WEBVTT
00:00:00.000 --> 00:00:18.684
35C3 preroll music
00:00:18.684 --> 00:00:26.150
Herald: So our next speaker is Mark
Lechtik and he is going to talk about
00:00:26.150 --> 00:00:33.280
SiliVaccine, North Korea's weapon of mass
detection. Mark is the malware research
00:00:33.280 --> 00:00:38.470
team leader at Check Point and he deals
with reverse engineering and malware
00:00:38.470 --> 00:00:46.010
analysis both as occupation and as a
hobby. So a huge round of applause to Mark
00:00:46.010 --> 00:00:54.780
applause and we are starting the talk.
00:00:54.780 --> 00:00:58.873
Mark Lechtik: Let's begin with a short video
00:00:58.873 --> 00:01:00.094
Video
00:02:07.560 --> 00:02:12.880
Laughter
Ladies and gentlemen, for those of you who
00:02:12.880 --> 00:02:19.700
don't know this lady in pink, her name is
리춘히, a good friend of mine, North Korea's
00:02:19.700 --> 00:02:27.040
main news presenter. And she just turned
75 years old this July. Let's give her a
00:02:27.040 --> 00:02:36.330
warm round of applause for her passionate
introduction to SiliVaccine. Of course I'm
00:02:36.330 --> 00:02:41.080
lying, she's not my friend, nor did she
even speak about SiliVaccine in this
00:02:41.080 --> 00:02:48.140
video. But still, kudos to her for
grabbing your attention. And again, hello,
00:02:48.140 --> 00:02:53.370
thank you for joining me for this talk
titled "SiliVaccine - North Korea's weapon
00:02:53.370 --> 00:03:01.590
of mass detection". Before I actually tell
you about the research story here, I would
00:03:01.590 --> 00:03:08.590
like to introduce you to the two notorious
dissidents who are behind this infamous
00:03:08.590 --> 00:03:13.900
research. You see them right here on the
screen. One of them actually happens to be
00:03:13.900 --> 00:03:20.430
me. My name is Mark Lechtik. As previously
mentioned, I'm the malware research team
00:03:20.430 --> 00:03:27.880
leader at Check Point and my partner in
crime for this research is named Michael
00:03:27.880 --> 00:03:33.540
Kajiloti. Unfortunately, he couldn't be
here today because he's on vacation in
00:03:33.540 --> 00:03:39.540
Hawaii probably drinking some smoothie
from a coconut. So I thought this would be
00:03:39.540 --> 00:03:47.330
a better picture. To Michael, have a lot
of fun in your travel. Come home safely
00:03:47.330 --> 00:03:56.040
and beware of Koreans who stare at you
suspiciously. Now, we both work at
00:03:56.040 --> 00:04:01.120
Check Point as mentioned and without
further ado let me give you a little bit
00:04:01.120 --> 00:04:09.920
of a background for this research. So this
whole research actually began at one point
00:04:09.920 --> 00:04:15.470
this year around March when I was looking
for something to read on Twitter and then
00:04:15.470 --> 00:04:21.079
I stumbled upon this article you see right
here titled "Inside North Korea's Hacker
00:04:21.079 --> 00:04:27.260
Army" by Bloomberg and it's actually a
pretty interesting piece, I recommend you
00:04:27.260 --> 00:04:37.210
to read it. It discusses in particular a
North Korean defector who was drafted to
00:04:37.210 --> 00:04:42.900
work for a government agency in North
Korea and ended up raising money for the
00:04:42.900 --> 00:04:51.780
regime through hacking. And an interesting
thing I noted throughout this publication
00:04:51.780 --> 00:04:58.570
is that the author tried to portray some
kind of a narrative of North Korean state
00:04:58.570 --> 00:05:05.590
sponsored cyber operations and in
particular in one paragraph he gives a
00:05:05.590 --> 00:05:10.750
representation of what seems to be the
North Korean government's official comment
00:05:10.750 --> 00:05:16.540
to various hacking allegations made
against North Korea by the West. And
00:05:16.540 --> 00:05:21.840
here's a quote: "So formally, North Korea
denies engaging in hacking and describes
00:05:21.840 --> 00:05:27.710
accusations to that effect as 'enemy
propaganda'. It says its overseas computer
00:05:27.710 --> 00:05:33.090
efforts are directed at promoting its
antivirus software in the global market.
00:05:33.090 --> 00:05:36.870
The country has for more than a decade
been working on such programs including
00:05:36.870 --> 00:05:43.270
one called SiliVaccine. Now looking at
this, you're probably asking yourselves:
00:05:43.270 --> 00:05:48.760
What the hell is SiliVaccine? Well, as you
may understand by now, SiliVaccine is an
00:05:48.760 --> 00:05:54.210
antivirus that is developed and used
exclusively in North Korea. So this is
00:05:54.210 --> 00:06:01.160
basically a North Korean antivirus. Or how
I like to call it: The Kim Jong Un-tivirus.
00:06:01.160 --> 00:06:08.190
laughter Now obviously this is
a very rare product. You can't find it on
00:06:08.190 --> 00:06:12.770
the Internet, you cannot download it
anywhere. It basically resides only inside
00:06:12.770 --> 00:06:18.850
the DPRK. As far as we could tell in this
research it's actively developed since
00:06:18.850 --> 00:06:25.320
2003 and the version that I'm going to
focus on here today is version 4.0, which
00:06:25.320 --> 00:06:33.920
was released in 2013. Just as a caveat: We
are also in possession of another version
00:06:33.920 --> 00:06:39.870
from 2005, which was one of the early
versions of SiliVaccine and I will mention
00:06:39.870 --> 00:06:44.900
it a little bit later throughout this
talk. Now if you know anything about North
00:06:44.900 --> 00:06:51.340
Korea, then one thing you should note is
that there is actually no internet inside
00:06:51.340 --> 00:06:57.590
North Korea, right. Instead, what they
have is what's called an Intranet, which
00:06:57.590 --> 00:07:06.729
is this highly restricted but glorified
local area network; and, having that in
00:07:06.729 --> 00:07:12.110
mind, you must be thinking "Why the hell
would North Korea use an antivirus in the
00:07:12.110 --> 00:07:17.340
first place?". Well, there are a few
interesting explanations for that: One,
00:07:17.340 --> 00:07:23.050
the more exotic one, is to actually
protect against threats that might reside
00:07:23.050 --> 00:07:28.201
within media that is smuggled to the
country. And for this matter as an
00:07:28.201 --> 00:07:32.979
example, it turns out that there is
actually a phenomenon of USB sticks with
00:07:32.979 --> 00:07:40.229
Western media that somehow magically find
their way inside North Korea. And then
00:07:40.229 --> 00:07:46.409
they get sold in the country's black
market to citizens. And I know it sounds
00:07:46.409 --> 00:07:50.860
totally fucked up, but remember, it's
North Korea and to convince you a little
00:07:50.860 --> 00:07:56.460
bit better, you're invited to go to this
website called "flash drives for freedom",
