint at the fact that they worked with some
0:24:53.570,0:25:00.150
vendors as OEM back at that time and maybe it's possible that one of these OEMs
0:25:00.150,0:25:07.590
leaked their code or what not. So who knows. So other than, you know, looking at
0:25:07.590,0:25:12.990
this; other than saying that this is a very kind of secretive antivirus that's
0:25:12.990,0:25:18.830
developed inside North Korea, we couldn't help but notice that there are quite a lot
0:25:18.830,0:25:23.530
of mechanisms used by the authors to conceal the fact that they're using a
0:25:23.530,0:25:28.620
third party product. And again, I remind you: we just realized that SiliVaccine is
0:25:28.620,0:25:32.860
essentially using a Trend Micro engine and we thought - if they're using the same
0:25:32.860,0:25:36.169
engine this doesn't mean that they're actually using the same signatures as
0:25:36.169,0:25:42.600
well. So if we compare this on the surface then it seems that no because SiliVaccine
0:25:42.600,0:25:49.400
has multiple pattern files while Trend Micro has one single large file. And also
0:25:49.400,0:25:56.870
there seems to be no kind of similarity between them on the binary level, but if
0:25:56.870,0:26:02.120
we look a little bit deeper then we can find the place in the code where those
0:26:02.120,0:26:07.880
particular pattern files are being loaded. This happens in SVKernel.dll in a
0:26:07.880,0:26:13.970
particular function called SVfunc19. And what happens there is that the name of the
0:26:13.970,0:26:21.419
particular pattern file of one of the pattern files is being calculated or
0:26:21.419,0:26:26.520
generated, then a handle to this file is obtained, the contents of the file are
0:26:26.520,0:26:32.059
being read, then this particular file is being decrypted, the decrypted chunk is
0:26:32.059,0:26:36.830
appended to some buffer in memory, the ID of this chunk is incremented and this
0:26:36.830,0:26:42.150
whole process repeats. So essentially what this function does is to load the pattern
0:26:42.150,0:26:47.460
files one by one, decrypt them and append them all together. Now before I talk a
0:26:47.460,0:26:51.480
little more about the encryption here, let's talk a little bit about the
0:26:51.480,0:26:56.770
encryption key because there's something interesting here. So this is the
0:26:56.770,0:27:04.440
encryption key used there. A seemingly random English string. We thought: "does
0:27:04.440,0:27:10.049
it mean anything in Korean?". It doesn't mean anything in any language, actually,
0:27:10.049,0:27:14.990
but an interesting thing happens when we take this particular string to a Korean-
0:27:14.990,0:27:22.899
English keyboard and we try to type it while accidentally forgetting to switch to
0:27:22.899,0:27:29.029
English. So we get this Korean string. And if we translate this Korean string to
0:27:29.029,0:27:35.970
English, turns out that it literally means "pattern encryption" laughter and
0:27:35.970,0:27:53.530
applause. Thank you. laughter OK, so we decided to look a bit deeper now regarding
0:27:53.530,0:27:58.370
the encryption itself. We saw a lot of encryption mechanics inside. Some have
0:27:58.370,0:28:04.270
some cryptographic artifacts that resemble the Shahwan algorithm, for instance, and
0:28:04.270,0:28:08.980
all kinds of other stuff. We basically didn't really bother understanding this
0:28:08.980,0:28:12.900
whole mechanism very deeply because we were interested in the decrypted pattern
0:28:12.900,0:28:19.080
files which we could simply dump from memory and that's what we did. And after
0:28:19.080,0:28:26.060
dumping this from memory and comparing the two signature files one to another we can
0:28:26.060,0:28:30.841
actually see a similarity in the header and if we scroll a little bit down we can
0:28:30.841,0:28:35.130
also see that there is quite much of a similarity in strings. Actually there is
0:28:35.130,0:28:41.049
more than 90 percent match on the strings in those two files. And the difference is
0:28:41.049,0:28:48.069
probably due to the version of those pattern files. Now that's not the end. We
0:28:48.069,0:28:54.550
decided to test this thing. So we scanned a bunch of files with SiliVaccine. They
0:28:54.550,0:28:59.479
were all detected. We scanned them also with Trend Micro. They were also detected.
