Return to Video

35C3 - SiliVaccine: North Korea's Weapon of Mass Detection

  • 0:00 - 0:19
    35C3 preroll music
  • 0:19 - 0:26
    Herald: So our next speaker is Mark
    Lechtik and he is going to talk about
  • 0:26 - 0:33
    SiliVaccine, North Korea's weapon of mass
    detection. Mark is the malware research
  • 0:33 - 0:38
    team leader at checkpoint and he deals
    with reverse engineering and malware
  • 0:38 - 0:46
    analysis both as occupation and as a
    hobby. So a huge round of applause to Mark
  • 0:46 - 0:55
    applause and we are starting the talk.
  • 0:55 - 0:59
    Mark Lechtik: Let's begin with a short video
  • 0:59 - 1:00
    Video
  • 2:08 - 2:13
    Laughter
    Ladies and gentleman, for those of you who
  • 2:13 - 2:20
    don't know this lady in pink, her name is
    리춘히, a good friend of mine, North Korea's
  • 2:20 - 2:27
    main news presenter. And she just turned
    75 years old this July. Let's give her a
  • 2:27 - 2:36
    warm round of applause for her passionate
    introduction to SiliVaccine. Of course I'm
  • 2:36 - 2:41
    lying, she's not my friend, nor did she
    even speak about SiliVaccine in this
  • 2:41 - 2:48
    video. But still, kudos to her for
    grabbing your attention. And again, hello,
  • 2:48 - 2:53
    thank you for joining me for this talk
    titled "SiliVaccine - North Korea's weapon
  • 2:53 - 3:02
    of mass detection". Before I actually tell
    you about the research story here, I would
  • 3:02 - 3:09
    like to introduce you to the two notorious
    dissidents who are behind this infamous
  • 3:09 - 3:14
    research. You see them right here on the
    screen. One of them actually happens to be
  • 3:14 - 3:20
    me. My name is Mark Lechtik. As previously
    mentioned, I'm the Maleware-research team
  • 3:20 - 3:28
    leader at checkpoint and my partner in
    crime for this research is named Michael
  • 3:28 - 3:34
    Kajiloti. Unfortunately, he couldn't be
    here today because he's in a vacation in
  • 3:34 - 3:40
    Hawaii probably drinking some smoothie
    from a coconut. So I thought this would be
  • 3:40 - 3:47
    a better picture. To Michael, have a lot
    of fun in your travel. Come home safely
  • 3:47 - 3:56
    and beware of Koreans who stare at you
    suspiciously. Now, we both work at
  • 3:56 - 4:01
    checkpoint as mentioned and without
    further ado let me give you a little bit
  • 4:01 - 4:10
    of a background for this research. So this
    whole research actually began at one point
  • 4:10 - 4:15
    this year around March when I was looking
    for something to read in Twitter and then
  • 4:15 - 4:21
    I stumbled upon this article you see right
    here titled "Inside North Korea's Hacker
  • 4:21 - 4:27
    Army" by Bloomberg and it's actually a
    pretty interesting piece, I recommend you
  • 4:27 - 4:37
    to read it. It discusses particular a
    North Korean defector who was drafted to
  • 4:37 - 4:43
    work for a government agency in North
    Korea and ended up raising money for the
  • 4:43 - 4:52
    regime through hacking. And an interesting
    thing I noted throughout this publication
  • 4:52 - 4:59
    is that the author tried to portray some
    kind of a narrative of North Korean state
  • 4:59 - 5:06
    sponsored cyber operations and in
    particular in one paragraph he gives a
  • 5:06 - 5:11
    representation of what seems to be the
    North Korean government's official comment
  • 5:11 - 5:17
    to various hacking allegations made
    against North Korea by the West. And
  • 5:17 - 5:22
    here's a quote: "So formally, North Korea
    denies engaging in hacking and describes
  • 5:22 - 5:28
    accusations to that effect as 'enemy
    propaganda'. It says its overseas computer
  • 5:28 - 5:33
    efforts are directed at promoting its
    antivirus software in the global market.
  • 5:33 - 5:37
    The country has for more than a decade
    been working on such programs including
  • 5:37 - 5:43
    one called SiliVaccine. Now looking at
    this, you're probably asking yourselves:
  • 5:43 - 5:49
    What the hell is SiliVaccine? Well, as you
    may understand by now, SiliVaccine is an
  • 5:49 - 5:54
    antivirus that is developed and used
    exclusively in North Korea. So this is
  • 5:54 - 6:01
    basically a North Korean antivirus. Or how
    I like to call it: The Kim Jong Un-tivirus.
  • 6:01 - 6:08
    laughter Now obviously this is
    a very rare product. You can't find it on
  • 6:08 - 6:13
    the Internet, you cannot download it
    anywhere. It basically resides only inside
  • 6:13 - 6:19
    the DPRK. As far as we could tell in this
    research it's actively developed since
  • 6:19 - 6:25
    2003 and the version that I'm going to
    focus on here today is version 4.0, which
  • 6:25 - 6:34
    was released in 2013. Just as a caveat: We
    are also in possession of another version
  • 6:34 - 6:40
    from 2005, which was one of the early
    versions of SiliVaccine and I will mention
  • 6:40 - 6:45
    it a little bit later throughout this
    talk. Now if you know anything about North
  • 6:45 - 6:51
    Korea, then one thing you should note is
    that there is actually no internet inside
  • 6:51 - 6:58
    North Korea, right. Instead, what they
    have is what's called an Intranet, which
  • 6:58 - 7:07
    is this highly restricted but glorified
    local area network; and, having that in
  • 7:07 - 7:12
    mind, you must be thinking "Why the hell
    would North Korea use an antivirus in the
  • 7:12 - 7:17
    first place?". Well, there are a few
    interesting explanations for that: One,
  • 7:17 - 7:23
    the more exotic one, is to actually
    protect against threats that might reside
  • 7:23 - 7:28
    within media that is smuggled to the
    country. And for this matter as an
  • 7:28 - 7:33
    example, it turns out that there is
    actually a phenomenon of USB sticks with
  • 7:33 - 7:40
    Western media that somehow magically find
    their way inside North Korea. And then
  • 7:40 - 7:46
    they get sold in the country's black
    market to citizens. And I know it sounds
  • 7:46 - 7:51
    totally fucked up, but remember, it's
    North Korea and to convince you a little
  • 7:51 - 7:56
    bit better, you're invited to go to this
    website called "flash drives for freedom",
  • 7:56 - 8:04
