1
00:00:00,000 --> 00:00:18,684
35C3 preroll music
2
00:00:18,684 --> 00:00:26,150
Herald: So our next speaker is Mark
Lechtik and he is going to talk about
3
00:00:26,150 --> 00:00:33,280
SiliVaccine, North Korea's weapon of mass
detection. Mark is the malware research
4
00:00:33,280 --> 00:00:38,470
team leader at Check Point and he deals
with reverse engineering and malware
5
00:00:38,470 --> 00:00:46,010
analysis both as occupation and as a
hobby. So a huge round of applause to Mark
6
00:00:46,010 --> 00:00:54,780
applause and we are starting the talk.
7
00:00:54,780 --> 00:00:58,873
Mark Lechtik: Let's begin with a short video
8
00:00:58,873 --> 00:01:00,094
Video
9
00:02:07,560 --> 00:02:12,880
Laughter
Ladies and gentleman, for those of you who
10
00:02:12,880 --> 00:02:19,700
don't know this lady in pink, her name is
리춘히, a good friend of mine, North Korea's
11
00:02:19,700 --> 00:02:27,040
main news presenter. And she just turned
75 years old this July. Let's give her a
12
00:02:27,040 --> 00:02:36,330
warm round of applause for her passionate
introduction to SiliVaccine. Of course I'm
13
00:02:36,330 --> 00:02:41,080
lying, she's not my friend, nor did she
even speak about SiliVaccine in this
14
00:02:41,080 --> 00:02:48,140
video. But still, kudos to her for
grabbing your attention. And again, hello,
15
00:02:48,140 --> 00:02:53,370
thank you for joining me for this talk
titled "SiliVaccine - North Korea's weapon
16
00:02:53,370 --> 00:03:01,590
of mass detection". Before I actually tell
you about the research story here, I would
17
00:03:01,590 --> 00:03:08,590
like to introduce you to the two notorious
dissidents who are behind this infamous
18
00:03:08,590 --> 00:03:13,900
research. You see them right here on the
screen. One of them actually happens to be
19
00:03:13,900 --> 00:03:20,430
me. My name is Mark Lechtik. As previously
mentioned, I'm the malware-research team
20
00:03:20,430 --> 00:03:27,880
leader at Check Point and my partner in
crime for this research is named Michael
21
00:03:27,880 --> 00:03:33,540
Kajiloti. Unfortunately, he couldn't be
here today because he's on vacation in
22
00:03:33,540 --> 00:03:39,540
Hawaii probably drinking some smoothie
from a coconut. So I thought this would be
23
00:03:39,540 --> 00:03:47,330
a better picture. To Michael, have a lot
of fun in your travel. Come home safely
24
00:03:47,330 --> 00:03:56,040
and beware of Koreans who stare at you
suspiciously. Now, we both work at
25
00:03:56,040 --> 00:04:01,120
Check Point as mentioned and without
further ado let me give you a little bit
26
00:04:01,120 --> 00:04:09,920
of a background for this research. So this
whole research actually began at one point
27
00:04:09,920 --> 00:04:15,470
this year around March when I was looking
for something to read on Twitter and then
28
00:04:15,470 --> 00:04:21,079
I stumbled upon this article you see right
here titled "Inside North Korea's Hacker
29
00:04:21,079 --> 00:04:27,260
Army" by Bloomberg and it's actually a
pretty interesting piece, I recommend you
30
00:04:27,260 --> 00:04:37,210
to read it. It discusses in particular a
North Korean defector who was drafted to
31
00:04:37,210 --> 00:04:42,900
work for a government agency in North
Korea and ended up raising money for the
32
00:04:42,900 --> 00:04:51,780
regime through hacking. And an interesting
thing I noted throughout this publication
33
00:04:51,780 --> 00:04:58,570
is that the author tried to portray some
kind of a narrative of North Korean state
34
00:04:58,570 --> 00:05:05,590
sponsored cyber operations and in
particular in one paragraph he gives a
35
00:05:05,590 --> 00:05:10,750
representation of what seems to be the
North Korean government's official comment
36
00:05:10,750 --> 00:05:16,540
to various hacking allegations made
against North Korea by the West. And
37
00:05:16,540 --> 00:05:21,840
here's a quote: "So formally, North Korea
denies engaging in hacking and describes
38
00:05:21,840 --> 00:05:27,710
accusations to that effect as 'enemy
propaganda'. It says its overseas computer
39
00:05:27,710 --> 00:05:33,090
efforts are directed at promoting its
antivirus software in the global market.
40
00:05:33,090 --> 00:05:36,870
The country has for more than a decade
been working on such programs including
41
00:05:36,870 --> 00:05:43,270
one called SiliVaccine. Now looking at
this, you're probably asking yourselves:
42
00:05:43,270 --> 00:05:48,760
What the hell is SiliVaccine? Well, as you
may understand by now, SiliVaccine is an
43
00:05:48,760 --> 00:05:54,210
antivirus that is developed and used
exclusively in North Korea. So this is
44
00:05:54,210 --> 00:06:01,160
basically a North Korean antivirus. Or how
I like to call it: The Kim Jong Un-tivirus.