0:28:59.479,0:29:04.250
But there is something interesting here. Although they're using the same signatures
0:29:04.250,0:29:09.180
and same strings the detection names are totally different. And that is, ladies and
0:29:09.180,0:29:15.120
gentlemen, suspicious. So it turns out there's a reason for this and the reason
0:29:15.120,0:29:20.610
is that SiliVaccine actually renames the signature names before displaying them to
0:29:20.610,0:29:26.780
the user. And here is how this works. So basically SiliVaccine will take a Trend
0:29:26.780,0:29:34.830
Micro signature name, for this purpose "TROJ_STEAL-1". It would then replace it,
0:29:34.830,0:29:42.730
strip it of the underscores and dashes and then replace the prefix with some kind of
0:29:42.730,0:29:47.980
word based on a string based on a predefined dictionary. It will also
0:29:47.980,0:29:55.050
replace the suffix from a number to a letter. It will modify the casing, append
0:29:55.050,0:29:59.970
everything together with dots and this is how you get a SiliVaccine signature
0:29:59.970,0:30:06.580
laughter. So looking at all of this it's interesting to note that the authors are
0:30:06.580,0:30:11.610
probably trying to hide something. So just to summarize all of these hiding
0:30:11.610,0:30:17.559
mechanisms, let's just briefly take a look at what we've already seen. So basically
0:30:17.559,0:30:22.620
all of the files or most of the files in this software are protected with Themida,
0:30:22.620,0:30:28.450
a commercial protector, which means that the binary files do not have any kind of
0:30:28.450,0:30:34.300
string artifacts that allow a researcher to understand what he's looking at. Also
0:30:34.300,0:30:39.340
the pattern files are encrypted so we don't have any string artifacts there. You
0:30:39.340,0:30:45.590
can't understand from those signature files what you're looking at. And finally,
0:30:45.590,0:30:49.800
the malware signatures are renamed in real time, so it means that even in real time
0:30:49.800,0:30:55.970
you cannot tell what was the original signature or where it came from. So
0:30:55.970,0:31:00.220
essentially the user and a researcher won't have any way of knowing that this
0:31:00.220,0:31:05.721
product is using the engine of Trend Micro, which is puzzling. So, moving on -
0:31:05.721,0:31:11.890
let's talk about more of the fishy things that go on inside of this product. Namely,
0:31:11.890,0:31:18.219
while analyzing it, we've seen a lot of the following instances of this string,
0:31:18.219,0:31:27.260
"Mal.Nucrp.F", and we realized that, based on its format, it's probably some kind of
0:31:27.260,0:31:33.279
a signature name. So we decided to understand what it was. We ran our
0:31:33.279,0:31:41.039
algorithm in reverse and we get the following detection name - "Mal_NUCRP-5".