    which is actually a crowd-source funding
    project for USB sticks that get written
  • 8:04 - 8:15
    with content from the West and smuggled
    into North Korea. So just a fun fact, if
  • 8:15 - 8:21
    you have any kind of problems with your
    local IRS, don't worry. The smuggled USB
  • 8:21 - 8:29
    stick is 100 percent tax refundable. As
    for the content inside of it, well, it
  • 8:29 - 8:36
    contains just all kinds of information,
    entertainment content from the West like
  • 8:36 - 8:43
    Wikipedia articles and South Korean soap
    operas, which somehow managed to threaten
  • 8:43 - 8:48
    the North Korean regime. But anyways,
    there's also another explanation for the
  • 8:48 - 8:54
    existence of this antivirus, and this is
    the fact that is actually stated by North
  • 8:54 - 9:00
    Korea itself, is to raise money for the
    regime by selling this product in the
  • 9:00 - 9:06
    worldwide market. As a matter of fact to
    corroborate this, we can refer to the 2005
  • 9:06 - 9:10
    version of SiliVaccine that I mentioned
    previously, which you can see here on the
  • 9:10 - 9:16
    screen, was written both in Korean and
    English, which might hint at the fact that
  • 9:16 - 9:21
    whoever wrote this version tried to make
    it more appealing for English-speaking
  • 9:21 - 9:28
    users as well as Korean ones. Now you also
    must be asking yourselves: "How the hell
  • 9:28 - 9:33
    did we get our hands on the software in
    the first place?" Well, the answer to this
  • 9:33 - 9:38
    lies in the Bloomberg article I mentioned
    earlier. It linked to a blogpost by this
  • 9:38 - 9:45
    guy named Martin Williams. Martin Williams
    is a journalist who covers various kinds
  • 9:45 - 9:52
    of news items related to North Korea. And
    he actually got this particular software
  • 9:52 - 9:57
    through, I would say, a slightly
    suspicious email from a guy calling
  • 9:57 - 10:03
    himself Kang Yong Hak, a security engineer
    from Japan, who wanted to give it to him
  • 10:03 - 10:08
    as a journalistic lead. And remember this
    email, we will talk about it a little bit
  • 10:08 - 10:15
    later. Now of course Martin was kind
    enough to share the software with us and
  • 10:15 - 10:20
    it's the place to thank him for making
    this whole research possible. Now what did
  • 10:20 - 10:25
    we want to find out in this research? So
    first of all, we wanted to understand the
  • 10:25 - 10:31
    technical structure of the software. How
    is it built? Through which we hope to get
  • 10:31 - 10:37
    somewhat of an anthropological view on
    some of the practices employed by the
  • 10:37 - 10:44
    North Korean engineers meaning how
    engineers with restricted resources tackle
  • 10:44 - 10:51
    a big project like building an antivirus
    from scratch. Also we wanted to see if we
  • 10:51 - 10:57
    can find any kind of abnormal behavior
    inside this antivirus. Some things that
  • 10:57 - 11:03
    could have been left in place and expose
    some hidden agenda of the developers and
  • 11:03 - 11:08
    in particular we try to locate any
    potential backdoor that could have been
  • 11:08 - 11:13
    deliberately put in place as a means of
    surveillance against the citizens. So with
  • 11:13 - 11:23
    that in mind let's take a short overview
    of the antivirus architecture and for this
  • 11:23 - 11:27
    matter let's start with the software
    libraries that comprise it, the first of
  • 11:27 - 11:34
    which is called SV shell. This is just a
    basic shell extension that introduces this
  • 11:34 - 11:41
    entry in the context menu which you can
    see if you click the right mouse button.
  • 11:41 - 11:48
    And this is basically meant to just do a
    manual scan on a file using SiliVaccine.
  • 11:48 - 11:53
    And you know what - let's just test this
    feature and see if it works. So here we
  • 11:53 - 12:01
    have malware, we right-click, we press on
    this feature and nothing happens which is
  • 12:01 - 12:07
    really just some kind of a bug that we see
    right from the very beginning of testing
  • 12:07 - 12:13
    this antivirus spoiler. There are more,
    but never mind. Let's move on. The next
  • 12:13 - 12:19
    component we see here is one called
    SVKernel.dll. Now this is in fact the file
  • 12:19 - 12:24
    scanning the engine of this antivirus. And
    this is really the core component that
  • 12:24 - 12:31
    contains the logic that implements virus
    scanner files. This .dll exposes roughly
  • 12:31 - 12:37
    20 export functions with the names
    SVfunc001 through SVfunc020 - very
  • 12:37 - 12:43
    ambiguous naming convention - and they are
    of course used in conjunction with
  • 12:43 - 12:48
    patterns or signatures which is the
    content that allows the software to decide
  • 12:48 - 12:55
    if a given file is malicious or not. Then
    we have another group of components which
  • 12:55 - 13:01
    is pretty self-explanatory. These are the
    GUI components the first of which is this
  • 13:01 - 13:08
    tray menu you can see on the right corner
    of the screen. And this little menu allows
  • 13:08 - 13:15
    you to execute any other GUI menus in this
    antivirus. For instance you can see the
  • 13:15 - 13:23
    following menu where you can do a full
    scan on the file system. You can play
  • 13:23 - 13:30
    around with some of the configurations of
    this antivirus. It's also possible to do
  • 13:30 - 13:35
    some whitelisting and blacklisting
    actions. And basically this is a GUI one-
  • 13:35 - 13:44
    stop shop for all of this antivirus'
    features and other... oh, before talking
  • 13:44 - 13:48
    about the other components, SVmain
    actually communicates with a driver called
  • 13:48 - 13:55
    SVHook.sys. This is a driver that is meant
    to convey some information as the main
  • 13:55 - 14:01
    from the Kernel space. We will discuss
    this driver a little bit later. Then we
  • 14:01 - 14:08
    have the update mechanism of the antivirus
    which will basically download any kind of
  • 14:08 - 14:13
    update binaries and components or update
    signatures and we'll verify them with an
  • 14:13 - 14:20
    external component called SVDiffUpd.exe.