45
00:06:01,160 --> 00:06:08,190
laughter Now obviously this is
a very rare product. You can't find it on
46
00:06:08,190 --> 00:06:12,770
the Internet, you cannot download it
anywhere. It basically resides only inside
47
00:06:12,770 --> 00:06:18,850
the DPRK. As far as we could tell in this
research it's actively developed since
48
00:06:18,850 --> 00:06:25,320
2003 and the version that I'm going to
focus on here today is version 4.0, which
49
00:06:25,320 --> 00:06:33,920
was released in 2013. Just as a caveat: We
are also in possession of another version
50
00:06:33,920 --> 00:06:39,870
from 2005, which was one of the early
versions of SiliVaccine and I will mention
51
00:06:39,870 --> 00:06:44,900
it a little bit later throughout this
talk. Now if you know anything about North
52
00:06:44,900 --> 00:06:51,340
Korea, then one thing you should note is
that there is actually no internet inside
53
00:06:51,340 --> 00:06:57,590
North Korea, right. Instead, what they
have is what's called an Intranet, which
54
00:06:57,590 --> 00:07:06,729
is this highly restricted but glorified
local area network; and, having that in
55
00:07:06,729 --> 00:07:12,110
mind, you must be thinking "Why the hell
would North Korea use an antivirus in the
56
00:07:12,110 --> 00:07:17,340
first place?". Well, there are a few
interesting explanations for that: One,
57
00:07:17,340 --> 00:07:23,050
the more exotic one, is to actually
protect against threats that might reside
58
00:07:23,050 --> 00:07:28,201
within media that is smuggled to the
country. And for this matter as an
59
00:07:28,201 --> 00:07:32,979
example, it turns out that there is
actually a phenomenon of USB sticks with
60
00:07:32,979 --> 00:07:40,229
Western media that somehow magically find
their way inside North Korea. And then
61
00:07:40,229 --> 00:07:46,409
they get sold in the country's black
market to citizens. And I know it sounds
62
00:07:46,409 --> 00:07:50,860
totally fucked up, but remember, it's
North Korea and to convince you a little
63
00:07:50,860 --> 00:07:56,460
bit better, you're invited to go to this
website called "flash drives for freedom",
64
00:07:56,460 --> 00:08:03,699
which is actually a crowd-sourced funding
project for USB sticks that get written
65
00:08:03,699 --> 00:08:14,620
with content from the West and smuggled
into North Korea. So just a fun fact, if
66
00:08:14,620 --> 00:08:20,930
you have any kind of problems with your
local IRS, don't worry. The smuggled USB
67
00:08:20,930 --> 00:08:28,800
stick is 100 percent tax refundable. As
for the content inside of it, well, it
68
00:08:28,800 --> 00:08:35,650
contains just all kinds of information,
entertainment content from the West like
69
00:08:35,650 --> 00:08:42,830
Wikipedia articles and South Korean soap
operas, which somehow managed to threaten
70
00:08:42,830 --> 00:08:48,500
the North Korean regime. But anyways,
there's also another explanation for the
71
00:08:48,500 --> 00:08:53,890
existence of this antivirus, and this is
the fact that is actually stated by North
72
00:08:53,890 --> 00:08:59,650
Korea itself, is to raise money for the
regime by selling this product in the
73
00:08:59,650 --> 00:09:05,920
worldwide market. As a matter of fact to
corroborate this, we can refer to the 2005
74
00:09:05,920 --> 00:09:10,060
version of SiliVaccine that I mentioned
previously, which you can see here on the
75
00:09:10,060 --> 00:09:15,700
screen, was written both in Korean and
English, which might hint at the fact that
76
00:09:15,700 --> 00:09:20,700
whoever wrote this version tried to make
it more appealing for English-speaking
77
00:09:20,700 --> 00:09:27,540
users as well as Korean ones. Now you also
must be asking yourselves: "How the hell
78
00:09:27,540 --> 00:09:32,840
did we get our hands on the software in
the first place?" Well, the answer to this
79
00:09:32,840 --> 00:09:37,590
lies in the Bloomberg article I mentioned
earlier. It linked to a blogpost by this
80
00:09:37,590 --> 00:09:44,720
guy named Martin Williams. Martin Williams
is a journalist who covers various kinds
81
00:09:44,720 --> 00:09:51,970
of news items related to North Korea. And
he actually got this particular software
82
00:09:51,970 --> 00:09:57,080
through, I would say, a slightly
suspicious email from a guy calling
83
00:09:57,080 --> 00:10:02,910
himself Kang Yong Hak, a security engineer
from Japan, who wanted to give it to him
84
00:10:02,910 --> 00:10:08,050
as a journalistic lead. And remember this
email, we will talk about it a little bit
85
00:10:08,050 --> 00:10:14,940
later. Now of course Martin was kind
enough to share the software with us and
86
00:10:14,940 --> 00:10:20,420
it's the place to thank him for making
this whole research possible. Now what did
87
00:10:20,420 --> 00:10:25,390
we want to find out in this research? So
first of all, we wanted to understand the
88
00:10:25,390 --> 00:10:31,100
technical structure of the software. How
is it built? Through which we hope to get
89
00:10:31,100 --> 00:10:36,779
somewhat of an anthropological view on
some of the practices employed by the
90
00:10:36,779 --> 00:10:44,300
North Korean engineers meaning how
engineers with restricted resources tackle
91
00:10:44,300 --> 00:10:50,840
a big project like building an antivirus
from scratch. Also we wanted to see if we
92
00:10:50,840 --> 00:10:57,110
can find any kind of abnormal behavior
inside this antivirus. Some things that
93
00:10:57,110 --> 00:11:02,720
could have been left in place and expose
some hidden agenda of the developers and
94
00:11:02,720 --> 00:11:07,630
in particular we try to locate any
potential backdoor that could have been
95
00:11:07,630 --> 00:11:13,200
deliberately put in place as a means of
surveillance against the citizens. So with
96
00:11:13,200 --> 00:11:22,790
that in mind let's take a short overview
of the antivirus architecture and for this
97
00:11:22,790 --> 00:11:27,000
matter let's start with the software
libraries that comprise it, the first of
98
00:11:27,000 --> 00:11:33,680
which is called SV shell. This is just a
basic shell extension that introduces this
99
00:11:33,680 --> 00:11:41,020
entry in the context menu which you can
see if you click the right mouse button.
100
00:11:41,020 --> 00:11:48,480
And this is basically meant to just do a
manual scan on a file using SiliVaccine.