00:07:56.460 --> 00:08:03.699
which is actually a crowd-sourced funding
project for USB sticks that get written
00:08:03.699 --> 00:08:14.620
with content from the West and smuggled
into North Korea. So just a fun fact, if
00:08:14.620 --> 00:08:20.930
you have any kind of problems with your
local IRS, don't worry. The smuggled USB
00:08:20.930 --> 00:08:28.800
stick is 100 percent tax refundable. As
for the content inside of it, well, it
00:08:28.800 --> 00:08:35.650
contains just all kinds of information,
entertainment content from the West like
00:08:35.650 --> 00:08:42.830
Wikipedia articles and South Korean soap
operas, which somehow managed to threaten
00:08:42.830 --> 00:08:48.500
the North Korean regime. But anyways,
there's also another explanation for the
00:08:48.500 --> 00:08:53.890
existence of this antivirus, and this is
the fact that is actually stated by North
00:08:53.890 --> 00:08:59.650
Korea itself, is to raise money for the
regime by selling this product in the
00:08:59.650 --> 00:09:05.920
worldwide market. As a matter of fact, to
corroborate this, we can refer to the 2005
00:09:05.920 --> 00:09:10.060
version of SiliVaccine that I mentioned
previously, which you can see here on the
00:09:10.060 --> 00:09:15.700
screen; it was written both in Korean and
English, which might hint at the fact that
00:09:15.700 --> 00:09:20.700
whoever wrote this version tried to make
it more appealing for English-speaking
00:09:20.700 --> 00:09:27.540
users as well as Korean ones. Now you also
must be asking yourselves: "How the hell
00:09:27.540 --> 00:09:32.840
did we get our hands on the software in
the first place?" Well, the answer to this
00:09:32.840 --> 00:09:37.590
lies in the Bloomberg article I mentioned
earlier. It linked to a blogpost by this
00:09:37.590 --> 00:09:44.720
guy named Martin Williams. Martin Williams
is a journalist who covers various kinds
00:09:44.720 --> 00:09:51.970
of news items related to North Korea. And
he actually got this particular software
00:09:51.970 --> 00:09:57.080
through, I would say, a slightly
suspicious email from a guy calling
00:09:57.080 --> 00:10:02.910
himself Kang Yong Hak, a security engineer
from Japan, who wanted to give it to him
00:10:02.910 --> 00:10:08.050
as a journalistic lead. And remember this
email, we will talk about it a little bit
00:10:08.050 --> 00:10:14.940
later. Now of course Martin was kind
enough to share the software with us and
00:10:14.940 --> 00:10:20.420
it's the place to thank him for making
this whole research possible. Now what did
00:10:20.420 --> 00:10:25.390
we want to find out in this research? So
first of all, we wanted to understand the
00:10:25.390 --> 00:10:31.100
technical structure of the software. How
is it built? Through which we hope to get
00:10:31.100 --> 00:10:36.779
somewhat of an anthropological view on
some of the practices employed by the
00:10:36.779 --> 00:10:44.300
North Korean engineers meaning how
engineers with restricted resources tackle
00:10:44.300 --> 00:10:50.840
a big project like building an antivirus
from scratch. Also we wanted to see if we
00:10:50.840 --> 00:10:57.110
can find any kind of abnormal behavior
inside this antivirus. Some things that
00:10:57.110 --> 00:11:02.720
could have been left in place and expose
some hidden agenda of the developers and
00:11:02.720 --> 00:11:07.630
in particular we try to locate any
potential backdoor that could have been
00:11:07.630 --> 00:11:13.200
deliberately put in place as a means of
surveillance against the citizens. So with
00:11:13.200 --> 00:11:22.790
that in mind let's take a short overview
of the antivirus architecture and for this
00:11:22.790 --> 00:11:27.000
matter let's start with the software
libraries that comprise it, the first of
00:11:27.000 --> 00:11:33.680
which is called SV shell. This is just a
basic shell extension that introduces this
00:11:33.680 --> 00:11:41.020
entry in the context menu which you can
see if you click the right mouse button.
00:11:41.020 --> 00:11:48.480
And this is basically meant to just do a
manual scan on a file using SiliVaccine.
00:11:48.480 --> 00:11:52.590
And you know what - let's just test this
feature and see if it works. So here we
00:11:52.590 --> 00:12:01.480
have malware, we right-click, we press on
this feature and nothing happens which is
00:12:01.480 --> 00:12:06.589
really just some kind of a bug that we see
right from the very beginning of testing
00:12:06.589 --> 00:12:12.990
this antivirus spoiler. There are more,
but never mind. Let's move on. The next
00:12:12.990 --> 00:12:19.230
component we see here is one called
SVKernel.dll. Now this is in fact the file
00:12:19.230 --> 00:12:24.240
scanning the engine of this antivirus. And
this is really the core component that
00:12:24.240 --> 00:12:31.269
contains the logic that implements virus
scanning of files. This .dll exposes roughly
00:12:31.269 --> 00:12:37.410
20 export functions with the names
SVfunc001 through SVfunc020 - very
00:12:37.410 --> 00:12:42.630
ambiguous naming convention - and they are
of course used in conjunction with
00:12:42.630 --> 00:12:48.370
patterns or signatures which is the
content that allows the software to decide
00:12:48.370 --> 00:12:54.910
if a given file is malicious or not. Then
we have another group of components which
00:12:54.910 --> 00:13:01.170
is pretty self-explanatory. These are the
GUI components the first of which is this
00:13:01.170 --> 00:13:07.920
tray menu you can see on the right corner
of the screen. And this little menu allows
00:13:07.920 --> 00:13:15.360
you to execute any other GUI menus in this
antivirus. For instance you can see the
00:13:15.360 --> 00:13:23.260
following menu where you can do a full
scan on the file system. You can play
00:13:23.260 --> 00:13:29.670
around with some of the configurations of
this antivirus. It's also possible to do
00:13:29.670 --> 00:13:35.260
some whitelisting and blacklisting
actions. And basically this is a GUI one-
00:13:35.260 --> 00:13:43.550
stop shop for all of this antivirus'
features and other... oh, before talking
00:13:43.550 --> 00:13:48.250
about the other components, SVmain
actually communicates with a driver called
00:13:48.250 --> 00:13:54.980
SVHook.sys. This is a driver that is meant
to convey some information as the main
00:13:54.980 --> 00:14:01.390
from the Kernel space. We will discuss
this driver a little bit later. Then we
00:14:01.390 --> 00:14:07.790
have the update mechanism of the antivirus
which will basically download any kind of
00:14:07.790 --> 00:14:13.029
update binaries and components or update
signatures and will verify them with an
00:14:13.029 --> 00:14:20.070
external component called SVDiffUpd.exe.