0:31:41.039,0:31:44.390
But what's the deal with the signature, why does it even stand out from the other
0:31:44.390,0:31:51.270
ones? Well, here are two instances where this particular signature name is used. So
0:31:51.270,0:31:55.370
here you can see actually that what happens with this signature is that a file
0:31:55.370,0:32:01.409
is being scanned to detect if it's malicious or not. Then, if it was found to
0:32:01.409,0:32:05.820
be malicious, its detection name is[br]compared against the string and if that's
0:32:05.820,0:32:12.630
the case, then SiliVaccine will simply[br]ignore this file laughter, which is
0:32:12.630,0:32:20.120
suspicious laughter. Now, of course, we[br]wanted to test this thing so we ran 6
0:32:20.120,0:32:25.799
files that were supposed to be detected[br]with this particular detection name. In
0:32:25.799,0:32:31.299
Trend Micro they were all detected. Then[br]we decided to run them in SiliVaccine and
0:32:31.299,0:32:36.470
nothing was detected laughter. And[br]actually, this is quite surprising because
0:32:36.470,0:32:40.870
we did a little bit of QA on this and it[br]turns out that for the most part it's
0:32:40.870,0:32:45.820
okay. But then in one instance they made a[br]typo and in the white list it's something
0:32:45.820,0:32:52.510
called "Mal.Nurcrp.F" laughter which has[br]no equivalent in Trend Micro's engine,
0:32:52.510,0:32:59.090
which begs the question: WTF is "nucrp"?[br]And according to Trend Micro's
0:32:59.090,0:33:06.059
Encyclopedia, which is a thing apparently,[br]"MAL_NUCRP-5" is described as some kind of
0:33:06.059,0:33:12.100
a signature related to some old malware[br]named "NUWAR", "TUBS", "ZHELAT". We
0:33:12.100,0:33:16.980
checked all of them. They have no relation[br]whatsoever to North Korea. But deeper
0:33:16.980,0:33:22.429
inspection of this signature name reveals[br]that actually this "mal" prefix you see
0:33:22.429,0:33:28.309
right here means that this is a generic[br]detection that flags files based on some
0:33:28.309,0:33:34.160
heuristic which, in essence, might detect[br]a whole spectrum of files. So
0:33:34.160,0:33:38.020
unfortunately, based only on this[br]information, we cannot know what malware
0:33:38.020,0:33:43.909
was exactly detected here or really if it[br]was malware at all. But we can still
0:33:43.909,0:33:49.029
speculate on why this whitelist thing was[br]done. And for one, the most obvious
0:33:49.029,0:33:53.200
speculation would be that there is some[br]kind of an existing North Korean tool
0:33:53.200,0:33:57.740
installed on citizens' computers and the[br]authors didn't want to trigger an alert
0:33:57.740,0:34:02.720
about it being malicious. It's also[br]possible that the authors wanted some
0:34:02.720,0:34:08.929
option to develop such a tool in the[br]future and they inserted this signature in
0:34:08.929,0:34:13.418
order to conceal this future component[br]with this particular whitelisting
0:34:13.418,0:34:20.309
mechanism. It's also possible that since[br]the authors used a third party engine, the
0:34:20.309,0:34:26.569
Trend Micro engine, that this signature[br]mistakenly detected one of SiliVaccine's
0:34:26.569,0:34:31.969
original components as malware, which they[br]clearly wanted to avoid. And of course
0:34:31.969,0:34:37.809
it's also possible that this whole thing[br]is some kind of an idiotic false positive
0:34:37.809,0:34:45.119
management fix. But I would say this is[br]unlikely. All right - let's move on and
0:34:45.119,0:34:50.708
talk about the kernel side of SiliVaccine.[br]And remember: SiliVaccine has three kernel
0:34:50.708,0:34:55.749
mode drivers, but actually only two of[br]them are utilized, SVfilter and
0:34:55.749,0:35:02.539
SVHook.sys. So let's focus on them. And we[br]started snooping around and looking at
0:35:02.539,0:35:07.630
these drivers. And the first thing we[br]noticed is some fishy stuff like the fact
0:35:07.630,0:35:13.849