101
00:11:48,480 --> 00:11:52,590
And you know what - let's just test this
feature and see if it works. So here we
102
00:11:52,590 --> 00:12:01,480
have malware, we right-click, we press on
this feature and nothing happens which is
103
00:12:01,480 --> 00:12:06,589
really just some kind of a bug that we see
right from the very beginning of testing
104
00:12:06,589 --> 00:12:12,990
this antivirus. Spoiler: there are more,
but never mind. Let's move on. The next
105
00:12:12,990 --> 00:12:19,230
component we see here is one called
SVKernel.dll. Now this is in fact the file
106
00:12:19,230 --> 00:12:24,240
scanning the engine of this antivirus. And
this is really the core component that
107
00:12:24,240 --> 00:12:31,269
contains the logic that implements the virus
scanner for files. This .dll exposes roughly
108
00:12:31,269 --> 00:12:37,410
20 export functions with the names
SVfunc001 through SVfunc020 - very
109
00:12:37,410 --> 00:12:42,630
ambiguous naming convention - and they are
of course used in conjunction with
110
00:12:42,630 --> 00:12:48,370
patterns or signatures which is the
content that allows the software to decide
111
00:12:48,370 --> 00:12:54,910
if a given file is malicious or not. Then
we have another group of components which
112
00:12:54,910 --> 00:13:01,170
is pretty self-explanatory. These are the
GUI components the first of which is this
113
00:13:01,170 --> 00:13:07,920
tray menu you can see on the right corner
of the screen. And this little menu allows
114
00:13:07,920 --> 00:13:15,360
you to execute any other GUI menus in this
antivirus. For instance you can see the
115
00:13:15,360 --> 00:13:23,260
following menu where you can do a full
scan on the file system. You can play
116
00:13:23,260 --> 00:13:29,670
around with some of the configurations of
this antivirus. It's also possible to do
117
00:13:29,670 --> 00:13:35,260
some whitelisting and blacklisting
actions. And basically this is a GUI one-
118
00:13:35,260 --> 00:13:43,550
stop shop for all of this antivirus'
features and other... oh, before talking
119
00:13:43,550 --> 00:13:48,250
about the other components, SVmain
actually communicates with a driver called
120
00:13:48,250 --> 00:13:54,980
SVHook.sys. This is a driver that is meant
to convey some information to SVMain
121
00:13:54,980 --> 00:14:01,390
from the Kernel space. We will discuss
this driver a little bit later. Then we
122
00:14:01,390 --> 00:14:07,790
have the update mechanism of the antivirus
which will basically download any kind of
123
00:14:07,790 --> 00:14:13,029
update binaries and components or update
signatures and we'll verify them with an
124
00:14:13,029 --> 00:14:20,070
external component called SVDiffUpd.exe.
And of course, as I mentioned, everything
125
00:14:20,070 --> 00:14:27,430
here resides inside North Korea's
Intranet. So this update client will
126
00:14:27,430 --> 00:14:33,060
communicate with a server inside North
Korea and it will do so using a custom
127
00:14:33,060 --> 00:14:38,720
update protocol which works on top of the
HTTP protocol. And here you can see some
128
00:14:38,720 --> 00:14:43,670
of the messages exchanged between this
update client and server. And one thing I
129
00:14:43,670 --> 00:14:49,050
would like you to notice is the vast
amount of information conveyed through
130
00:14:49,050 --> 00:14:54,149
this update protocol. You can see fields
like a serial number, some kind of an
131
00:14:54,149 --> 00:15:00,700
interface ID and IP which is for the most
part kind of suspicious. I mean, why the
132
00:15:00,700 --> 00:15:06,720
hell do they need all of this information
just for an update mechanism? But since we
133
00:15:06,720 --> 00:15:12,709
don't have any access to the server or any
kind of way to understand how the user
134
00:15:12,709 --> 00:15:18,050
communicates with it we can't really tell
why this information is collected so we'll
135
00:15:18,050 --> 00:15:24,610
just leave this fact as is. Another
interesting thing is that the whole HTTP
136
00:15:24,610 --> 00:15:31,779
protocol was manually implemented by the
developers and along the way they made some
137
00:15:31,779 --> 00:15:37,040
interesting mistakes for instance the
content length field of the HTTP header is
138
00:15:37,040 --> 00:15:43,220
written with an underscore here which is
kind of a mistake. It's not the way it is
139
00:15:43,220 --> 00:15:50,399
intended to be used. Also the authors
wanted to convey the update client's
140
00:15:50,399 --> 00:15:56,610
identity to the server and they did so
with the user agent which is a pretty
141
00:15:56,610 --> 00:16:02,360
typical way of doing this but instead of
only using the user agent they added
142
00:16:02,360 --> 00:16:08,400
another field called "User-Dealer". I have
no idea what kind of dealer they had in
143
00:16:08,400 --> 00:16:14,990
mind laughter but obviously this has
nothing to do with the HTTP protocol. And
144
00:16:14,990 --> 00:16:20,089
speaking of dealers there is yet another
component here called SVDealer.exe which
145
00:16:20,089 --> 00:16:25,330
is actually the real-time scanning
component of this antivirus which you can
146
00:16:25,330 --> 00:16:31,160
enable through the tray menu as well. And
this particular component will use another
147
00:16:31,160 --> 00:16:38,170
driver called SVFilter.sys which is a file
system filter driver meant to intercept
148
00:16:38,170 --> 00:16:47,910
all kinds of access to the file system and
issue the underlying file to a scan prior
149
00:16:47,910 --> 00:16:52,800
to actually doing any kind of action on
it. And, again, we'll discuss this
150
00:16:52,800 --> 00:16:57,890
particular driver later on. At this point
I should mention that the two components
151
00:16:57,890 --> 00:17:02,959
here that actually do any kind of scanning
tests are SVDealer and SVMain that you see
152
00:17:02,959 --> 00:17:07,839
here on the screen. Obviously they would
have to use the file scanning engine for
153
00:17:07,839 --> 00:17:12,270
this purpose and also a bunch of
signatures which are represented through a
154
00:17:12,270 --> 00:17:20,429
series of files called the pattern files.
Another thing here that we have as a
155
00:17:20,429 --> 00:17:27,609
driver that I'm not going to talk about at
all. This is a driver called ststdi2.sys.