And of course, as I mentioned, everything
00:14:20.070 --> 00:14:27.430
here resides inside North Korea's
Intranet. So this update client will
00:14:27.430 --> 00:14:33.060
communicate with a server inside North
Korea and it will do so using a custom
00:14:33.060 --> 00:14:38.720
update protocol which works on top of the
HTTP protocol. And here you can see some
00:14:38.720 --> 00:14:43.670
of the messages exchanged between this
update client and server. And one thing I
00:14:43.670 --> 00:14:49.050
would like you to notice is the vast
amount of information conveyed through
00:14:49.050 --> 00:14:54.149
this update protocol. You can see fields
like a serial number, some kind of an
00:14:54.149 --> 00:15:00.700
interface ID and IP which is for the most
part kind of suspicious. I mean, why the
00:15:00.700 --> 00:15:06.720
hell do they need all of this information
just for an update mechanism? But since we
00:15:06.720 --> 00:15:12.709
don't have any access to the server or any
kind of way to understand how the user
00:15:12.709 --> 00:15:18.050
communicates with it we can't really tell
why this information is collected so we'll
00:15:18.050 --> 00:15:24.610
just leave this fact as is. Another
interesting thing is that the whole HTTP
00:15:24.610 --> 00:15:31.779
protocol was manually implemented by the
developers and along the way they made some
00:15:31.779 --> 00:15:37.040
interesting mistakes. For instance, the
content length field of the HTTP header is
00:15:37.040 --> 00:15:43.220
written with an underscore here which is
kind of a mistake. It's not the way it is
00:15:43.220 --> 00:15:50.399
intended to be used. Also the authors
wanted to convey the update client's
00:15:50.399 --> 00:15:56.610
identity to the server and they did so
with the user agent which is a pretty
00:15:56.610 --> 00:16:02.360
typical way of doing this but instead of
only using the user agent they added
00:16:02.360 --> 00:16:08.400
another field called "User-Dealer". I have
no idea what kind of dealer they had in
00:16:08.400 --> 00:16:14.990
mind laughter but obviously this has
nothing to do with the HTTP protocol. And
00:16:14.990 --> 00:16:20.089
speaking of dealers there is yet another
component here called SVDealer.exe which
00:16:20.089 --> 00:16:25.330
is actually the real-time scanning
component of this antivirus which you can
00:16:25.330 --> 00:16:31.160
enable through the tray menu as well. And
this particular component will use another
00:16:31.160 --> 00:16:38.170
driver called SVFilter.sys which is a file
system filter driver meant to intercept
00:16:38.170 --> 00:16:47.910
all kinds of access to the file system and
submit the underlying file for a scan prior
00:16:47.910 --> 00:16:52.800
to actually doing any kind of action on
it. And, again, we'll discuss this
00:16:52.800 --> 00:16:57.890
particular driver later on. At this point
I should mention that the two components
00:16:57.890 --> 00:17:02.959
here that actually do any kind of scanning
tests are SVDealer and SVMain that you see
00:17:02.959 --> 00:17:07.839
here on the screen. Obviously they would
have to use the file scanning engine for
00:17:07.839 --> 00:17:12.270
this purpose and also a bunch of
signatures which are represented through a
00:17:12.270 --> 00:17:20.429
series of files called the pattern files.
Another thing we have here is a
00:17:20.429 --> 00:17:27.609
driver that I'm not going to talk about at
all. This is a driver called ststdi2.sys.
00:17:27.609 --> 00:17:32.010
This is basically a TDI network filter
driver. If you don't have any idea what I
00:17:32.010 --> 00:17:35.890
just said, this is perfectly fine because
this driver does absolutely nothing
00:17:35.890 --> 00:17:40.919
laughter. It just resides inside this
antivirus and collects all kinds of
00:17:40.919 --> 00:17:45.510
information about TCP connections and it
should be queried theoretically by other
00:17:45.510 --> 00:17:50.420
components. But no one ever queries it so
it seems like it's just some kind of a
00:17:50.420 --> 00:17:56.350
residue from previous versions of
SiliVaccine. So we'll just leave it be, I
00:17:56.350 --> 00:18:01.430
guess. And another interesting point here
is that a lot of these components you see
00:18:01.430 --> 00:18:08.580
here were protected with a legitimate
protector, a commercial protector called
00:18:08.580 --> 00:18:13.140
Themida which - if you heard of it, you
probably know - it's a pain in the ass to
00:18:13.140 --> 00:18:19.380
reverse engineer. Luckily for us, whoever
used this protector did not enable a lot
00:18:19.380 --> 00:18:26.870
of its features and we could unpack it
with moderate efforts. This is the full
00:18:26.870 --> 00:18:31.380
architecture of this antivirus. I'm not
going to go any further in it. You can
00:18:31.380 --> 00:18:38.020
read about it in our publication, full
publication about this software. Actually
00:18:38.020 --> 00:18:43.530
I want to focus in all of this complicated
scheme on one particular component which I
00:18:43.530 --> 00:18:48.520
already discussed. This is SVKernel.dll. I
remind you: this is the file scanning
00:18:48.520 --> 00:18:54.919
engine of the antivirus. This is really
the heart and soul of this whole software
00:18:54.919 --> 00:18:59.000
and this is why we're going to talk about
it next. And I would like to begin this
00:18:59.000 --> 00:19:05.560
discussion about this component with what
every good reverse engineer looks at. And
00:19:05.560 --> 00:19:10.500
these are strings, of course. And the
first thing we did was to open this file
00:19:10.500 --> 00:19:17.090
and look at its strings and, like every
professional reverse engineer, we looked
00:19:17.090 --> 00:19:22.620
them up on Google laughter and here is,
ladies and gentlemen, where it actually
00:19:22.620 --> 00:19:29.280
gets interesting because it turns out that
if we look it up on Google we come to another
00:19:29.280 --> 00:19:39.870
file called vsapi32.dll. Now what is
vsapi32.dll? As it turns out, this is yet
00:19:39.870 --> 00:19:45.090
another file scanning engine. Actually
it's a file scanning engine belonging to a
00:19:45.090 --> 00:19:52.940
big corporation in the security field and
that is Trend Micro laughter which we
00:19:52.940 --> 00:19:59.240
thought was kind of surprising. And
looking at this, we thought: does it mean
00:19:59.240 --> 00:20:06.220
that this .dll is in some way incorporated
inside SiliVaccine? Did they use any kind
00:20:06.220 --> 00:20:12.250
of interesting way of incorporating its
functionality inside their engine? Well,
00:20:12.250 --> 00:20:19.340
let's find out laughter. So here on the
screen you can see what's called the
00:20:19.340 --> 00:20:26.710
binary diff. This is a binary comparison
between those two engines. On the left
00:20:26.710 --> 00:20:29.640
side you can see the Trend Micro engine
and on the right side you can see the
00:20:29.640 --> 00:20:35.160
SiliVaccine engine and actually you can
notice a few things here. For one, there's
00:20:35.160 --> 00:20:42.220
a 100 percent match between more than a
thousand functions of those two engines. A
00:20:42.220 --> 00:20:48.550
thousand functions is like a quarter of
SiliVaccine's engine code. And then you
00:20:48.550 --> 00:20:53.950
can see also that there's a 100 percent
match on some of the export functions. In
00:20:53.950 --> 00:20:59.290
fact, if you look at all of the first 18
export functions in SiliVaccine, you
00:20:59.290 --> 00:21:05.830
realize they somehow map to functions of
Trend Micro. And as an example, just take
00:21:05.830 --> 00:21:11.250
three of these functions and look at their
call flow graphs in IDA and we can see that
00:21:11.250 --> 00:21:16.400
they're pretty similar for the most part,
but I would say it's more interesting to
00:21:16.400 --> 00:21:21.810
note the small nuances or the small
differences between those particular
00:21:21.810 --> 00:21:26.070
functions. And as an example let's take
this pair of functions, VSinit and