    And of course, as I mentioned, everything
  • 14:20 - 14:27
    here resides inside North Korea's
    Intranet. So this update client will
  • 14:27 - 14:33
    communicate with a server inside North
    Korea and it will do so using a custom
  • 14:33 - 14:39
    update protocol which works on top of the
    HTTP protocol. And here you can see some
  • 14:39 - 14:44
    of the messages exchanged between this
    update client and server. And one thing I
  • 14:44 - 14:49
    would like you to notice is the vast
    amount of information conveyed through
  • 14:49 - 14:54
    this update protocol. You can see fields
    like a serial number, some kind of an
  • 14:54 - 15:01
    interface ID and IP which is for the most
    part kind of suspicious. I mean, why the
  • 15:01 - 15:07
    hell do they need all of this information
    just for an update mechanism? But since we
  • 15:07 - 15:13
    don't have any access to the server or any
    kind of way to understand how the user
  • 15:13 - 15:18
    communicates with it we can't really tell
    why this information is collected so we'll
  • 15:18 - 15:25
    just leave this fact as is. Another
    interesting thing is that the whole HTTP
  • 15:25 - 15:32
    protocol was manually implemented by the
    developers and along the way they did some
  • 15:32 - 15:37
    interesting mistakes for instance the
    content length field of the HTTP header is
  • 15:37 - 15:43
    written with an underscore here which is
    kind of a mistake. It's not the way it is
  • 15:43 - 15:50
    intended to be used. Also the authors
    wanted to convey the update client's
  • 15:50 - 15:57
    identity to the server and they did so
    with the user agent which is a pretty
  • 15:57 - 16:02
    typical way of doing this but instead of
    only using the user agent they added
  • 16:02 - 16:08
    another field called "User-Dealer". I have
    no idea what kind of dealer they had in
  • 16:08 - 16:15
    mind laughter but obviously this has
    nothing to do with the HTTP protocol. And
  • 16:15 - 16:20
    speaking of dealers there is yet another
    component here called SVDealer.exe which
  • 16:20 - 16:25
    is actually the real-time scanning
    component of this antivirus which you can
  • 16:25 - 16:31
    enable through the tray menu as well. And
    this particular component will use another
  • 16:31 - 16:38
    driver called SVFilter.sys which is a file
    system filter driver meant to intercept
  • 16:38 - 16:48
    all kinds of access to the file system and
    issue the underlying file to a scan prior
  • 16:48 - 16:53
    to actually doing any kind of action on
    it. And, again, we'll discuss this
  • 16:53 - 16:58
    particular driver later on. At this point
    I should mention that the two components
  • 16:58 - 17:03
    here that actually do any kind of scanning
    tests are SVDealer and SVMain that you see
  • 17:03 - 17:08
    here on the screen. Obviously they would
    have to use the file scanning engine for
  • 17:08 - 17:12
    this purpose and also a bunch of
    signatures which are represented through a
  • 17:12 - 17:20
    series of files called the pattern files.
    Another thing here that we have as a
  • 17:20 - 17:28
    driver that I'm not going to talk about at
    all. This is a driver called ststdi2.sys.
  • 17:28 - 17:32
    This is basically a TDI network filter
    driver. If you don't have any idea what I
  • 17:32 - 17:36
    just said, this is perfectly fine because
    this driver does absolutely nothing
  • 17:36 - 17:41
    laughter. It just resides inside this
    antivirus and collects all kinds of
  • 17:41 - 17:46
    information about TCP connections and it
    should be queried theoretically by other
  • 17:46 - 17:50
    components. But no one ever queries it so
    it seems like it's just some kind of a
  • 17:50 - 17:56
    residue from previous versions of
    SiliVaccine. So we'll just leave it be, I
  • 17:56 - 18:01
    guess. And another interesting point here
    is that a lot of these components you see
  • 18:01 - 18:09
    here were protected with a legitimate
    protector, a commercial protector called
  • 18:09 - 18:13
    Themeda which - if you heard of it, you
    probably know - it's a pain in the ass to
  • 18:13 - 18:19
    reverse engineer. Luckily for us, whoever
    used this protector did not enable a lot
  • 18:19 - 18:27
    of its features and we could unpack it
    with moderate efforts. This is the full
  • 18:27 - 18:31
    architecture of this antivirus. I'm not
    going to go any further in it. You can
  • 18:31 - 18:38
    read about it in our publication, full
    publication about this software. Actually
  • 18:38 - 18:44
    I want to focus in all of this complicated
    scheme on one particular component which I
  • 18:44 - 18:49
    already discussed. This is SVKernel.dll. I
    remind you: this is the file scanning
  • 18:49 - 18:55
    engine of the antivirus. This is really
    the heart and soul of this whole software
  • 18:55 - 18:59
    and this is why we're going to talk about
    it next. And I would like to begin this
  • 18:59 - 19:06
    discussion about this component with what
    every good reverse engineer looks at. And
  • 19:06 - 19:10
    these are strings, of course. And the
    first thing we did was to open this file
  • 19:10 - 19:17
    and look at its strings and, like every
    professional reverse engineer, we looked
  • 19:17 - 19:23
    them up on Google laughter and here is,
    ladies and gentlemen, where it actually
  • 19:23 - 19:29
    gets interesting because it turns out that
    if we look it up Google we come to another
  • 19:29 - 19:40
    file called vsapi32.dll. Now what is
    vsapi32.dll? As it turns out, this is yet
  • 19:40 - 19:45
    another file scanning engine. Actually
    it's a file scanning engine belonging to a
  • 19:45 - 19:53
    big corporate in the security field and
    that is Trend Micro laughter which we
  • 19:53 - 19:59
    thought was kind of surprising. And
    looking at this, we thought: does it mean
  • 19:59 - 20:06
    that this .dll is in some way incorporated
    inside SiliVaccine? Did they use any kind
  • 20:06 - 20:12
    of interesting way of incorporating its
    functionality inside their engine? Well,
  • 20:12 - 20:19
    let's find out laughter. So here on the
    screen you can see what's called the
  • 20:19 - 20:27
    binary diff. This is a binary comparison
    between those two engines. On the left
  • 20:27 - 20:30
    side you can see the Trend Micro engine
    and on the right side you can see the
  • 20:30 - 20:35
    SiliVaccine engine and actually you can
    notice a few things here. For one, there's
  • 20:35 - 20:42
    a 100 percent match between more than a
    thousand functions of those two engines. A
  • 20:42 - 20:49
    thousand functions is like a quarter of
    SiliVaccine's engine code. And then you
  • 20:49 - 20:54
    can see also that there's a 100 percent
    match on some of the export functions. In
  • 20:54 - 20:59
    fact, if you look at all of the first 18
    export functions in SiliVaccine, you
  • 20:59 - 21:06
    realize they somehow map to functions of
    Trend Micro. And as an example, just take
  • 21:06 - 21:11
    three of these functions and look at their
    call for graphs in IDA and we can see that
  • 21:11 - 21:16
    they're pretty similar for the most part,
    but I would say it's more interesting to
  • 21:16 - 21:22
    note the small nuances or the small
    differences between those particular
  • 21:22 - 21:26
    functions. And as an example let's take
    this pair of functions, VSinit and
  • 21:26 - 21:32