156
00:17:27,609 --> 00:17:32,010
This is basically a TDI network filter
driver. If you don't have any idea what I
157
00:17:32,010 --> 00:17:35,890
just said, this is perfectly fine because
this driver does absolutely nothing
158
00:17:35,890 --> 00:17:40,919
laughter. It just resides inside this
antivirus and collects all kinds of
159
00:17:40,919 --> 00:17:45,510
information about TCP connections and it
should be queried theoretically by other
160
00:17:45,510 --> 00:17:50,420
components. But no one ever queries it so
it seems like it's just some kind of a
161
00:17:50,420 --> 00:17:56,350
residue from previous versions of
SiliVaccine. So we'll just leave it be, I
162
00:17:56,350 --> 00:18:01,430
guess. And another interesting point here
is that a lot of these components you see
163
00:18:01,430 --> 00:18:08,580
here were protected with a legitimate
protector, a commercial protector called
164
00:18:08,580 --> 00:18:13,140
Themida which - if you've heard of it, you
probably know - it's a pain in the ass to
165
00:18:13,140 --> 00:18:19,380
reverse engineer. Luckily for us, whoever
used this protector did not enable a lot
166
00:18:19,380 --> 00:18:26,870
of its features and we could unpack it
with moderate efforts. This is the full
167
00:18:26,870 --> 00:18:31,380
architecture of this antivirus. I'm not
going to go any further in it. You can
168
00:18:31,380 --> 00:18:38,020
read about it in our publication, full
publication about this software. Actually
169
00:18:38,020 --> 00:18:43,530
I want to focus in all of this complicated
scheme on one particular component which I
170
00:18:43,530 --> 00:18:48,520
already discussed. This is SVKernel.dll. I
remind you: this is the file scanning
171
00:18:48,520 --> 00:18:54,919
engine of the antivirus. This is really
the heart and soul of this whole software
172
00:18:54,919 --> 00:18:59,000
and this is why we're going to talk about
it next. And I would like to begin this
173
00:18:59,000 --> 00:19:05,560
discussion about this component with what
every good reverse engineer looks at. And
174
00:19:05,560 --> 00:19:10,500
these are strings, of course. And the
first thing we did was to open this file
175
00:19:10,500 --> 00:19:17,090
and look at its strings and, like every
professional reverse engineer, we looked
176
00:19:17,090 --> 00:19:22,620
them up on Google laughter and here is,
ladies and gentlemen, where it actually
177
00:19:22,620 --> 00:19:29,280
gets interesting because it turns out that
if we look it up on Google we come to another
178
00:19:29,280 --> 00:19:39,870
file called vsapi32.dll. Now what is
vsapi32.dll? As it turns out, this is yet
179
00:19:39,870 --> 00:19:45,090
another file scanning engine. Actually
it's a file scanning engine belonging to a
180
00:19:45,090 --> 00:19:52,940
big corporation in the security field and
that is Trend Micro laughter which we
181
00:19:52,940 --> 00:19:59,240
thought was kind of surprising. And
looking at this, we thought: does it mean
182
00:19:59,240 --> 00:20:06,220
that this .dll is in some way incorporated
inside SiliVaccine? Did they use any kind
183
00:20:06,220 --> 00:20:12,250
of interesting way of incorporating its
functionality inside their engine? Well,
184
00:20:12,250 --> 00:20:19,340
let's find out laughter. So here on the
screen you can see what's called the
185
00:20:19,340 --> 00:20:26,710
binary diff. This is a binary comparison
between those two engines. On the left
186
00:20:26,710 --> 00:20:29,640
side you can see the Trend Micro engine
and on the right side you can see the
187
00:20:29,640 --> 00:20:35,160
SiliVaccine engine and actually you can
notice a few things here. For one, there's
188
00:20:35,160 --> 00:20:42,220
a 100 percent match between more than a
thousand functions of those two engines. A
189
00:20:42,220 --> 00:20:48,550
thousand functions is like a quarter of
SiliVaccine's engine code. And then you
190
00:20:48,550 --> 00:20:53,950
can see also that there's a 100 percent
match on some of the export functions. In
191
00:20:53,950 --> 00:20:59,290
fact, if you look at all of the first 18
export functions in SiliVaccine, you
192
00:20:59,290 --> 00:21:05,830
realize they somehow map to functions of
Trend Micro. And as an example, just take
193
00:21:05,830 --> 00:21:11,250
three of these functions and look at their
call flow graphs in IDA and we can see that
194
00:21:11,250 --> 00:21:16,400
they're pretty similar for the most part,
but I would say it's more interesting to
195
00:21:16,400 --> 00:21:21,810
note the small nuances or the small
differences between those particular
196
00:21:21,810 --> 00:21:26,070
functions. And as an example let's take
this pair of functions, VSinit and
197
00:21:26,070 --> 00:21:31,640
SVfunc005. Well, one interesting thing we
noticed at the very beginning is that
198
00:21:31,640 --> 00:21:37,550
while Trend Micro's engine uses mostly
libc functions like "memset", for
199
00:21:37,550 --> 00:21:44,819
instance, the equivalent in SiliVaccine
would at some points in-line those
200
00:21:44,819 --> 00:21:50,010
functions, it would use function inlining
to convey the same function and that
201
00:21:50,010 --> 00:21:55,580
essentially hints at the fact that the
developer of SiliVaccine could have
202
00:21:55,580 --> 00:22:01,169
recompiled this particular Trend Micro
code with some kind of a compiler
203
00:22:01,169 --> 00:22:06,169
optimization that was not applied on the
original engine. You can see another
204
00:22:06,169 --> 00:22:10,540
example for this right here, with the
"memcpy" and "qmemcpy", its in-line
205
00:22:10,540 --> 00:22:17,840
equivalent. And let's look at another pair
for this matter. So we have VSgetVSCinfo
206
00:22:17,840 --> 00:22:24,299
and SVfunc004. Once again, function
inlining. But another artifact that was
207
00:22:24,299 --> 00:22:32,100
left here are these numbers you see right
here. So it turns out that this particular
208
00:22:32,100 --> 00:22:37,090
field that is populated in this structure
you see here is actually the engine
209
00:22:37,090 --> 00:22:44,680
version of this antivirus and it turns out
that the engine version used inside
210
00:22:44,680 --> 00:22:53,260
SiliVaccine is 8.910 which is an engine
released by Trend Micro back in 2008. Now
211
00:22:53,260 --> 00:23:00,799
recall that this software is from 2013. So
basically whoever wrote this was using a
212
00:23:00,799 --> 00:23:07,590
five year old engine inside his code. And
finally, let's look at another pair:
213
00:23:07,590 --> 00:23:14,910
VSquit and SVfunc006. Once again, you can
see a call to a proprietary SiliVaccine
214
00:23:14,910 --> 00:23:19,549
function inside what used to be a Trend
Micro function. This is just some kind of
215
00:23:19,549 --> 00:23:24,619
a clean up function for a driver called
"svio" which has nothing to do with Trend
216
00:23:24,619 --> 00:23:34,420
Micro. And this again strengthens this
kind of speculation that, when compiling
217
00:23:34,420 --> 00:23:39,800
SiliVaccine, there was some kind of use of
a proprietary resource that belongs to
218
00:23:39,800 --> 00:23:47,770
Trend Micro. Well, I would like to mention
at this point that this was not the only
219
00:23:47,770 --> 00:23:53,630
instance of a Trend Micro engine we found
in SiliVaccine. In the 2005 version which
220
00:23:53,630 --> 00:24:01,630
I mentioned earlier we actually found a
trace of another component by Trend Micro
221
00:24:01,630 --> 00:24:07,610
which is called tmfilter.sys. This is
actually a kernel mode equivalent of this
222
00:24:07,610 --> 00:24:14,940
engine called vsapi32. And this really
shows that this whole sort of copyright
223
00:24:14,940 --> 00:24:20,240
infringement was not a one-time thing. It
has been possibly going on for quite a few
224
00:24:20,240 --> 00:24:26,410
years. Now, we reached out to Trend Micro
to get the response and basically, just to
225
00:24:26,410 --> 00:24:35,750
sum this up, Trend Micro says that, yes,
SiliVaccine used a 10+ year old version of
226
00:24:35,750 --> 00:24:41,000
their engine in their code. They
said, like, "WTF? We did not do any
227
00:24:41,000 --> 00:24:47,070
business with North Korea" laughter.