00:21:26.070 --> 00:21:31.640
SVfunc005. Well, one interesting thing we
noticed at the very beginning is that
00:21:31.640 --> 00:21:37.550
while Trend Micro's engine uses mostly
libc functions like "memset", for
00:21:37.550 --> 00:21:44.819
instance, the equivalent in SiliVaccine
would at some points in-line those
00:21:44.819 --> 00:21:50.010
functions, it would use function inlining
to convey the same function and that
00:21:50.010 --> 00:21:55.580
essentially hints at the fact that the
developer of SiliVaccine could have
00:21:55.580 --> 00:22:01.169
recompiled this particular Trend Micro
code with some kind of a compiler
00:22:01.169 --> 00:22:06.169
optimization that was not applied on the
original engine. You can see another
00:22:06.169 --> 00:22:10.540
example for this right here, with the
"memcpy" and "qmemcpy", its in-line
00:22:10.540 --> 00:22:17.840
equivalent. And let's look at another pair
for this matter. So we have VSgetVSCinfo
00:22:17.840 --> 00:22:24.299
and SVfunc004. Once again, function
inlining. But another artifact that was
00:22:24.299 --> 00:22:32.100
left here are these numbers you see right
here. So it turns out that this particular
00:22:32.100 --> 00:22:37.090
field that is populated in this structure
you see here is actually the engine
00:22:37.090 --> 00:22:44.680
version of this antivirus and it turns out
that the engine version used inside
00:22:44.680 --> 00:22:53.260
SiliVaccine is 8.910 which is an engine
released by Trend Micro back in 2008. Now
00:22:53.260 --> 00:23:00.799
recall that this software is from 2013. So
basically whoever wrote this was using a
00:23:00.799 --> 00:23:07.590
five year old engine inside his code. And
finally, let's look at another pair:
00:23:07.590 --> 00:23:14.910
VSquit and SVfunc006. Once again, you can
see a call to a proprietary SiliVaccine
00:23:14.910 --> 00:23:19.549
function inside what used to be a Trend
Micro function. This is just some kind of
00:23:19.549 --> 00:23:24.619
a clean up function for a driver called
"svio" which has nothing to do with Trend
00:23:24.619 --> 00:23:34.420
Micro. And this again strengthens this
kind of speculation that, when compiling
00:23:34.420 --> 00:23:39.800
SiliVaccine, there was some kind of use of
a proprietary resource that belongs to
00:23:39.800 --> 00:23:47.770
Trend Micro. Well, I would like to mention
at this point that this was not the only
00:23:47.770 --> 00:23:53.630
instance of a Trend Micro engine we found
in SiliVaccine. In the 2005 version which
00:23:53.630 --> 00:24:01.630
I mentioned earlier we actually found a
trace of another component by Trend Micro
00:24:01.630 --> 00:24:07.610
which is called tmfilter.sys. This is
actually a kernel mode equivalent of this
00:24:07.610 --> 00:24:14.940
engine called vsapi32. And this really
shows that this whole sort of copyright
00:24:14.940 --> 00:24:20.240
infringement was not a one-time thing. It
has been possibly going on for quite a few
00:24:20.240 --> 00:24:26.410
years. Now, we reached out to Trend Micro
to get the response and basically, just to
00:24:26.410 --> 00:24:35.750
sum this up, Trend Micro says that, yes,
SiliVaccine used a 10+ year old version of
00:24:35.750 --> 00:24:41.000
their engine in their code. They
said, like, "WTF? We did not do any
00:24:41.000 --> 00:24:47.070
business with North Korea" laughter.
Also they're saying, "We have no idea how
00:24:47.070 --> 00:24:53.570
they got our engine." But they do hint at
the fact that they worked with some
00:24:53.570 --> 00:25:00.150
vendors as OEM back at that time and maybe
it's possible that one of these OEMs
00:25:00.150 --> 00:25:07.590
leaked their code or what not. So who
knows. So other than, you know, looking at
00:25:07.590 --> 00:25:12.990
this; other than saying that this is a
very kind of secretive antivirus that's
00:25:12.990 --> 00:25:18.830
developed inside North Korea, we couldn't
help but notice that there are quite a lot
00:25:18.830 --> 00:25:23.530
of mechanisms used by the authors to
conceal the fact that they're using a
00:25:23.530 --> 00:25:28.620
third party product. And again, I remind
you: we just realized that SiliVaccine is
00:25:28.620 --> 00:25:32.860
essentially using a Trend Micro engine and
we thought - if they're using the same
00:25:32.860 --> 00:25:36.169
engine this doesn't mean that they're
actually using the same signatures as
00:25:36.169 --> 00:25:42.600
well. So if we compare this on the surface
then it seems that no because SiliVaccine
00:25:42.600 --> 00:25:49.400
has multiple pattern files while Trend
Micro has one single large file. And also
00:25:49.400 --> 00:25:56.870
there seems to be no kind of similarity
between them on the binary level, but if
00:25:56.870 --> 00:26:02.120
we look a little bit deeper then we can
find the place in the code where those
00:26:02.120 --> 00:26:07.880
particular pattern files are being loaded.
This happens in SVKernel.dll in a
00:26:07.880 --> 00:26:13.970
particular function called SVfunc19. And
what happens there is that the name of the
00:26:13.970 --> 00:26:21.419
pattern file, one of the
pattern files, is being calculated or
00:26:21.419 --> 00:26:26.520
generated, then a handle to this file is
obtained, the contents of the file are
00:26:26.520 --> 00:26:32.059
being read, then this particular file is
being decrypted, the decrypted chunk is
00:26:32.059 --> 00:26:36.830
appended to some buffer in memory, the ID
of this chunk is incremented and this
00:26:36.830 --> 00:26:42.150
whole process repeats. So essentially what
this function does is to load the pattern
00:26:42.150 --> 00:26:47.460
files one by one, decrypt them and append
them all together. Now before I talk a
00:26:47.460 --> 00:26:51.480
little more about the encryption here,
let's talk a little bit about the
00:26:51.480 --> 00:26:56.770
encryption key because there's something
interesting here. So this is the
00:26:56.770 --> 00:27:04.440
encryption key used there. A seemingly
random English string. We thought: "does
00:27:04.440 --> 00:27:10.049
it mean anything in Korean?". It doesn't
mean anything in any language, actually,
00:27:10.049 --> 00:27:14.990
but an interesting thing happens when we
take this particular string to a Korean-
00:27:14.990 --> 00:27:22.899
English keyboard and we try to type it
while accidentally forgetting to switch to
00:27:22.899 --> 00:27:29.029
English. So we get this Korean string. And
if we translate this Korean string to
00:27:29.029 --> 00:27:35.970
English, turns out that it literally means
"pattern encryption" laughter and
00:27:35.970 --> 00:27:53.530
applause. Thank you. laughter. OK, so we
decided to look a bit deeper now regarding
00:27:53.530 --> 00:27:58.370
the encryption itself. We saw a lot of
encryption mechanics inside. Some have
00:27:58.370 --> 00:28:04.270
some cryptographic artifacts that resemble
the SHA-1 algorithm, for instance, and
00:28:04.270 --> 00:28:08.980
all kinds of other stuff. We basically
didn't really bother understanding this
00:28:08.980 --> 00:28:12.900
whole mechanism very deeply because we
were interested in the decrypted pattern
00:28:12.900 --> 00:28:19.080
files which we could simply dump from
memory and that's what we did. And after
00:28:19.080 --> 00:28:26.060
dumping this from memory and comparing the
two signature files one to another we can
00:28:26.060 --> 00:28:30.841
actually see a similarity in the header
and if we scroll a little bit down we can
00:28:30.841 --> 00:28:35.130
also see that there is quite a lot of
similarity in strings. Actually there is
00:28:35.130 --> 00:28:41.049
more than 90 percent match on the strings
in those two files. And the difference is
00:28:41.049 --> 00:28:48.069
probably due to the version of those
pattern files. Now that's not the end. We
00:28:48.069 --> 00:28:54.550
decided to test this thing. So we scanned
a bunch of files with SiliVaccine. They
00:28:54.550 --> 00:28:59.479
were all detected. We scanned them also
with Trend Micro. They were also detected.