that its entry point resides in the .reloc[br]section and that it's supposedly packed
0:35:13.849,0:35:20.330
with some kind of a packer called[br]"BopCrypt" which we never heard of. And we
0:35:20.330,0:35:25.420
looked around "BopCrypt"; turned out this[br]is an old Russian PE packer that
0:35:25.420,0:35:30.569
supposedly contains some common protection[br]features such as anti-debug measures and
0:35:30.569,0:35:35.380
polymorphic code. Now this is not really[br]good news when dealing with the kernel
0:35:35.380,0:35:40.939
driver because who wants to debug[br]polymorphic code in the kernel. So we
0:35:40.939,0:35:46.309
thought: wait a second, before we dive in[br]and do all of this stuff maybe we can
0:35:46.309,0:35:50.390
actually find some kind of an answer by[br]looking at this file again from the
0:35:50.390,0:35:56.839
outside. And turns out that our answer was[br]right there and our answer is 42
0:35:56.839,0:36:03.299
laughter. Actually it's hex 42. So[br]evidently, this whole crazy protection
0:36:03.299,0:36:09.559
scheme here is that the text section that[br]contains the actual driver is XORed with a
0:36:09.559,0:36:16.710
single byte of the value 42 hex. So with[br]this insane protection mechanism which we
0:36:16.710,0:36:23.160
were able to bypass we were able to look[br]at the drivers themselves and the first
0:36:23.160,0:36:27.499
one of them, SVfilter.sys - I remind you[br]that this is a file system filter driver -
0:36:27.499,0:36:31.959
this is loaded and utilized by SVDealer.[br]This is the real time scanning component
0:36:31.959,0:36:36.839
and it has two main functionalities. One[br]is to actually scan files upon access so
0:36:36.839,0:36:42.500
it would intercept any kind of activity[br]with the file system and it would take the
0:36:42.500,0:36:50.319
underlying file and would issue it to[br]SVDealer to conduct a scan on it and also
0:36:50.319,0:36:55.490
it's actually used to protect the[br]antivirus's binaries themselves to avoid
0:36:55.490,0:37:04.450
any kind of malfunction against them by[br]the user. And it really took us quite some
0:37:04.450,0:37:09.210
time to realize that these are the only[br]two things that this driver does because
0:37:09.210,0:37:14.940
the code for them is really a mess. And[br]I'm going to save you some time and
0:37:14.940,0:37:20.300
explain the flaw of this driver by[br]simplifying it a little bit. So this is
0:37:20.300,0:37:26.779
how SVfilter.sys works in a nutshell. The[br]first action it does is waste time
0:37:26.779,0:37:34.279
laughter. So it does a lot of redundant[br]checks that seem to have no effect on this
0:37:34.279,0:37:39.450
code whatsoever. Then it moves on to see[br]if the file scanned here is actually
0:37:39.450,0:37:44.690
binary related to the antivirus itself. Of[br]course, if it is, then it will deny access
0:37:44.690,0:37:51.160
to it. Then it moves to the very important[br]action of wasting a lot more time
0:37:51.160,0:37:58.430
laughter by doing what seems to be[br]pretty much garbage code. And finally at
0:37:58.430,0:38:04.040
some point it will take the file, it will[br]scan it and if the file seems to be
0:38:04.040,0:38:09.269
malicious then it will deny the access to[br]it. Otherwise it will allow the access. So
0:38:09.269,0:38:14.950
this is pretty much everything to say[br]about SVfilter. There was another driver
0:38:14.950,0:38:23.859
called SVHook.sys which is utilized by the[br]main GUI component, SVMain.exe. You look
0:38:23.859,0:38:28.289
at this name, you think, yes, it probably[br]hooks stuff. No - it doesn't actually hook
0:38:28.289,0:38:35.730
anything. It's actually used to query some[br]kind of process object data from the
0:38:35.730,0:38:43.660
kernel and really it's quite a[br]confusing driver because it seems to have
0:38:43.660,0:38:50.960
like 13 ioctls. Only 3 are ever used and[br]it's highly, highly buggy. There's a lot