Also they're saying, "We have no idea how
228
00:24:47,070 --> 00:24:53,570
they got our engine." But they do hint at
the fact that they worked with some
229
00:24:53,570 --> 00:25:00,150
vendors as OEM back at that time and maybe
it's possible that one of these OEMs
230
00:25:00,150 --> 00:25:07,590
leaked their code or what not. So who
knows. So other than, you know, looking at
231
00:25:07,590 --> 00:25:12,990
this; other than saying that this is a
very kind of secretive antivirus that's
232
00:25:12,990 --> 00:25:18,830
developed inside North Korea, we couldn't
help but notice that there are quite a lot
233
00:25:18,830 --> 00:25:23,530
of mechanisms used by the authors to
conceal the fact that they're using a
234
00:25:23,530 --> 00:25:28,620
third party product. And again, I remind
you: we just realized that SiliVaccine is
235
00:25:28,620 --> 00:25:32,860
essentially using a Trend Micro engine and
we thought - if they're using the same
236
00:25:32,860 --> 00:25:36,169
engine this doesn't mean that they're
actually using the same signatures as
237
00:25:36,169 --> 00:25:42,600
well. So if we compare this on the surface
then it seems that no because SiliVaccine
238
00:25:42,600 --> 00:25:49,400
has multiple pattern files while Trend
Micro has one single large file. And also
239
00:25:49,400 --> 00:25:56,870
there seems to be no kind of similarity
between them on the binary level, but if
240
00:25:56,870 --> 00:26:02,120
we look a little bit deeper then we can
find the place in the code where those
241
00:26:02,120 --> 00:26:07,880
particular pattern files are being loaded.
This happens in SVKernel.dll in a
242
00:26:07,880 --> 00:26:13,970
particular function called SVfunc19. And
what happens there is that the name of the
243
00:26:13,970 --> 00:26:21,419
particular pattern file of one of the
pattern files is being calculated or
244
00:26:21,419 --> 00:26:26,520
generated, then a handle to this file is
obtained, the contents of the file are
245
00:26:26,520 --> 00:26:32,059
being read, then this particular file is
being decrypted, the decrypted chunk is
246
00:26:32,059 --> 00:26:36,830
appended to some buffer in memory, the ID
of this chunk is incremented and this
247
00:26:36,830 --> 00:26:42,150
whole process repeats. So essentially what
this function does is to load the pattern
248
00:26:42,150 --> 00:26:47,460
files one by one, decrypt them and append
them all together. Now before I talk a
249
00:26:47,460 --> 00:26:51,480
little more about the encryption here,
let's talk a little bit about the
250
00:26:51,480 --> 00:26:56,770
encryption key because there's something
interesting here. So this is the
251
00:26:56,770 --> 00:27:04,440
encryption key used there. A seemingly
random English string. We thought: "does
252
00:27:04,440 --> 00:27:10,049
it mean anything in Korean?". It doesn't
mean anything in any language, actually,
253
00:27:10,049 --> 00:27:14,990
but an interesting thing happens when we
take this particular string to a Korean-
254
00:27:14,990 --> 00:27:22,899
English keyboard and we try to type it
while accidentally forgetting to switch to
255
00:27:22,899 --> 00:27:29,029
English. So we get this Korean string. And
if we translate this Korean string to
256
00:27:29,029 --> 00:27:35,970
English, turns out that it literally means
"pattern encryption" laughter and
257
00:27:35,970 --> 00:27:53,530
applause. Thank you. laughter OK, so we
decided to look a bit deeper now regarding
258
00:27:53,530 --> 00:27:58,370
the encryption itself. We saw a lot of
encryption mechanics inside. Some have
259
00:27:58,370 --> 00:28:04,270
some cryptographic artifacts that resemble
the Shahwan algorithm, for instance, and
260
00:28:04,270 --> 00:28:08,980
all kinds of other stuff. We basically
didn't really bother understanding this
261
00:28:08,980 --> 00:28:12,900
whole mechanism very deeply because we
were interested in the decrypted pattern
262
00:28:12,900 --> 00:28:19,080
files which we could simply dump from
memory and that's what we did. And after
263
00:28:19,080 --> 00:28:26,060
dumping this from memory and comparing the
two signature files one to another we can
264
00:28:26,060 --> 00:28:30,841
actually see a similarity in the header
and if we scroll a little bit down we can
265
00:28:30,841 --> 00:28:35,130
also see that there is quite much of a
similarity in strings. Actually there is
266
00:28:35,130 --> 00:28:41,049
more than 90 percent match on the strings
in those two files. And the difference is
267
00:28:41,049 --> 00:28:48,069
probably due to the version of those
pattern files. Now that's not the end. We
268
00:28:48,069 --> 00:28:54,550
decided to test this thing. So we scanned
a bunch of files with SiliVaccine. They
269
00:28:54,550 --> 00:28:59,479
were all detected. We scanned them also
with Trend Micro. They were also detected.