00:28:59.479 --> 00:29:04.250
But there is something interesting here.
Although they're using the same signatures
00:29:04.250 --> 00:29:09.180
and same strings the detection names are
totally different. And that is, ladies and
00:29:09.180 --> 00:29:15.120
gentlemen, suspicious. So it turns out
there's a reason for this and the reason
00:29:15.120 --> 00:29:20.610
is that SiliVaccine actually renames the
signature names before displaying them to
00:29:20.610 --> 00:29:26.780
the user. And here is how this works. So
basically SiliVaccine will take a Trend
00:29:26.780 --> 00:29:34.830
Micro signature name, for this purpose
"TROJ_STEAL-1". It would then replace it,
00:29:34.830 --> 00:29:42.730
strip it of the underscores and dashes and
then replace the prefix with some kind of
00:29:42.730 --> 00:29:47.980
word based on a string based on a
predefined dictionary. It will also
00:29:47.980 --> 00:29:55.050
replace the suffix from a number to a
letter. It will modify the casing, append
00:29:55.050 --> 00:29:59.970
everything together with dots and this is
how you get a SiliVaccine signature
00:29:59.970 --> 00:30:06.580
laughter. So looking at all of this it's
interesting to note that the authors are
00:30:06.580 --> 00:30:11.610
probably trying to hide something. So just
to summarize all of these hiding
00:30:11.610 --> 00:30:17.559
mechanisms, let's just briefly take a look
at what we've already seen. So basically
00:30:17.559 --> 00:30:22.620
all of the files or most of the files in
this software are protected with Themida,
00:30:22.620 --> 00:30:28.450
a commercial protector, which means that
the binary files do not have any kind of
00:30:28.450 --> 00:30:34.300
string artifacts that allow a researcher
to understand what he's looking at. Also
00:30:34.300 --> 00:30:39.340
the pattern files are encrypted so we
don't have any string artifacts there. You
00:30:39.340 --> 00:30:45.590
can't understand from those signature
files what you're looking at. And finally,
00:30:45.590 --> 00:30:49.800
the malware signatures are renamed in real
time, so it means that even in real time
00:30:49.800 --> 00:30:55.970
you cannot tell what was the original
signature or where it came from. So
00:30:55.970 --> 00:31:00.220
essentially the user and a researcher
won't have any way of knowing that this
00:31:00.220 --> 00:31:05.721
product is using the engine of Trend
Micro, which is puzzling. So, moving on -
00:31:05.721 --> 00:31:11.890
let's talk about more of the fishy things
that go inside of this product. Namely,
00:31:11.890 --> 00:31:18.219
while analyzing it, we've seen a lot of
the following instances of this string,
00:31:18.219 --> 00:31:27.260
"Mal.Nucrp.F", and we realized that, based
on its format, it's probably some kind of
00:31:27.260 --> 00:31:33.279
a signature name. So we decided to
understand what it was. We ran our
00:31:33.279 --> 00:31:41.039
algorithm in reverse and we get the
following detection name - "Mal_NUCRP-5".
00:31:41.039 --> 00:31:44.390
But what's the deal with the signature,
why does it even stand out from the other
00:31:44.390 --> 00:31:51.270
ones? Well, here are two instances where
this particular signature name is used. So
00:31:51.270 --> 00:31:55.370
here you can see actually that what
happens with this signature is that a file
00:31:55.370 --> 00:32:01.409
is being scanned to detect if it's
malicious or not. Then, if it was found to
00:32:01.409 --> 00:32:05.820
be malicious, its detection name is
compared against the string and if that's
00:32:05.820 --> 00:32:12.630
the case, then SiliVaccine will simply
ignore this file laughter, which is
00:32:12.630 --> 00:32:20.120
suspicious laughter. Now, of course, we
wanted to test this thing so we ran 6
00:32:20.120 --> 00:32:25.799
files that were supposed to be detected
with this particular detection name. In
00:32:25.799 --> 00:32:31.299
Trend Micro they were all detected. Then
we decided to run them in SiliVaccine and
00:32:31.299 --> 00:32:36.470
nothing was detected laughter. And
actually, this is quite surprising because
00:32:36.470 --> 00:32:40.870
we did a little bit of QA on this and it
turns out that for the most part it's
00:32:40.870 --> 00:32:45.820
okay. But then in one instance they made a
typo and in the white list it's something
00:32:45.820 --> 00:32:52.510
called "Mal.Nurcrp.F" laughter which has
no equivalent in Trend Micro's engine,
00:32:52.510 --> 00:32:59.090
which begs the question: WTF is "nucrp"?
And according to Trend Micro's
00:32:59.090 --> 00:33:06.059
Encyclopedia, which is a thing apparently,
"MAL_NUCRP-5" is described as some kind of
00:33:06.059 --> 00:33:12.100
a signature related to some old malware
named "NUWAR", "TUBS", "ZHELAT". We
00:33:12.100 --> 00:33:16.980
checked all of them. They have no relation
whatsoever to North Korea. But deeper
00:33:16.980 --> 00:33:22.429
inspection of this signature name reveals
that actually this "mal" prefix you see
00:33:22.429 --> 00:33:28.309
right here means that this is a generic
detection that flags files based on some
00:33:28.309 --> 00:33:34.160
heuristic which, in essence, might detect
a whole spectrum of files. So
00:33:34.160 --> 00:33:38.020
unfortunately, based only on this
information, we cannot know what malware
00:33:38.020 --> 00:33:43.909
was exactly detected here or really if it
was malware at all. But we can still
00:33:43.909 --> 00:33:49.029
speculate on why this whitelist thing was
done. And for one, the most obvious
00:33:49.029 --> 00:33:53.200
speculation would be that there is some
kind of an existing North Korean tool
00:33:53.200 --> 00:33:57.740
installed on citizens' computers and the
authors didn't want to trigger an alert
00:33:57.740 --> 00:34:02.720
about it being malicious. It's also
possible that the authors wanted some
00:34:02.720 --> 00:34:08.929
option to develop such a tool in the
future and they inserted this signature in
00:34:08.929 --> 00:34:13.418
order to conceal this future component
with this particular whitelisting
00:34:13.418 --> 00:34:20.309
mechanism. It's also possible that since
the authors used a third party engine, the
00:34:20.309 --> 00:34:26.569
Trend Micro engine, that this signature
mistakenly detected one of SiliVaccine's
00:34:26.569 --> 00:34:31.969
original components as malware, which they
clearly wanted to avoid. And of course
00:34:31.969 --> 00:34:37.809
it's also possible that this whole thing
is some kind of an idiotic false positive
00:34:37.809 --> 00:34:45.119
management fix. But I would say this is
unlikely. All right - let's move on and
00:34:45.119 --> 00:34:50.708
talk about the kernel side of SiliVaccine.