    SVfunc005. Well, one interesting thing we
    noticed at the very beginning is that
  • 21:32 - 21:38
    while Trend Micro's engine uses mostly
    Lipsey functions like "memset", for
  • 21:38 - 21:45
    instance, the equivalent in SiliVaccine
    would at some points in-line those
  • 21:45 - 21:50
    functions, it would use function inlining
    to convey the same function and that
  • 21:50 - 21:56
    essentially hints at the fact that the
    developer of SiliVaccine could have
  • 21:56 - 22:01
    recompiled this particular Trend Micro
    code with some kind of a compiler
  • 22:01 - 22:06
    optimization that was not applied on the
    original engine. You can see another
  • 22:06 - 22:11
    example for this right here, with the
    "memcpy" and "qmemcpy", its in-line
  • 22:11 - 22:18
    equivalent. And let's look at another pair
    for this matter. So we have VSgetVSCinfo
  • 22:18 - 22:24
    and SVfunc004. Once again, function
    inlining. But another artifact that was
  • 22:24 - 22:32
    left here are these numbers you see right
    here. So it turns out that this particular
  • 22:32 - 22:37
    field that is populated in this structure
    you see here is actually the engine
  • 22:37 - 22:45
    version of this antivirus and it turns out
    that the engine version used inside
  • 22:45 - 22:53
    SiliVaccine is a 8.910 which is an engine
    released by Trend Micro back in 2008. Now
  • 22:53 - 23:01
    recall that this software is from 2013. So
    basically whoever wrote this was using a
  • 23:01 - 23:08
    five year old engine inside his code. And
    finally, let's look at another pair:
  • 23:08 - 23:15
    VSquit and SVfunc006. Once again, you can
    see a call to a proprietary SiliVaccine
  • 23:15 - 23:20
    function inside what used to be a Trend
    Micro function. This is just some kind of
  • 23:20 - 23:25
    a clean up function for a driver called
    "svio" which has nothing to do with Trend
  • 23:25 - 23:34
    Micro. And this again strengthens this
    kind of speculation that, when compiling a
  • 23:34 - 23:40
    SiliVaccine, there was some kind of use of
    a proprietary resource that belongs to
  • 23:40 - 23:48
    Trend Micro. Well, I would like to mention
    at this point that this was not the only
  • 23:48 - 23:54
    instance of a Trend Micro engine we found
    in SiliVaccine. In the 2005 version which
  • 23:54 - 24:02
    I mentioned earlier we actually found a
    trace of another component by Trend Micro
  • 24:02 - 24:08
    which is called tmfilter.sys. This is
    actually a kernel mode equivalent of this
  • 24:08 - 24:15
    engine called vsapi32. And this really
    shows that this whole sort of copyright
  • 24:15 - 24:20
    infringement was not a one-time thing. It
    has been possibly going on for quite a few
  • 24:20 - 24:26
    years. Now, we reached out to Trend Micro
    to get the response and basically, just to
  • 24:26 - 24:36
    sum this up, Trend Micro says that, yes,
    SiliVaccine used a 10+ year old version of
  • 24:36 - 24:41
    their engine in their code. They
    said,like, "WTF? We did not do any
  • 24:41 - 24:47
    business with North Korea" laughter.
    Also they're saying, "We have no idea how
  • 24:47 - 24:54
    they got our engine." But they do hint at
    the fact that they worked with some
  • 24:54 - 25:00
    vendors as OEM back at that time and maybe
    it's possible that one of these OEMs
  • 25:00 - 25:08
    leaked their code or what not. So who
    knows. So other than, you know, looking at
  • 25:08 - 25:13
    this; other than saying that this is a
    very kind of secretive antivirus that's
  • 25:13 - 25:19
    developed inside North Korea, we couldn't
    help but notice that there are quite a lot
  • 25:19 - 25:24
    of mechanisms used by the authors to
    conceal the fact that they're using a
  • 25:24 - 25:29
    third party product. And again, I remind
    you: we just realized that SiliVaccine is
  • 25:29 - 25:33
    essentially using a Trend Micro engine and
    we thought - if they're using the same
  • 25:33 - 25:36
    engine this doesn't mean that they're
    actually using the same signatures as
  • 25:36 - 25:43
    well. So if we compare this on the surface
    then it seems that no because SiliVaccine
  • 25:43 - 25:49
    has multiple patterned files while Trend
    Micro has one single large file. And also
  • 25:49 - 25:57
    there seems to be no kind of similarity
    between them on the binary level, but if
  • 25:57 - 26:02
    we look a little bit deeper then we can
    find the place in the code where those
  • 26:02 - 26:08
    particular pattern files are being loaded.
    This happens in SVKernel.dll in a
  • 26:08 - 26:14
    particular function called SVfunc19. And
    what happens there is that the name of the
  • 26:14 - 26:21
    particular pattern file of one of the
    parent files is being calculated or
  • 26:21 - 26:27
    generated, then a handle to this file is
    obtained, the contents of the file are
  • 26:27 - 26:32
    being read, then this particular file is
    being decrypted, the decrypted chunk is
  • 26:32 - 26:37
    appended to some buffer in memory, the ID
    of this chunk is incremented and this
  • 26:37 - 26:42
    whole process repeats. So essentially what
    this function does is to load the part of
  • 26:42 - 26:47
    files one by one, decrypt them and append
    them all together. Now before I talk a
  • 26:47 - 26:51
    little more about the encryption here,
    let's talk a little bit about the
  • 26:51 - 26:57
    encryption key because there's something
    interesting here. So this is the
  • 26:57 - 27:04
    encryption key used there. A seemingly
    random English string. We thought: "does
  • 27:04 - 27:10
    it mean anything in Korean?". It doesn't
    mean anything in any language, actually,
  • 27:10 - 27:15
    but an interesting thing happens when we
    take this particular string to a Korean-
  • 27:15 - 27:23
    English keyboard and we try to type it
    while accidentally forgetting to switch to
  • 27:23 - 27:29
    English. So we get this Korean string. And
    if we translate this Korean string to
  • 27:29 - 27:36
    English, turns out that it literally means
    "pattern encryption" laughter and
  • 27:36 - 27:54
    applause. Thank you. laughter* OK, so we
    decided to look a bit deeper now regarding
  • 27:54 - 27:58
    the encryption itself. We saw a lot of
    encryption mechanics inside. Some have
  • 27:58 - 28:04
    some cryptographic artifacts that resemble
    the Shahwan algorithm, for instance, and
  • 28:04 - 28:09
    all kinds of other stuff. We basically
    didn't really bother understanding this
  • 28:09 - 28:13
    whole mechanism very deeply because we
    were interested in the decrypted pattern
  • 28:13 - 28:19
    files which we could simply dump from
    memory and that's what we did. And after
  • 28:19 - 28:26
    dumping this from memory and comparing the
    two signature files one to another we can
  • 28:26 - 28:31
    actually see a similarity in the header
    and if we scroll a little bit down we can
  • 28:31 - 28:35
    also see that there is quite much of a
    similarity in strings. Actually there is
  • 28:35 - 28:41
    more than 90 percent match on the strings
    in those two files. And the difference is
  • 28:41 - 28:48
    probably due to the version of those
    pattern files. Now that's not the end. We
  • 28:48 - 28:55
    decided to test this thing. So we scanned
    a bunch of files with SiliVaccine. They
  • 28:55 - 28:59
    were all detected. We scanned them also
    with Trend Micro. They were also detected.