270
00:28:59,479 --> 00:29:04,250
But there is something interesting here.
Although they're using the same signatures
271
00:29:04,250 --> 00:29:09,180
and same strings the detection names are
totally different. And that is, ladies and
272
00:29:09,180 --> 00:29:15,120
gentlemen, suspicious. So it turns out
there's a reason for this and the reason
273
00:29:15,120 --> 00:29:20,610
is that SiliVaccine actually renames the
signature names before displaying them to
274
00:29:20,610 --> 00:29:26,780
the user. And here is how this works. So
basically SiliVaccine will take a Trend
275
00:29:26,780 --> 00:29:34,830
Micro signature name, for this purpose
"TROJ_STEAL-1". It would then replace it,
276
00:29:34,830 --> 00:29:42,730
strip it of the underscores and dashes and
then replace the prefix with some kind of
277
00:29:42,730 --> 00:29:47,980
word based on a string based on a
predefined dictionary. It will also
278
00:29:47,980 --> 00:29:55,050
replace the suffix from a number to a
letter. It will modify the casing, append
279
00:29:55,050 --> 00:29:59,970
everything together with dots and this is
how you get a SiliVaccine signature
280
00:29:59,970 --> 00:30:06,580
laughter. So looking at all of this it's
interesting to note that the authors are
281
00:30:06,580 --> 00:30:11,610
probably trying to hide something. So just
to summarize all of these hiding
282
00:30:11,610 --> 00:30:17,559
mechanisms, let's just briefly take a look
at what we've already seen. So basically
283
00:30:17,559 --> 00:30:22,620
all of the files or most of the files in
this software are protected with Themida,
284
00:30:22,620 --> 00:30:28,450
a commercial protector, which means that
the binary files do not have any kind of
285
00:30:28,450 --> 00:30:34,300
string artifacts that allow a researcher
to understand what he's looking at. Also
286
00:30:34,300 --> 00:30:39,340
the pattern files are encrypted so we
don't have any string artifacts there. You
287
00:30:39,340 --> 00:30:45,590
can't understand from those signature
files what you're looking at. And finally,
288
00:30:45,590 --> 00:30:49,800
the malware signatures are renamed in real
time, so it means that even in real time
289
00:30:49,800 --> 00:30:55,970
you cannot tell what was the original
signature or where it came from. So
290
00:30:55,970 --> 00:31:00,220
essentially the user and a researcher
won't have any way of knowing that this
291
00:31:00,220 --> 00:31:05,721
product is using the engine of Trend
Micro, which is puzzling. So, moving on -
292
00:31:05,721 --> 00:31:11,890
let's talk about more of the fishy things
that go inside of this product. Namely,
293
00:31:11,890 --> 00:31:18,219
while analyzing it, we've seen a lot of
the following instances of this string,
294
00:31:18,219 --> 00:31:27,260
"Mal.Nucrp.F", and we realized that, based
on its format, it's probably some kind of
295
00:31:27,260 --> 00:31:33,279
a signature name. So we decided to
understand what it was. We ran our
296
00:31:33,279 --> 00:31:41,039
algorithm in reverse and we get the
following detection name - "Mal_NUCRP-5".
297
00:31:41,039 --> 00:31:44,390
But what's the deal with the signature,
why does it even stand out from the other
298
00:31:44,390 --> 00:31:51,270
ones? Well, here are two instances where
this particular signature name is used. So
299
00:31:51,270 --> 00:31:55,370
here you can see actually that what
happens with this signature is that a file
300
00:31:55,370 --> 00:32:01,409
is being scanned to detect if it's
malicious or not. Then, if it was found to
301
00:32:01,409 --> 00:32:05,820
be malicious, its detection name is
compared against the string and if that's
302
00:32:05,820 --> 00:32:12,630
the case, then SiliVaccine will simply
ignore this file laughter, which is
303
00:32:12,630 --> 00:32:20,120
suspicious laughter. Now, of course, we
wanted to test this thing so we ran 6
304
00:32:20,120 --> 00:32:25,799
files that were supposed to be detected
with this particular detection name. In
305
00:32:25,799 --> 00:32:31,299
Trend Micro they were all detected. Then
we decided to run them in SiliVaccine and
306
00:32:31,299 --> 00:32:36,470
nothing was detected laughter. And
actually, this is quite surprising because
307
00:32:36,470 --> 00:32:40,870
we did a little bit of QA on this and it
turns out that for the most part it's
308
00:32:40,870 --> 00:32:45,820
okay. But then in one instance they made a
typo and in the white list it's something
309
00:32:45,820 --> 00:32:52,510
called "Mal.Nurcrp.F" laughter which has
no equivalent in Trend Micro's engine,
310
00:32:52,510 --> 00:32:59,090
which begs the question: WTF is "nucrp"?