And remember: SiliVaccine has three kernel
00:34:50.708 --> 00:34:55.749
mode drivers, but actually only two of
them are utilized, SVfilter and
00:34:55.749 --> 00:35:02.539
SVHook.sys. So let's focus on them. And we
started snooping around and looking at
00:35:02.539 --> 00:35:07.630
these drivers. And the first thing we
noticed is some fishy stuff like the fact
00:35:07.630 --> 00:35:13.849
that its entry point resides in the reloc
section and that it's supposedly packed
00:35:13.849 --> 00:35:20.330
with some kind of a packer called
"BopCrypt" which we had never heard of. And we
00:35:20.330 --> 00:35:25.420
looked around "BopCrypt"; turned out this
is an old Russian PE packer that
00:35:25.420 --> 00:35:30.569
supposedly contains some common protection
features such as anti-debug measures and
00:35:30.569 --> 00:35:35.380
polymorphic code. Now this is not really
good news when dealing with the kernel
00:35:35.380 --> 00:35:40.939
driver because who wants to debug
polymorphic code in the kernel. So we
00:35:40.939 --> 00:35:46.309
thought: wait a second, before we dive in
and do all of this stuff maybe we can
00:35:46.309 --> 00:35:50.390
actually find some kind of an answer by
looking at this file again from the
00:35:50.390 --> 00:35:56.839
outside. And turns out that our answer was
right there and our answer is 42
00:35:56.839 --> 00:36:03.299
laughter. Actually it's hex42. So
evidently, this whole crazy protection
00:36:03.299 --> 00:36:09.559
scheme here is that the text section that
contains the actual driver is XORed with a
00:36:09.559 --> 00:36:16.710
single byte of the value 42 hex. So with
this insane protection mechanism which we
00:36:16.710 --> 00:36:23.160
were able to bypass we were able to look
at the drivers themselves and the first
00:36:23.160 --> 00:36:27.499
one of them, SVfilter.sys - I remind you
that this is a file system filter driver -
00:36:27.499 --> 00:36:31.959
this is loaded and utilized by SVDealer.
This is the real time scanning component
00:36:31.959 --> 00:36:36.839
and it has two main functionalities. One
is to actually scan files upon access so
00:36:36.839 --> 00:36:42.500
it would intercept any kind of activity
with the file system and it would take the
00:36:42.500 --> 00:36:50.319
underlying file and would issue it to
SVDealer to conduct a scan on it and also
00:36:50.319 --> 00:36:55.490
it's actually used to protect the
antivirus's binaries themselves to avoid
00:36:55.490 --> 00:37:04.450
any kind of malfunction against them by
the user. And it really took us quite some
00:37:04.450 --> 00:37:09.210
time to realize that these are the only
two things that this driver does because
00:37:09.210 --> 00:37:14.940
the code for them is really a mess. And
I'm going to save you some time and
00:37:14.940 --> 00:37:20.300
explain the flaw of this driver by
simplifying it a little bit. So this is
00:37:20.300 --> 00:37:26.779
how SVfilter.sys works in a nutshell. The
first action it does is waste time
00:37:26.779 --> 00:37:34.279
laughter. So it does a lot of redundant
checks that seem to have no effect on this
00:37:34.279 --> 00:37:39.450
code whatsoever. Then it moves on to see
if the file scanned here is actually
00:37:39.450 --> 00:37:44.690
binary related to the antivirus itself. Of
course if it is, then it will deny access
00:37:44.690 --> 00:37:51.160
to it. Then it moves to the very important
action of wasting a lot more time
00:37:51.160 --> 00:37:58.430
laughter by doing what seems to be
pretty much garbage code. And finally at
00:37:58.430 --> 00:38:04.040
some point it will take the file, it will
scan it and if the file seems to be
00:38:04.040 --> 00:38:09.269
malicious then it will deny the access to
it. Otherwise it will allow the access. So
00:38:09.269 --> 00:38:14.950
this is pretty much everything to say
about SVfilter. There was another driver
00:38:14.950 --> 00:38:23.859
called SVHook.sys which is utilized by the
main GUI component, SVMain.exe. You look
00:38:23.859 --> 00:38:28.289
at this name, you think, yes, it probably
hooks stuff. No - it doesn't actually hook
00:38:28.289 --> 00:38:35.730
anything. It's actually used to query some
kind of process object data from the
00:38:35.730 --> 00:38:43.660
kernel and really it's quite a
confusing driver because it seems to have
00:38:43.660 --> 00:38:50.960
like 13 ioctls. Only 3 are ever used and
it's highly, highly buggy. There's a lot
00:38:50.960 --> 00:39:01.420
of bugs there. So for instance, we've seen
the following function where there's an
00:39:01.420 --> 00:39:10.270
ioctl issued to this driver and it really
seems that those two components, SVMain
00:39:10.270 --> 00:39:15.910
and SVHook, were really developed by two
different developers. So here we can see
00:39:15.910 --> 00:39:24.680
that this programmer who wrote this
particular ioctl call actually used a
00:39:24.680 --> 00:39:31.209
buffer of size 12. Now you would assume
that those two developers have agreed that
00:39:31.209 --> 00:39:36.869
this should be the buffer size, right?