0:38:50.960,0:39:01.420
of bugs there. So for instance, we've seen[br]the following function where there's an
0:39:01.420,0:39:10.270
ioctl issued to this driver and it really[br]seems that those two components, SVMain
0:39:10.270,0:39:15.910
and SVHook, were really developed by two[br]different developers. So here we can see
0:39:15.910,0:39:24.680
that this programmer who wrote this[br]particular ioctl call actually used a
0:39:24.680,0:39:31.209
buffer of size 12. Now you would assume[br]that those two developers have agreed that
0:39:31.209,0:39:36.869
this should be the buffer size, right?[br]Well, evidently the second developer was
0:39:36.869,0:39:42.520
not really notified about this and in fact[br]checks explicitly that the buffer size is
0:39:42.520,0:39:50.819
12 and if that's the case nothing happens[br]laughter. Which really is a piece of
0:39:50.819,0:39:58.549
shit code that does nothing laughter. So[br]while looking into this, we tried to dig a
0:39:58.549,0:40:03.130
little bit deeper and understand why those[br]bugs happen and we think we have an
0:40:03.130,0:40:10.009
answer. So just strolling around we see a[br]lot of this. If you look at this you
0:40:10.009,0:40:14.609
realize that you're looking at a lot of[br]debug prints used by the author and you
0:40:14.609,0:40:22.549
see that one of the parts of the strings[br]referenced here is "sub_00something" which
0:40:22.549,0:40:27.809
is an IDA-auto-generated name. Which to[br]me, ladies and gentlemen, seems like
0:40:27.809,0:40:33.390
instead of looking at authentic code, we[br]were in fact reverse engineering a
0:40:33.390,0:40:38.319
reverse-engineered driver. So essentially[br]what happened here is that the developer
0:40:38.319,0:40:46.069
of SVHook took some driver, decompiled it,[br]copied the code and added a bunch of debug
0:40:46.069,0:40:51.599
prints in order to try to understand what[br]he was copying and it seems he didn't only
0:40:51.599,0:40:57.599
fail to understand it but he also forgot[br]to remove this trail of debug prints. That
0:40:57.599,0:41:05.339
demonstrates his elite coding skills. So[br]we are nearly at the end and we talked
0:41:05.339,0:41:10.089
quite a bit about the technical parts here[br]but to get the full picture I think it's a
0:41:10.089,0:41:15.980
good idea to look at the development story[br]behind the software. So in essence, who is
0:41:15.980,0:41:22.099
behind SiliVaccine? Well, to tackle this[br]question we resorted to some version info
0:41:22.099,0:41:26.660
that can be found inside the antivirus's[br]binaries. And there we found some version
0:41:26.660,0:41:30.710
manifest that pointed at several[br]companies, the first one of which is
0:41:30.710,0:41:35.790
called PGI (Pyongyang Guangdong[br]Information Technology). It seems to be
0:41:35.790,0:41:40.190
some kind of a North Korean establishment,[br]a known one, that specializes in network
0:41:40.190,0:41:46.559
security software. But really the more[br]interesting company that we found there
0:41:46.559,0:41:53.660
was called "STS Tech-Service" which is[br]really this kind of shady company that has
0:41:53.660,0:41:58.369
no trace of its activity online. We[br]couldn't find any kind of artifact that
0:41:58.369,0:42:08.190
shows what this company does or what is[br]its main field of occupation. So we still
0:42:08.190,0:42:14.940
can answer some questions about STS tech[br]service. For instance we can say that STS
0:42:14.940,0:42:20.910
tech service is highly likely based in the[br]DPRK, North Korea, and that is due to this
0:42:20.910,0:42:25.549
brochure you see here on the screen which[br]is taken from a trade fair that took place
0:42:25.549,0:42:32.649
in Pyongyang back in 2006. And in this[br]particular trade fair this company, STS
0:42:32.649,0:42:38.099
Tech-Service, they participated. We[br]contacted the organizers and they actually
0:42:38.099,0:42:42.809