  • 28:59 - 29:04
    But there is something interesting here.
    Although they're using the same signatures
  • 29:04 - 29:09
    and same strings the detection names are
    totally different. And that is, ladies and
  • 29:09 - 29:15
    gentlemen, suspicious. So it turns out
    there's a reason for this and the reason
  • 29:15 - 29:21
    is that SiliVaccine actually renames the
    signature names before displaying them to
  • 29:21 - 29:27
    the user. And here is how this works. So
    basically SiliVaccine will take a Trend
  • 29:27 - 29:35
    Micro signature name, for this purpose
    "TROJ_STEAL-1". It would then replace it,
  • 29:35 - 29:43
    strip it of the underscores and dashes and
    then replace the prefix with some kind of
  • 29:43 - 29:48
    word based on a string based on a
    predefined dictionary. It will also
  • 29:48 - 29:55
    replace the suffix from a number to a
    letter. It will modify the casing, append
  • 29:55 - 30:00
    everything together with dots and this is
    how you get a SiliVaccine signature
  • 30:00 - 30:07
    laughter. So looking at all of this it's
    interesting to note that the authors are
  • 30:07 - 30:12
    probably trying to hide something. So just
    to summarize all of these hiding
  • 30:12 - 30:18
    mechanisms, let's just briefly take a look
    at what we've already seen. So basically
  • 30:18 - 30:23
    all of the files or most of the files in
    this software are protected with Themida,
  • 30:23 - 30:28
    a commercial protector, which means that
    the binary files do not have any kind of
  • 30:28 - 30:34
    string artifacts that allow a researcher
    to understand what he's looking at. Also
  • 30:34 - 30:39
    the pattern files are encrypted so we
    don't have any string artifacts there. You
  • 30:39 - 30:46
    can't understand from those signature
    files what you're looking at. And finally,
  • 30:46 - 30:50
    the malware signatures are renamed in real
    time, so it means that even in real time
  • 30:50 - 30:56
    you cannot tell what was the original
    signature or where it came from. So
  • 30:56 - 31:00
    essentially the user and a researcher
    won't have any way of knowing that this
  • 31:00 - 31:06
    product is using the engine of Trend
    Micro, which is puzzling. So, moving on -
  • 31:06 - 31:12
    let's talk about more of the fishy things
    that go inside of this product. Namely,
  • 31:12 - 31:18
    while analyzing it, we've seen a lot of
    the following instances of this string,
  • 31:18 - 31:27
    "Mal.Nucrp.F", and we realized that, based
    on its format, it's probably some kind of
  • 31:27 - 31:33
    a signature name. So we decided to
    understand what it was. We ran our
  • 31:33 - 31:41
    algorithm in reverse and we get the
    following detection name - "Mal_NUCRP-5".
  • 31:41 - 31:44
    But what's the deal with the signature,
    why does it even stand out from the other
  • 31:44 - 31:51
    ones? Well, here are two instances where
    this particular signature name is used. So
  • 31:51 - 31:55
    here you can see actually that what
    happens with this signature is that a file
  • 31:55 - 32:01
    is being scanned to detect if it's
    malicious or not. Then, if it was found to
  • 32:01 - 32:06
    be malicious, its detection name is
    compared against the string and if that's
  • 32:06 - 32:13
    the case, then SiliVaccine will simply
    ignore this file laughter, which is
  • 32:13 - 32:20
    suspicious laughter. Now, of course, we
    wanted to test this thing so we ran 6
  • 32:20 - 32:26
    files that were supposed to be detected
    with this particular detection name. In
  • 32:26 - 32:31
    Trend Micro they were all detected. Then
    we decided to run them in SiliVaccine and
  • 32:31 - 32:36
    nothing was detected laughter. And
    actually, this is quite surprising because
  • 32:36 - 32:41
    we did a little bit of QA on this and it
    turns out that for the most part it's
  • 32:41 - 32:46
    okay. But then in one instance they made a
    typo and in the white list it's something
  • 32:46 - 32:53
    called "Mal.Nurcrp.F" laughter which has
    no equivalent in Trend Micro's engine,
  • 32:53 - 32:59
    which begs the question: WTF is "nucrp"?.
    And according to Trend Micro's
  • 32:59 - 33:06
    Encyclopedia, which is a thing apparently,
    "MAL_NUCRP-5" is described as some kind of
  • 33:06 - 33:12
    a signature related to some old malware
    named "NUWAR", "TUBS", "ZHELAT". We
  • 33:12 - 33:17
    checked all of them. They have no relation
    whatsoever to North Korea. But deeper
  • 33:17 - 33:22
    inspection of this signature name reveals
    that actually this "mal" prefix you see
  • 33:22 - 33:28
    right here means that this is a generic
    detection that flags files based on some
  • 33:28 - 33:34
    heuristic which, in essence, might detect
    a whole spectrum of files. So
  • 33:34 - 33:38
    unfortunately, based only on this
    information, we cannot know what malware
  • 33:38 - 33:44
    was exactly detected here or really if it
    was malware at all. But we can still
  • 33:44 - 33:49
    speculate on why this whitelist thing was
    done. And for one, the most obvious
  • 33:49 - 33:53
    speculation would be that there is some
    kind of an existing North Korean tool
  • 33:53 - 33:58
    installed on citizens' computers and the
    authors didn't want to trigger an alert
  • 33:58 - 34:03
    about it being malicious. It's also
    possible that the authors wanted some
  • 34:03 - 34:09
    option to develop such a tool in the
    future and they inserted this signature in
  • 34:09 - 34:13
    order to conceal this future component
    with this particular whitelisting
  • 34:13 - 34:20
    mechanism. It's also possible that since
    the authors used a third party engine, the
  • 34:20 - 34:27
    Trend Micro engine, that this signature
    mistakenly detected one of SiliVaccine's
  • 34:27 - 34:32
    original components as malware, which they
    clearly wanted to avoid. And of course
  • 34:32 - 34:38
    it's also possible that this whole thing
    is some kind of an idiotic false positive
  • 34:38 - 34:45
    management fix. But I would say this is
    unlikely. All right - let's move on and
  • 34:45 - 34:51
    talk about the kernel side of SiliVaccine.