Well, evidently the second developer was
00:39:36.869 --> 00:39:42.520
not really notified about this and in fact
checks explicitly that the buffer size is
00:39:42.520 --> 00:39:50.819
12 and if that's the case nothing happens
laughter. Which really is a piece of
00:39:50.819 --> 00:39:58.549
shit code that does nothing laughter. So
while looking into this, we tried to dig a
00:39:58.549 --> 00:40:03.130
little bit deeper and understand why those
bugs happen and we think we have an
00:40:03.130 --> 00:40:10.009
answer. So just strolling around we see a
lot of this. If you look at this you
00:40:10.009 --> 00:40:14.609
realize that you're looking at a lot of
debug prints used by the author and you
00:40:14.609 --> 00:40:22.549
see that one of the parts of the strings
referenced here is "sub_00something" which
00:40:22.549 --> 00:40:27.809
is an IDA-auto-generated name. Which to
me, ladies and gentlemen, seems like
00:40:27.809 --> 00:40:33.390
instead of looking at authentic code, we
were in fact reverse engineering a
00:40:33.390 --> 00:40:38.319
reverse-engineered driver. So essentially
what happened here is that the developer
00:40:38.319 --> 00:40:46.069
of SVHook took some driver, decompiled it,
copied the code and added a bunch of debug
00:40:46.069 --> 00:40:51.599
prints in order to try to understand what
he was copying and it seems he didn't only
00:40:51.599 --> 00:40:57.599
fail to understand it but he also forgot
to remove this trail of debug prints. That
00:40:57.599 --> 00:41:05.339
demonstrates his elite coding skills. So
we are nearly at the end and we talked
00:41:05.339 --> 00:41:10.089
quite a bit about the technical parts here
but to get the full picture I think it's a
00:41:10.089 --> 00:41:15.980
good idea to look at the development story
behind the software. So in essence, who is
00:41:15.980 --> 00:41:22.099
behind SiliVaccine? Well, to tackle this
question we resorted to some version info
00:41:22.099 --> 00:41:26.660
that can be found inside the antivirus's
binaries. And there we found some version
00:41:26.660 --> 00:41:30.710
manifest that pointed at several
companies, the first one of which is
00:41:30.710 --> 00:41:35.790
called PGI (Pyongyang Guangdong
Information Technology). It seems to be
00:41:35.790 --> 00:41:40.190
some kind of a North Korean establishment,
a known one, that specializes in network
00:41:40.190 --> 00:41:46.559
security software. But really the more
interesting company that we found there
00:41:46.559 --> 00:41:53.660
was called "STS Tech-Service" which is
really this kind of shady company that has
00:41:53.660 --> 00:41:58.369
no trace of its activity online. We
couldn't find any kind of artifact that
00:41:58.369 --> 00:42:08.190
shows what this company does or what is
its main field of occupation. So we still
00:42:08.190 --> 00:42:14.940
can answer some questions about STS Tech-Service.
For instance we can say that STS
00:42:14.940 --> 00:42:20.910
Tech-Service is highly likely based in the
DPRK, North Korea, and that is due to this
00:42:20.910 --> 00:42:25.549
brochure you see here on the screen which
is taken from a trade fair that took place
00:42:25.549 --> 00:42:32.649
in Pyongyang back in 2006. And in this
particular trade fair this company, STS
00:42:32.649 --> 00:42:38.099
Tech-Service, they participated. We
contacted the organizers and they actually
00:42:38.099 --> 00:42:42.809
confirmed that STS Tech-Service did come
from North Korean side. Still, some
00:42:42.809 --> 00:42:47.329
questions remain. Is that a private
company in North Korea or is that even a
00:42:47.329 --> 00:42:51.569
thing? Is that a government entity? Is
that the same thing in North Korea? We
00:42:51.569 --> 00:42:59.310
don't know. Actually, another source told
us that this company might be a
00:42:59.310 --> 00:43:04.089
subdivision of the KPA (where KPA stands
for Korean People's Army), but we have no
00:43:04.089 --> 00:43:09.589
way of corroborating this. And you
remember that Trend Micro stated that
00:43:09.589 --> 00:43:16.719
their engine could have been leaked from
third party. Could that third party be
00:43:16.719 --> 00:43:21.809
this company? Well we don't know actually,
but what we did see and which was really
00:43:21.809 --> 00:43:28.299
interesting is a particular connection
between North Korea and Japan that repeats
00:43:28.299 --> 00:43:33.400
throughout this whole research so for one
we've already seen that SVKernel is
00:43:33.400 --> 00:43:40.599
basically some kind of modified version of
Trend Micro's engine. But then we've also
00:43:40.599 --> 00:43:45.450
seen that STS Tech-Service at some point
cooperated with a company called Silver
00:43:45.450 --> 00:43:51.910
Star Japan on a particular application. As
a matter of fact it not only cooperated
00:43:51.910 --> 00:43:55.630
with them but also with another company
called Magnolia which also resides in
00:43:55.630 --> 00:44:00.680
Japan. Actually Silver Star and Magnolia
reside in the same address in Japan, which
00:44:00.680 --> 00:44:05.890
is quite interesting. And then in a
particular instance all of these three
00:44:05.890 --> 00:44:12.400
companies - Magnolia, Silver Star and STS
Tech-Service cooperated with the KCC, a
00:44:12.400 --> 00:44:17.989
very famous North Korean research
establishment, the Korean Computer Center,
00:44:17.989 --> 00:44:24.249
on another application. And it's important
to say that while we can be very easily
00:44:24.249 --> 00:44:29.010
drawn to some conclusions here and
speculate on some very wild scenarios,
00:44:29.010 --> 00:44:33.440
especially given the fact that North Korea
and Japan are not friends, we need to
00:44:33.440 --> 00:44:37.720
remember that this is just a crazy web of
connections that we unraveled here. And
00:44:37.720 --> 00:44:41.400
actually we cannot say much about this
other than pointing out the connections
00:44:41.400 --> 00:44:49.440
themselves. Still I can say that we did
find some traces of maliciousness in this
00:44:49.440 --> 00:44:56.809
whole package and at this point we
thought: all right, we are done with the
00:44:56.809 --> 00:45:04.599
research; could it be that there is no
malware or backdoor here? Well, it turns
00:45:04.599 --> 00:45:11.419
out that if we look back on this e-mail
sent by this supposedly Japanese engineer,
00:45:11.419 --> 00:45:18.340
Kang Yong Hak, and reinspect the installer
provided in this particular email, then
00:45:18.340 --> 00:45:23.039
actually it has no metadata. And that's
not surprising because this installer is
00:45:23.039 --> 00:45:26.880
in fact a self-extracting archive which
contains the real
00:45:26.880 --> 00:45:33.660
installer of SiliVaccine. But then it also
contains another file called "SVpatch4.0"
00:45:33.660 --> 00:45:39.759
which - well, OK. But when you look at the
metadata you see it's supposedly related
00:45:39.759 --> 00:45:47.220
to Microsoft automatic updates which is,
again, highly suspicious laughter. Now,
00:45:47.220 --> 00:45:52.209
we decided to look deeper into this file
it turns out that actually this file is a
00:45:52.209 --> 00:45:57.349
signed binary. And if you look the issuer
up on Google we come to a Kaspersky report
00:45:57.349 --> 00:46:03.079
about the Darkhotel APT. Very alarming.