confirmed that STS Tech-Service did come[br]from North Korean side. Still, some
0:42:42.809,0:42:47.329
questions remain. Is that a private[br]company in North Korea or is that even a
0:42:47.329,0:42:51.569
thing? Is that a government entity? Is[br]that the same thing in North Korea? We
0:42:51.569,0:42:59.310
don't know. Actually, another source told[br]us that this company might be a
0:42:59.310,0:43:04.089
subdivision of the KPA (where KPA stands[br]for Korean People's Army), but we have no
0:43:04.089,0:43:09.589
way of corroborating this. And you[br]remember that Trend Micro stated that
0:43:09.589,0:43:16.719
their engine could have been leaked from[br]third party. Could that third party be
0:43:16.719,0:43:21.809
this company? Well we don't know actually,[br]but what we did see and which was really
0:43:21.809,0:43:28.299
interesting is a particular connection[br]between North Korea and Japan that repeats
0:43:28.299,0:43:33.400
throughout this whole research so for one[br]we've already seen that SVKernel is
0:43:33.400,0:43:40.599
basically some kind of modified version of[br]Trend Micro's engine. But then we've also
0:43:40.599,0:43:45.450
seen that STS Tech-Service at some point[br]cooperated with a company called Silver
0:43:45.450,0:43:51.910
Star Japan on a particular application. As[br]a matter of fact it not only cooperated
0:43:51.910,0:43:55.630
with them but also with another company[br]called Magnolia which also resides in
0:43:55.630,0:44:00.680
Japan. Actually Silver Star and Magnolia[br]reside in the same address in Japan, which
0:44:00.680,0:44:05.890
is quite interesting. And then in a[br]particular instance all of these three
0:44:05.890,0:44:12.400
companies - Magnolia, Silver Star and STS[br]Tech-Service cooperated with the KCC, a
0:44:12.400,0:44:17.989
very famous North Korean research[br]establishment, the Korean Computer Center,
0:44:17.989,0:44:24.249
on another application. And it's important[br]to say that while we can be very easily
0:44:24.249,0:44:29.010
drawn to some conclusions here and[br]speculate on some very wild scenarios,
0:44:29.010,0:44:33.440
especially given the fact that North Korea[br]and Japan are not friends, we need to
0:44:33.440,0:44:37.720
remember that this is just a crazy web of[br]connections that we unraveled here. And
0:44:37.720,0:44:41.400
actually we cannot say much about this[br]other than pointing out the connections
0:44:41.400,0:44:49.440
themselves. Still I can say that we did[br]find some traces of maliciousness in this
0:44:49.440,0:44:56.809
whole package and at this point we[br]thought: all right, we are done with the
0:44:56.809,0:45:04.599
research; could it be that there is no[br]malware or backdoor here? Well, it turns
0:45:04.599,0:45:11.419
out that if we look back on this e-mail[br]sent by this supposedly Japanese engineer,
0:45:11.419,0:45:18.340
Kang yong hak and reinspect the installer[br]provided in this particular email, then
0:45:18.340,0:45:23.039
actually it has no metadata. And that's[br]not surprising because this installer is
0:45:23.039,0:45:26.880
in fact a self-[br]extracting archive which contains the real
0:45:26.880,0:45:33.660
installer of SiliVaccine. But then it also[br]contains another file called "SVpatch4.0"
0:45:33.660,0:45:39.759
which - well, OK. But when you look at the[br]metadata you see it's supposedly related
0:45:39.759,0:45:47.220
to Microsoft automatic updates which is,[br]again, highly suspicious laughter. Now,
0:45:47.220,0:45:52.209
we decided to look deeper in this file and[br]it turns out that actually this file is a
0:45:52.209,0:45:57.349
signed binary. And if you look the issue[br]up on Google we come to a Kaspersky report
0:45:57.349,0:46:03.079
about the Darkhotel APT. Very alarming.[br]And then we decided to dig deeper and
0:46:03.079,0:46:07.999
analyze this file. So we did some[br]analysis. We realized that this is
0:46:07.999,0:46:15.529