    And remember: SiliVaccine has three kernel
  • 34:51 - 34:56
    mode drivers, but actually only two of
    them are utilized, SVfilter and
  • 34:56 - 35:03
    SVHook.sys. So let's focus on them. And we
    started snooping around and looking at
  • 35:03 - 35:08
    these drivers. And the first thing we
    noticed is some fishy stuff like the fact
  • 35:08 - 35:14
    that its entry point resides in the relog
    section and that it's supposedly packed
  • 35:14 - 35:20
    with some kind of a packer called
    "BopCrypt" which we never heard of. And we
  • 35:20 - 35:25
    looked around "BopCrypt"; turned out this
    is an old Russian PE packer that
  • 35:25 - 35:31
    supposedly contains some common protection
    features such as anti-debug measures and
  • 35:31 - 35:35
    polymorphic code. Now this is not really
    good news when dealing with the kernel
  • 35:35 - 35:41
    driver because who wants to debug
    polymorphic code into kernel. So we
  • 35:41 - 35:46
    thought: wait a second, before we dive in
    and do all of this stuff maybe we can
  • 35:46 - 35:50
    actually find some kind of an answer by
    looking at this file again from the
  • 35:50 - 35:57
    outside. And turns out that our answer was
    right there and our answer is 42
  • 35:57 - 36:03
    laughter. Actually it's hex42. So
    evidently, this whole crazy protection
  • 36:03 - 36:10
    scheme here is that the text section that
    contains the actual driver is sort with a
  • 36:10 - 36:17
    single byte of the value 42 hex. So with
    this insane protection mechanism which we
  • 36:17 - 36:23
    were able to bypass we were able to look
    at the drivers themselves and the first
  • 36:23 - 36:27
    one of them, SVfilter.sys - I remind you
    that this is a file system filter driver -
  • 36:27 - 36:32
    this is loaded and utilized by SVDealer.
    This is the real time scanning component
  • 36:32 - 36:37
    and it has two main functionalities. One
    is to actually scan files upon access so
  • 36:37 - 36:42
    it would intercept any kind of activity
    with the file system and it would take the
  • 36:42 - 36:50
    underlying file and would issue it to
    SVDealer to conduct a scan on it and also
  • 36:50 - 36:55
    it's actually used to protect the
    antivirus as binaries themselves to avoid
  • 36:55 - 37:04
    any kind of malfunction against them by
    the user. And it really took us quite some
  • 37:04 - 37:09
    time to realize that these are the only
    two things that this driver does because
  • 37:09 - 37:15
    the code for them is really a mess. And
    I'm going to save you some time and
  • 37:15 - 37:20
    explain the flaw of this driver by
    simplifying it a little bit. So this is
  • 37:20 - 37:27
    how SVfilter.sys works in a nutshell. The
    first action it does is waste time
  • 37:27 - 37:34
    laughter. So it does a lot of redundant
    checks that seem to have no effect on this
  • 37:34 - 37:39
    code whatsoever. Then it moves on to see
    if the file scanned here is actually
  • 37:39 - 37:45
    binary related to the antivirus itself. Of
    course if it is done it will deny access
  • 37:45 - 37:51
    to it. Then it moves to the very important
    action of wasting a lot more time
  • 37:51 - 37:58
    laughter by doing what seems to be
    pretty much garbage code. And finally at
  • 37:58 - 38:04
    some point it will take the file, it will
    scan it and if the file seems to be
  • 38:04 - 38:09
    malicious then it will deny the access to
    it. Otherwise it will allow the access. So
  • 38:09 - 38:15
    this is pretty much everything to say
    about SVfilter. There was another driver
  • 38:15 - 38:24
    called SVHook.sys which is utilized by the
    main GUI component, SVMain.exe. You look
  • 38:24 - 38:28
    at this name, you think, yes, it probably
    hooks stuff. No - it doesn't actually hook
  • 38:28 - 38:36
    anything. It's actually used to query some
    kind of process object data from the
  • 38:36 - 38:44
    kernel and really it's quite of a
    confusing driver because it seems to have
  • 38:44 - 38:51
    like 13 ioctls. Only 3 are ever used and
    it's highly, highly buggy. There's a lot
  • 38:51 - 39:01
    of bugs there. So for instance, we've seen
    the following function where there's an
  • 39:01 - 39:10
    ioctl issued to this driver and it really
    seems that those two components, SVMain
  • 39:10 - 39:16
    and SVHook, were really developed by two
    different developers. So here we can see
  • 39:16 - 39:25
    that this programmer who wrote this
    particular ioctl call actually used a
  • 39:25 - 39:31
    buffer of size 12. Now you would assume
    that those two developers have agreed that
  • 39:31 - 39:37
    this should be the buffer size, right?