And then we decided to dig deeper and
00:46:03.079 --> 00:46:07.999
analyze this file. So we did some
analysis. We realized that this is
00:46:07.999 --> 00:46:15.529
actually the stage one malware from a
known campaign called Jaku uncovered by
00:46:15.529 --> 00:46:23.500
Forcepoint in 2016. Now what is Jaku? Jaku
was an ongoing botnet campaign, it
00:46:23.500 --> 00:46:28.790
targeted mainly North Korea and Japan. And
while it infected a lot of victims the
00:46:28.790 --> 00:46:34.089
later stages of the malware - stages 2 and
3 - were only used against a select group
00:46:34.089 --> 00:46:39.140
of individuals with North Korea and
Pyongyang being the common theme between
00:46:39.140 --> 00:46:44.089
them. Now another interesting connection
that was outlined by Forcepoint is between
00:46:44.089 --> 00:46:49.140
Jaku and Darkhotel which is really further
evidence to this kind of an interesting
00:46:49.140 --> 00:46:55.919
connection on top of what we saw with the
certificate used previously. Now who could
00:46:55.919 --> 00:47:00.220
be the target here? It could be the case
that every SiliVaccine installation is
00:47:00.220 --> 00:47:04.140
bundled with this malware, but we don't
think so. We actually think that the
00:47:04.140 --> 00:47:09.610
target was Martin Williams who deals
vastly with North Korea. And it is
00:47:09.610 --> 00:47:17.219
possible that this particular malware was
used against him. So this is pretty much
00:47:17.219 --> 00:47:21.759
the end and I would like to, before I let
you go, summarize everything that we've
00:47:21.759 --> 00:47:29.749
seen in this talk. Let's look back and see
those things. So for one we have seen that
00:47:29.749 --> 00:47:35.719
SiliVaccine has been illegally using Trend
Micro's engine and it was not a one-time
00:47:35.719 --> 00:47:43.029
thing. It has been done at least two times
and probably over multiple versions and
00:47:43.029 --> 00:47:50.279
for several years. Then we've also seen
that the authors of SiliVaccine tried to
00:47:50.279 --> 00:47:56.799
conceal the fact that they used this
engine with some interesting mechanism.
00:47:56.799 --> 00:48:02.979
Then we've seen that there is an explicit
whitelisting of a particular signature and
00:48:02.979 --> 00:48:08.989
that the installation of SiliVaccine comes
bundled with the malware called Jaku. Now,
00:48:08.989 --> 00:48:13.870
while having these understandings we still
have some unanswered questions. For
00:48:13.870 --> 00:48:19.809
instance, we've seen that there are some
artifacts that point at the fact that the
00:48:19.809 --> 00:48:24.509
code of SiliVaccine might have been
recompiled with some other optimizations
00:48:24.509 --> 00:48:29.661
that were not in Trend Micro's engine in
the first place. So, having said that, how
00:48:29.661 --> 00:48:34.669
did the SiliVaccine authors obtain such an
access to a proprietary resource? We have
00:48:34.669 --> 00:48:42.949
no idea. Also this white-listed signature
- we cannot say what it represents. It's a
00:48:42.949 --> 00:48:48.259
heuristic signature so we cannot really
tell if it was trying to whitelist a
00:48:48.259 --> 00:48:54.569
malicious tool or a benign software. It's
not very clear. And then also the Jaku
00:48:54.569 --> 00:48:59.829
malware. Since we only have one instance
of this particular software from 2013 it's
00:48:59.829 --> 00:49:06.039
hard to say if it's bundled with all
versions or only with this one. And while
00:49:06.039 --> 00:49:10.719
I can't answer all of these questions
concisely I do want to point out that
00:49:10.719 --> 00:49:16.299
throughout this research we've seen a lot
of effort done to develop this particular
00:49:16.299 --> 00:49:21.359
product and through this effort we've
stumbled upon quite many illegal and shady
00:49:21.359 --> 00:49:27.999
practices employed by the DPRK to develop
their own homebrew software. A software
00:49:27.999 --> 00:49:33.079
that, remember, maybe sometime in another
time and in a perfect world could have
00:49:33.079 --> 00:49:37.839
been totally legitimate. And with that in
mind I would like to thank you for your
00:49:37.839 --> 00:49:41.884
attention and hope you enjoy your time at
CCC.
00:49:41.884 --> 00:49:53.004
applause
00:49:53.004 --> 00:50:02.339
Herald: Thank you, Mark, that was
wonderful. We have plenty of time for
00:50:02.339 --> 00:50:08.029
questions and we have two microphones. One
is in the middle of the room and one is
00:50:08.029 --> 00:50:14.430
sort of outside of the stage. So please
queue up if you want to ask questions. And
00:50:14.430 --> 00:50:17.229
we already have a question on the
microphone 1.
00:50:17.229 --> 00:50:20.800
Audience member 1: Do you have any idea
why they chose Trend Micro over any other
00:50:20.800 --> 00:50:22.990
engine?
Mark: Excuse me, could you repeat the
00:50:22.990 --> 00:50:25.659
question and raise your hand, because I
didn't see you?
00:50:25.659 --> 00:50:29.009
Audience member 1: Do you have any idea
why they chose Trend Micro and not any
00:50:29.009 --> 00:50:35.039
other engine, like an open source engine?
Mark: Do I have any idea of Trend Micro
00:50:35.039 --> 00:50:38.039
tools is what? I'm sorry.
Audience member 1: Do you have any idea
00:50:38.039 --> 00:50:41.749
why Trend Micro was chosen by them?
Mark: Ah, why Trend Micro.
00:50:41.749 --> 00:50:43.989
Audience member 1: In comparison to
anything else?
00:50:43.989 --> 00:50:46.069
Mark: Actually I have no idea. I really
don't.
00:50:46.069 --> 00:50:48.579
Audience member 1: Thank you.
Mark: If you know, then tell me, please.
00:50:48.579 --> 00:50:51.430
laughter
Herald: microphone 2.
00:50:51.430 --> 00:50:57.229
Audience member 2: So have you looked at
the fact that this antipiracy is a .exe.
00:50:57.229 --> 00:51:02.039
So it runs on Windows but all of North
Korea runs with Red Star OS which is a
00:51:02.039 --> 00:51:05.709
Unix.
Mark: Well, as far as I could tell from
00:51:05.709 --> 00:51:10.959
people I discussed with who do know a few
things about North Korea actually Red Star
00:51:10.959 --> 00:51:15.769
OS is not the most common operating system
there. In fact it's barely used because,
00:51:15.769 --> 00:51:23.359
well, to say it shortly, it's shit but
they do use what seems to be some kind of
00:51:23.359 --> 00:51:29.359
Chinese versions of Windows XP and Windows
7. So this is intended to run on these
00:51:29.359 --> 00:51:33.519
operating systems.
Herald: Thank you. Another question from
00:51:33.519 --> 00:51:36.039
mic 1.
Audience member 3: How did you get the
00:51:36.039 --> 00:51:42.139
2005 version of the antivirus?
Mark: Come to me later and I'll tell you.
00:51:42.139 --> 00:51:46.669
laughter
Herald: Mic 1, please.
00:51:46.669 --> 00:51:51.499
Audience member 4: Yeah I just wanted to
know if you checked that the Jaku malware
00:51:51.499 --> 00:51:57.400
was not part of this whitelist program.
Mark: Oh yes, we checked it. Actually this
00:51:57.400 --> 00:52:05.349
was not the white-listed signature. It was
actually not detected by SiliVaccine, but
00:52:05.349 --> 00:52:09.400
it was also not detectable by Trend
Micro. It was not detected by anyone
00:52:09.400 --> 00:52:15.809
actually so it was not the white-listed
signature.
00:52:15.809 --> 00:52:20.506
Herald: Thank you. That's all. Thank you,
Mark. Thank you for the amazing talk.
00:52:20.506 --> 00:52:22.726
applause
00:52:22.726 --> 00:52:27.912
35C3 postroll music
00:52:27.912 --> 00:52:45.000
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!