actually the stage one malware from a[br]known campaign called Jaku uncovered by
0:46:15.529,0:46:23.500
Forcepoint in 2016. Now what is Jaku? Jaku[br]was an ongoing botnet campaign, it
0:46:23.500,0:46:28.790
targeted mainly North Korea and Japan. And[br]while it infected a lot of victims the
0:46:28.790,0:46:34.089
later stages of the malware - stages 2 and[br]3 - were only used against a select group
0:46:34.089,0:46:39.140
of individuals with North Korea and[br]Pyongyang being the common theme between
0:46:39.140,0:46:44.089
them. Now another interesting connection[br]that was outlined by Forcepoint is between
0:46:44.089,0:46:49.140
Jaku and Darkhotel which is really further[br]evidence to this kind of an interesting
0:46:49.140,0:46:55.919
connection on top of what we saw with the[br]certificate used previously. Now who could
0:46:55.919,0:47:00.220
be the target here? It could be the case[br]that every SiliVaccine installation is
0:47:00.220,0:47:04.140
bundled with this malware, but we don't[br]think so. We actually think that the
0:47:04.140,0:47:09.610
target was Martyn Williams who deals[br]vastly with North Korea. And it is
0:47:09.610,0:47:17.219
possible that this particular malware was[br]used against him. So this is pretty much
0:47:17.219,0:47:21.759
the end and I would like to, before I let[br]you go, summarize everything that we've
0:47:21.759,0:47:29.749
seen in this talk. Let's look back and see[br]those things. So for one we have seen that
0:47:29.749,0:47:35.719
SiliVaccine has been illegally using Trend[br]Micro's engine and it was not a one-time
0:47:35.719,0:47:43.029
thing. It has been done at least two times[br]and probably over multiple versions and
0:47:43.029,0:47:50.279
for several years. Then we've also seen[br]that the authors of SiliVaccine tried to
0:47:50.279,0:47:56.799
conceal the fact that they used this[br]engine with some interesting mechanism.
0:47:56.799,0:48:02.979
Then we've seen that there is an explicit[br]whitelisting of a particular signature and
0:48:02.979,0:48:08.989
that the installation of SiliVaccine comes[br]bundled with the malware called Jaku. Now,
0:48:08.989,0:48:13.870
while having these understandings we still[br]have some unanswered questions. For
0:48:13.870,0:48:19.809
instance, we've seen that there are some[br]artifacts that point at the fact that the
0:48:19.809,0:48:24.509
code of SiliVaccine might have been[br]recompiled with some other optimizations
0:48:24.509,0:48:29.661
that were not in Trend Micro's engine in[br]the first place. So, having said that, how
0:48:29.661,0:48:34.669
did the SiliVaccine authors obtain such an[br]access to a proprietary resource? We have
0:48:34.669,0:48:42.949
no idea. Also this white-listed signature[br]- we cannot say what it represents. It's a
0:48:42.949,0:48:48.259
heuristic signature so we cannot really[br]tell if it was trying to whitelist a
0:48:48.259,0:48:54.569
malicious tool or a benign software. It's[br]not very clear. And then also the Jaku
0:48:54.569,0:48:59.829
malware. Since we only have one instance[br]of this particular software from 2013 it's
0:48:59.829,0:49:06.039
hard to say if it's bundled with all[br]versions or only with this one. And while
0:49:06.039,0:49:10.719
I can't answer all of these questions[br]concisely I do want to point out that
0:49:10.719,0:49:16.299
throughout this research we've seen a lot[br]of effort done to develop this particular
0:49:16.299,0:49:21.359
product and through this effort we've[br]stumbled upon quite many illegal and shady
0:49:21.359,0:49:27.999
practices employed by the DPRK to develop[br]their own homebrew software. A software
0:49:27.999,0:49:33.079
that, remember, maybe sometime in another[br]time and in a perfect world could have
0:49:33.079,0:49:37.839
been totally legitimate. And with that in[br]mind I would like to thank you for your
0:49:37.839,0:49:41.884
attention and hope you enjoy your time at[br]CCC.