    Well, evidently the second developer was
  • 39:37 - 39:43
    not really notified about this and in fact
    checks explicitly that the buffer size is
  • 39:43 - 39:51
    12 and if that's the case nothing happens
    laughter. Which really is a piece of
  • 39:51 - 39:59
    shit code that does nothing laughter. So
    while looking into this, we tried to dig a
  • 39:59 - 40:03
    little bit deeper and understand why those
    bugs happen and we think we have an
  • 40:03 - 40:10
    answer. So just strolling around we see a
    lot of this. If you look at this you
  • 40:10 - 40:15
    realize that you're looking at a lot of
    debug prints used by the author and you
  • 40:15 - 40:23
    see that one of the parts of the strings
    referenced here is "sub_00something" which
  • 40:23 - 40:28
    is an IDA-auto-generated name. Which to
    me, ladies and gentlemen, seems like
  • 40:28 - 40:33
    instead of looking at authentic code, we
    were in fact reverse engineering a
  • 40:33 - 40:38
    reverse.engineered driver. So essentially
    what happened here is that the developer
  • 40:38 - 40:46
    of SVHook took some driver, decompile it,
    copied the code and added a bunch of debug
  • 40:46 - 40:52
    prints in order to try to understand what
    he was copying and it seems he didn't only
  • 40:52 - 40:58
    fail to understand it but he also forgot
    to remove this trail of debug prints. That
  • 40:58 - 41:05
    demonstrates his elite coding skills. So
    we are nearly at the end and we talked
  • 41:05 - 41:10
    quite a bit about the technical parts here
    but to get the full picture I think it's a
  • 41:10 - 41:16
    good idea to look at the development story
    behind the software. So in essence, who is
  • 41:16 - 41:22
    behind SiliVaccine? Well, to tackle this
    question we resorted to some version info
  • 41:22 - 41:27
    that can be found inside the antivirus as
    binaries. And there we found some version
  • 41:27 - 41:31
    manifest that pointed at several
    companies, the first one of which is
  • 41:31 - 41:36
    called PGI (Pyongyang Guangdong
    Information Technology). It seems to be
  • 41:36 - 41:40
    some kind of a North Korean establishment,
    a known one, that specializes in network
  • 41:40 - 41:47
    security software. But really the more
    interesting company that we found there
  • 41:47 - 41:54
    was called "STS Tech-Service" which is
    really this kind of shady company that has
  • 41:54 - 41:58
    no trace of its activity online. We
    couldn't find any kind of artifact that
  • 41:58 - 42:08
    shows what this company does or what is
    its main field of occupation. So we still
  • 42:08 - 42:15
    can answer some questions about STS tech
    service. For instance we can say that STS
  • 42:15 - 42:21
    tech service is highly likely based in the
    DPRK North Korea and that is due to this
  • 42:21 - 42:26
    brochure you see here on the screen which
    is taken from a trade fair that took place
  • 42:26 - 42:33
    in Pyongyang back in 2006. And in this
    particular trade fair this company, STS
  • 42:33 - 42:38
    Tech-Service, they participated. We
    contacted the organizers and they actually
  • 42:38 - 42:43
    confirmed that STS Tech- Service did come
    from North Korean side. Still, some
  • 42:43 - 42:47
    questions remain. Is that a private
    company in North Korea or is that even a
  • 42:47 - 42:52
    thing? Is that a government entity? Is
    that the same thing in North Korea? We
  • 42:52 - 42:59
    don't know. Actually, another source told
    us that this company might be a
  • 42:59 - 43:04
    subdivision of the KPA (where KPA stands
    for Korean People's Army), but we have no
  • 43:04 - 43:10
    way of corroborating this. And you
    remember that Trend Micro stated that
  • 43:10 - 43:17
    their engine could have been leaked from
    third party. Could that third party be
  • 43:17 - 43:22
    this company? Well we don't know actually,
    but what we did see and which was really
  • 43:22 - 43:28
    interesting is a particular connection
    between North Korea and Japan that repeats
  • 43:28 - 43:33
    throughout this whole research so for one
    we've already seen that SVKernel is
  • 43:33 - 43:41
    basically some kind of modified version of
    Trend Micro's engine. But then we've also
  • 43:41 - 43:45
    seen that STS Tech-Service at some point
    cooperated with a company called Silver
  • 43:45 - 43:52
    Star Japan on a particular application. As
    a matter of fact it not only cooperated
  • 43:52 - 43:56
    with them but also with another company
    called Magnolia which also resides in
  • 43:56 - 44:01
    Japan. Actually Silver Star and Magnolia
    reside in the same address in Japan, which
  • 44:01 - 44:06
    is quite interesting. And then in a
    particular instance all of these three
  • 44:06 - 44:12
    companies - Magnolia, Silver Star and STS
    Tech-Service cooperated with the KCC, a
  • 44:12 - 44:18
    very famous North Korean research
    establishment, the Korean Computer Center,
  • 44:18 - 44:24
    on another application. And it's important
    to say that while we can be very easily
  • 44:24 - 44:29
    drawn to some conclusions here and
    speculate on some very wild scenarios,
  • 44:29 - 44:33
    especially given the fact that North Korea
    and Japan are not friends, we need to
  • 44:33 - 44:38
    remember that this is just a crazy web of
    connections that we unraveled here. And
  • 44:38 - 44:41
    actually we cannot say much about this
    other than pointing out the connections
  • 44:41 - 44:49
    themselves. Still I can say that we did
    find some traces of maliciousness in this
  • 44:49 - 44:57
    whole package and at this point we
    thought: all right, we are done with the
  • 44:57 - 45:05
    research; could it be that there is no
    malware or backdoor here? Well, it turns
  • 45:05 - 45:11
    out that if we look back on this e-mail
    sent by this supposedly Japanese engineer,
  • 45:11 - 45:18
    Kang yong hak and reinspect the installer
    provided in this particular email, then
  • 45:18 - 45:23
    actually it has no metadata. And that's
    not surprising because this installer is
  • 45:23 - 45:27
    in fact this file is in fact a self-
    extracting archive which contains the real
  • 45:27 - 45:34
    installer of SiliVaccine. But then it also
    contains another file called "SVpatch4.0"
  • 45:34 - 45:40
    which - well, OK. But when you look at the
    metadata you see it's supposedly related
  • 45:40 - 45:47
    to Microsoft automatic updates which is,
    again, highly suspicious laughter. Now,
  • 45:47 - 45:52
    we decided to look deeper in this file and
    it turns out that actually this file is a
  • 45:52 - 45:57
    signed binary. And if you look the issue
    up on Google we come to a Kaspersky report
  • 45:57 - 46:03
    about the Darkhotel APT. Very alarming.
    And then we decided to dig deeper and
  • 46:03 - 46:08
    analyze this file. So we did some
    analysis. We realized that this is
  • 46:08 - 46:16
    actually the stage one malware from a
    known campaign called Jaku uncovered by
  • 46:16 - 46:24
    Forcepoint in 2016. Now what is Jaku? Jaku
    was an ongoing botnet campaign, it
  • 46:24 - 46:29
    targeted mainly North Korea and Japan. And
    while it infected a lot of victims the
  • 46:29 - 46:34
    later stages of the malware - stages 2 and
    3 - were only used against a select group
  • 46:34 - 46:39
    of individuals with North Korea and
    Pyongyang being the common theme between
  • 46:39 - 46:44
    them. Now another interesting connection
    that was outlined by Forcepoint is between
  • 46:44 - 46:49
    Jaku and Darkhotel which is really further
    evidence to this kind of an interesting
  • 46:49 - 46:56
    connection on top of what we saw with the
    certificate used previously. Now who could
  • 46:56 - 47:00
    be the target here? It could be the case
    that every SiliVaccine installation is
  • 47:00 - 47:04
    bundled with this malware, but we don't
    think so. We actually think that the
  • 47:04 - 47:10
    target was Martin Williams who deals
    vastly with North Korea. And it is
  • 47:10 - 47:17
    possible that this particular malware was
    used against him. So this is pretty much
  • 47:17 - 47:22
    the end and I would like to, before I let
    you go, summarize everything that we've
  • 47:22 - 47:30
    seen in this talk. Let's look back and see
    those things. So for one we have seen that
  • 47:30 - 47:36
    SiliVaccine has been illegally using Trend
    Micro's engine and it was not a one-time
  • 47:36 - 47:43
    thing. It has been done at least two times
    and probably over multiple versions and
  • 47:43 - 47:50
    for several years. Then we've also seen
    that the authors of SiliVaccine tried to
  • 47:50 - 47:57
    conceal the fact that they used this
    engine with some interesting mechanism.