And according to Trend Micro's
311
00:32:59,090 --> 00:33:06,059
Encyclopedia, which is a thing apparently,
"MAL_NUCRP-5" is described as some kind of
312
00:33:06,059 --> 00:33:12,100
a signature related to some old malware
named "NUWAR", "TUBS", "ZHELAT". We
313
00:33:12,100 --> 00:33:16,980
checked all of them. They have no relation
whatsoever to North Korea. But deeper
314
00:33:16,980 --> 00:33:22,429
inspection of this signature name reveals
that actually this "mal" prefix you see
315
00:33:22,429 --> 00:33:28,309
right here means that this is a generic
detection that flags files based on some
316
00:33:28,309 --> 00:33:34,160
heuristic which, in essence, might detect
a whole spectrum of files. So
317
00:33:34,160 --> 00:33:38,020
unfortunately, based only on this
information, we cannot know what malware
318
00:33:38,020 --> 00:33:43,909
was exactly detected here or really if it
was malware at all. But we can still
319
00:33:43,909 --> 00:33:49,029
speculate on why this whitelist thing was
done. And for one, the most obvious
320
00:33:49,029 --> 00:33:53,200
speculation would be that there is some
kind of an existing North Korean tool
321
00:33:53,200 --> 00:33:57,740
installed on citizens' computers and the
authors didn't want to trigger an alert
322
00:33:57,740 --> 00:34:02,720
about it being malicious. It's also
possible that the authors wanted some
323
00:34:02,720 --> 00:34:08,929
option to develop such a tool in the
future and they inserted this signature in
324
00:34:08,929 --> 00:34:13,418
order to conceal this future component
with this particular whitelisting
325
00:34:13,418 --> 00:34:20,309
mechanism. It's also possible that since
the authors used a third party engine, the
326
00:34:20,309 --> 00:34:26,569
Trend Micro engine, that this signature
mistakenly detected one of SiliVaccine's
327
00:34:26,569 --> 00:34:31,969
original components as malware, which they
clearly wanted to avoid. And of course
328
00:34:31,969 --> 00:34:37,809
it's also possible that this whole thing
is some kind of an idiotic false positive
329
00:34:37,809 --> 00:34:45,119
management fix. But I would say this is
unlikely. All right - let's move on and
330
00:34:45,119 --> 00:34:50,708
talk about the kernel side of SiliVaccine.
And remember: SiliVaccine has three kernel
331
00:34:50,708 --> 00:34:55,749
mode drivers, but actually only two of
them are utilized, SVfilter and
332
00:34:55,749 --> 00:35:02,539
SVHook.sys. So let's focus on them. And we
started snooping around and looking at
333
00:35:02,539 --> 00:35:07,630
these drivers. And the first thing we
noticed is some fishy stuff like the fact
334
00:35:07,630 --> 00:35:13,849
that its entry point resides in the reloc
section and that it's supposedly packed
335
00:35:13,849 --> 00:35:20,330
with some kind of a packer called
"BopCrypt" which we never heard of. And we
336
00:35:20,330 --> 00:35:25,420
looked around "BopCrypt"; turned out this
is an old Russian PE packer that
337
00:35:25,420 --> 00:35:30,569
supposedly contains some common protection
features such as anti-debug measures and
338
00:35:30,569 --> 00:35:35,380
polymorphic code. Now this is not really
good news when dealing with the kernel
339
00:35:35,380 --> 00:35:40,939
driver because who wants to debug
polymorphic code into kernel. So we
340
00:35:40,939 --> 00:35:46,309
thought: wait a second, before we dive in
and do all of this stuff maybe we can
341
00:35:46,309 --> 00:35:50,390
actually find some kind of an answer by
looking at this file again from the
342
00:35:50,390 --> 00:35:56,839
outside. And turns out that our answer was
right there and our answer is 42
343
00:35:56,839 --> 00:36:03,299
laughter. Actually it's hex42. So
evidently, this whole crazy protection
344
00:36:03,299 --> 00:36:09,559
scheme here is that the text section that
contains the actual driver is XORed with a
345
00:36:09,559 --> 00:36:16,710
single byte of the value 42 hex. So with
this insane protection mechanism which we
346
00:36:16,710 --> 00:36:23,160
were able to bypass we were able to look
at the drivers themselves and the first
347
00:36:23,160 --> 00:36:27,499
one of them, SVfilter.sys - I remind you
that this is a file system filter driver -
348
00:36:27,499 --> 00:36:31,959
this is loaded and utilized by SVDealer.
This is the real time scanning component
349
00:36:31,959 --> 00:36:36,839
and it has two main functionalities. One
is to actually scan files upon access so
350
00:36:36,839 --> 00:36:42,500
it would intercept any kind of activity
with the file system and it would take the
351
00:36:42,500 --> 00:36:50,319
underlying file and would issue it to
SVDealer to conduct a scan on it and also
352
00:36:50,319 --> 00:36:55,490
it's actually used to protect the
antivirus's binaries themselves to avoid
353
00:36:55,490 --> 00:37:04,450
any kind of malfunction against them by
the user. And it really took us quite some
354
00:37:04,450 --> 00:37:09,210
time to realize that these are the only
two things that this driver does because
355
00:37:09,210 --> 00:37:14,940
the code for them is really a mess. And
I'm going to save you some time and
356
00:37:14,940 --> 00:37:20,300
explain the flow of this driver by
simplifying it a little bit. So this is
357
00:37:20,300 --> 00:37:26,779
how SVfilter.sys works in a nutshell. The
first action it does is waste time
358
00:37:26,779 --> 00:37:34,279
laughter. So it does a lot of redundant
checks that seem to have no effect on this
359
00:37:34,279 --> 00:37:39,450
code whatsoever. Then it moves on to see
if the file scanned here is actually
360
00:37:39,450 --> 00:37:44,690
binary related to the antivirus itself. Of
course if it is, it will deny access
361
00:37:44,690 --> 00:37:51,160
to it. Then it moves to the very important
action of wasting a lot more time
362
00:37:51,160 --> 00:37:58,430
laughter by doing what seems to be
pretty much garbage code. And finally at
363
00:37:58,430 --> 00:38:04,040
some point it will take the file, it will
scan it and if the file seems to be
364
00:38:04,040 --> 00:38:09,269
malicious then it will deny the access to
it. Otherwise it will allow the access. So
365
00:38:09,269 --> 00:38:14,950
this is pretty much everything to say
about SVfilter. There was another driver
366
00:38:14,950 --> 00:38:23,859
called SVHook.sys which is utilized by the
main GUI component, SVMain.exe. You look
367
00:38:23,859 --> 00:38:28,289
at this name, you think, yes, it probably
hooks stuff. No - it doesn't actually hook
368
00:38:28,289 --> 00:38:35,730
anything. It's actually used to query some
kind of process object data from the
369
00:38:35,730 --> 00:38:43,660
kernel and really it's quite a
confusing driver because it seems to have
370
00:38:43,660 --> 00:38:50,960
like 13 ioctls. Only 3 are ever used and
it's highly, highly buggy. There's a lot
371
00:38:50,960 --> 00:39:01,420
of bugs there. So for instance, we've seen
the following function where there's an
372
00:39:01,420 --> 00:39:10,270
ioctl issued to this driver and it really
seems that those two components, SVMain
373
00:39:10,270 --> 00:39:15,910
and SVHook, were really developed by two
different developers. So here we can see
374
00:39:15,910 --> 00:39:24,680
that this programmer who wrote this
particular ioctl call actually used a
375
00:39:24,680 --> 00:39:31,209
buffer of size 12. Now you would assume
that those two developers have agreed that
376
00:39:31,209 --> 00:39:36,869
this should be the buffer size, right?