0:49:41.884,0:49:53.004
applause
0:49:53.004,0:50:02.339
Herald: Thank you, Mark, that was[br]wonderful. We have plenty of time for
0:50:02.339,0:50:08.029
questions and we have two microphones. One[br]is in the middle of the room and one is
0:50:08.029,0:50:14.430
sort of outside of the stage. So please[br]queue up if you want to ask questions. And
0:50:14.430,0:50:17.229
we already have a question on the[br]microphone 1.
0:50:17.229,0:50:20.800
Audience member 1: Do you have any idea[br]why they chose Trend Micro over any other
0:50:20.800,0:50:22.990
engine?[br]Mark: Excuse me, could you repeat the
0:50:22.990,0:50:25.659
question and raise your hand, because I[br]didn't see you?
0:50:25.659,0:50:29.009
Audience member 1: Do you have any idea[br]why they chose Trend Micro and not any
0:50:29.009,0:50:35.039
other engine, like an open source engine?[br]Mark: Do I have any idea of Trend Micro
0:50:35.039,0:50:38.039
tools is what? I'm sorry.[br]Audience member 1: Do you have any idea
0:50:38.039,0:50:41.749
why Trend Micro was chosen by them?[br]Mark: Ah, why Trend Micro.
0:50:41.749,0:50:43.989
Audience member 1: In comparison to[br]anything else?
0:50:43.989,0:50:46.069
Mark: Actually I have no idea. I really[br]don't.
0:50:46.069,0:50:48.579
Audience member 1: Thank you.[br]Mark: If you know, then tell me, please.
0:50:48.579,0:50:51.430
laughter[br]Herald: microphone 2.
0:50:51.430,0:50:57.229
Audience member 2: So have you looked at[br]the fact that this antipiracy is a .exe.
0:50:57.229,0:51:02.039
So it runs on Windows but all of North[br]Korea runs with Red Star OS which is a
0:51:02.039,0:51:05.709
Unix.[br]Mark: Well, as far as I could tell from
0:51:05.709,0:51:10.959
people I discussed with who do know a few[br]things about North Korea actually Red Star
0:51:10.959,0:51:15.769
OS is not the most common operating system[br]there. In fact it's barely used because,
0:51:15.769,0:51:23.359
well, to say it shortly, it's shit but[br]they do use what seems to be some kind of
0:51:23.359,0:51:29.359
Chinese versions of Windows XP and Windows[br]7. So this is intended to run on these
0:51:29.359,0:51:33.519
operating systems.[br]Herald: Thank you. Another question from
0:51:33.519,0:51:36.039
mic 1.[br]Audience member 3: How did you get the
0:51:36.039,0:51:42.139
2005 version of the antivirus?[br]Mark: Come to me later and I'll tell you.
0:51:42.139,0:51:46.669
laughter[br]Herald: Mic 1, please.
0:51:46.669,0:51:51.499
Audience member 4: Yeah I just wanted to[br]know if you checked that the Jaku malware
0:51:51.499,0:51:57.400
was not part of this whitelist program.[br]Mark: Oh yes, we checked it. Actually this
0:51:57.400,0:52:05.349
was not the white-listed signature. It was[br]actually not detected by SiliVaccine, but
0:52:05.349,0:52:09.400
it was also not detectable by Trend[br]Micro. It was not detected by anyone
0:52:09.400,0:52:15.809
actually so it was not the white-listed[br]signature.
0:52:15.809,0:52:20.506
Herald: Thank you. That's all. Thank you,[br]Mark. Thank you for the amazing talk.
0:52:20.506,0:52:22.726
applause
0:52:22.726,0:52:27.912
35C3 postroll music
0:52:27.912,0:52:45.000
subtitles created by c3subtitles.de[br]in the year 2019. Join, and help us!