  • 47:57 - 48:03
    Then we've seen that there is an explicit
    whitelisting of a particular signature and
  • 48:03 - 48:09
    that the installation of SiliVaccine comes
    bundled with the malware called Jaku. Now,
  • 48:09 - 48:14
    while having these understandings we still
    have some unanswered questions. For
  • 48:14 - 48:20
    instance, we've seen that there are some
    artifacts that point at the fact that the
  • 48:20 - 48:25
    code of SiliVaccine might have been
    recompiled with some other optimizations
  • 48:25 - 48:30
    that were not in Trend Micro' engine in
    the first place. So, having said that, how
  • 48:30 - 48:35
    did the SiliVaccine authors obtain such an
    access to a proprietary resource? We have
  • 48:35 - 48:43
    no idea. Also this white-listed signature
    - we cannot say what it represents. It's a
  • 48:43 - 48:48
    heuristic signature so we cannot really
    tell if it was trying to whitelist a
  • 48:48 - 48:55
    malicious tool or a benign software. It's
    not very clear. And then also the Jaku
  • 48:55 - 49:00
    malware. Since we only have one instance
    of this particular software from 2013 it's
  • 49:00 - 49:06
    hard to say if it's bundled with all
    versions or only with this one. And while
  • 49:06 - 49:11
    I can't answer all of these questions
    concisely I do want to point out that
  • 49:11 - 49:16
    throughout this research we've seen a lot
    of effort done to develop this particular
  • 49:16 - 49:21
    product and through this effort we've
    stumbled upon quite many illegal and shady
  • 49:21 - 49:28
    practices employed by the DPRK to develop
    their own homebrew software. A software
  • 49:28 - 49:33
    that, remember, maybe sometime in another
    time and in a perfect world could have
  • 49:33 - 49:38
    been totally legitimate. And with that in
    mind I would like to thank you for your
  • 49:38 - 49:42
    attention and hope you enjoy your time at
    CCC.
  • 49:42 - 49:53
    applause
  • 49:53 - 50:02
    Herald: Thank you, Mark, that was
    wonderful. We have plenty of time for
  • 50:02 - 50:08
    questions and we have two microphones. One
    is in the middle of the room and one is
  • 50:08 - 50:14
    sort of outside of the stage. So please
    queue up if you want to ask questions. And
  • 50:14 - 50:17
    we already have a question on the
    microphone 1.
  • 50:17 - 50:21
    Audience member 1: Do you have any idea
    why they chose Trend Micro over any other
  • 50:21 - 50:23
    engine?
    Mark: Excuse me, could you repeat the
  • 50:23 - 50:26
    question and raise your hand, because I
    didn't see you?
  • 50:26 - 50:29
    Audience member 1: Do you have any idea
    why they chose Trend Micro and not any
  • 50:29 - 50:35
    other engine, like an open source engine?
    Mark: Do I have any idea of Trend Micro
  • 50:35 - 50:38
    tools is what? I'm sorry.
    Audience member 1: Do you have any idea
  • 50:38 - 50:42
    why Trend Micro was chosen by them?
    Mark: Ah, why Trend Micro.
  • 50:42 - 50:44
    Audience member 1: In comparison to
    anything else?
  • 50:44 - 50:46
    Mark: Actually I have no idea. I really
    don't.
  • 50:46 - 50:49
    Audience member 1: Thank you.
    Mark: If you know, then tell me, please.
  • 50:49 - 50:51
    laughter
    Herald: microphone 2.
  • 50:51 - 50:57
    Audience member 2: So have you looked at
    the fact that this antipiracy is a .exe.
  • 50:57 - 51:02
    So it runs on Windows but all of North
    Korea runs with Red Star OS which is a
  • 51:02 - 51:06
    Unix.
    Mark: Well, as far as I could tell from
  • 51:06 - 51:11
    people I discussed with who do know a few
    things about North Korea actually Red Star
  • 51:11 - 51:16
    OS is not the most common operating system
    there. In fact it's barely used because,
  • 51:16 - 51:23
    well, to say it shortly, it's shit but
    they do use what seems to be some kind of
  • 51:23 - 51:29
    Chinese versions of Windows XP and Windows
    7. So this is intended to run on these
  • 51:29 - 51:34
    operating systems.
    Herald: Thank you. Another question from
  • 51:34 - 51:36
    mic 1.
    Audience member 3: How did you get the
  • 51:36 - 51:42
    2005 version of the antivirus?
    Mark: Come to me later and I'll tell you.
  • 51:42 - 51:47
    laughter
    Herald: Mic 1, please.
  • 51:47 - 51:51
    Audience member 4: Yeah I just wanted to
    know if you checked that the Jaku malware
  • 51:51 - 51:57
    was not part of this whitelist program.
    Mark: Oh yes, we checked it. Actually this
  • 51:57 - 52:05
    was not the white-listed signature. It was
    actually not detected by SiliVaccine, but
  • 52:05 - 52:09
    it was also not detectable by Trend
    Micro. It was not detected by anyone
  • 52:09 - 52:16
    actually so it was not the white-listed
    signature.
  • 52:16 - 52:21
    Herald: Thank you. That's all. Thank you,
    Mark. Thank you for the amazing talk.
  • 52:21 - 52:23
    applause
  • 52:23 - 52:28
    35C3 postroll music
  • 52:28 - 52:45
    subtitles created by c3subtitles.de
    in the year 2019. Join, and help us!
Title:
35C3 - SiliVaccine: North Korea's Weapon of Mass Detection
Description:

more » « less
Video Language:
English
Duration:
52:45

English subtitles

Revisions Compare revisions