Well, evidently the second developer was
377
00:39:36,869 --> 00:39:42,520
not really notified about this and in fact
checks explicitly that the buffer size is
378
00:39:42,520 --> 00:39:50,819
12 and if that's the case nothing happens
laughter. Which really is a piece of
379
00:39:50,819 --> 00:39:58,549
shit code that does nothing laughter. So
while looking into this, we tried to dig a
380
00:39:58,549 --> 00:40:03,130
little bit deeper and understand why those
bugs happen and we think we have an
381
00:40:03,130 --> 00:40:10,009
answer. So just strolling around we see a
lot of this. If you look at this you
382
00:40:10,009 --> 00:40:14,609
realize that you're looking at a lot of
debug prints used by the author and you
383
00:40:14,609 --> 00:40:22,549
see that one of the parts of the strings
referenced here is "sub_00something" which
384
00:40:22,549 --> 00:40:27,809
is an IDA-auto-generated name. Which to
me, ladies and gentlemen, seems like
385
00:40:27,809 --> 00:40:33,390
instead of looking at authentic code, we
were in fact reverse engineering a
386
00:40:33,390 --> 00:40:38,319
reverse-engineered driver. So essentially
what happened here is that the developer
387
00:40:38,319 --> 00:40:46,069
of SVHook took some driver, decompiled it,
copied the code and added a bunch of debug
388
00:40:46,069 --> 00:40:51,599
prints in order to try to understand what
he was copying and it seems he didn't only
389
00:40:51,599 --> 00:40:57,599
fail to understand it but he also forgot
to remove this trail of debug prints. That
390
00:40:57,599 --> 00:41:05,339
demonstrates his elite coding skills. So
we are nearly at the end and we talked
391
00:41:05,339 --> 00:41:10,089
quite a bit about the technical parts here
but to get the full picture I think it's a
392
00:41:10,089 --> 00:41:15,980
good idea to look at the development story
behind the software. So in essence, who is
393
00:41:15,980 --> 00:41:22,099
behind SiliVaccine? Well, to tackle this
question we resorted to some version info
394
00:41:22,099 --> 00:41:26,660
that can be found inside the antivirus's
binaries. And there we found some version
395
00:41:26,660 --> 00:41:30,710
manifest that pointed at several
companies, the first one of which is
396
00:41:30,710 --> 00:41:35,790
called PGI (Pyongyang Guangdong
Information Technology). It seems to be
397
00:41:35,790 --> 00:41:40,190
some kind of a North Korean establishment,
a known one, that specializes in network
398
00:41:40,190 --> 00:41:46,559
security software. But really the more
interesting company that we found there
399
00:41:46,559 --> 00:41:53,660
was called "STS Tech-Service" which is
really this kind of shady company that has
400
00:41:53,660 --> 00:41:58,369
no trace of its activity online. We
couldn't find any kind of artifact that
401
00:41:58,369 --> 00:42:08,190
shows what this company does or what is
its main field of occupation. So we still
402
00:42:08,190 --> 00:42:14,940
can answer some questions about STS tech
service. For instance we can say that STS
403
00:42:14,940 --> 00:42:20,910
tech service is highly likely based in the
DPRK North Korea and that is due to this
404
00:42:20,910 --> 00:42:25,549
brochure you see here on the screen which
is taken from a trade fair that took place
405
00:42:25,549 --> 00:42:32,649
in Pyongyang back in 2006. And in this
particular trade fair this company, STS
406
00:42:32,649 --> 00:42:38,099
Tech-Service, they participated. We
contacted the organizers and they actually
407
00:42:38,099 --> 00:42:42,809
confirmed that STS Tech-Service did come
from North Korean side. Still, some
408
00:42:42,809 --> 00:42:47,329
questions remain. Is that a private
company in North Korea or is that even a
409
00:42:47,329 --> 00:42:51,569
thing? Is that a government entity? Is
that the same thing in North Korea? We
410
00:42:51,569 --> 00:42:59,310
don't know. Actually, another source told
us that this company might be a
411
00:42:59,310 --> 00:43:04,089
subdivision of the KPA (where KPA stands
for Korean People's Army), but we have no
412
00:43:04,089 --> 00:43:09,589
way of corroborating this. And you
remember that Trend Micro stated that
413
00:43:09,589 --> 00:43:16,719
their engine could have been leaked from
third party. Could that third party be
414
00:43:16,719 --> 00:43:21,809
this company? Well we don't know actually,
but what we did see and which was really
415
00:43:21,809 --> 00:43:28,299
interesting is a particular connection
between North Korea and Japan that repeats
416
00:43:28,299 --> 00:43:33,400
throughout this whole research so for one
we've already seen that SVKernel is
417
00:43:33,400 --> 00:43:40,599
basically some kind of modified version of
Trend Micro's engine. But then we've also
418
00:43:40,599 --> 00:43:45,450
seen that STS Tech-Service at some point
cooperated with a company called Silver
419
00:43:45,450 --> 00:43:51,910
Star Japan on a particular application. As
a matter of fact it not only cooperated
420
00:43:51,910 --> 00:43:55,630
with them but also with another company
called Magnolia which also resides in
421
00:43:55,630 --> 00:44:00,680
Japan. Actually Silver Star and Magnolia
reside in the same address in Japan, which
422
00:44:00,680 --> 00:44:05,890
is quite interesting. And then in a
particular instance all of these three
423
00:44:05,890 --> 00:44:12,400
companies - Magnolia, Silver Star and STS
Tech-Service cooperated with the KCC, a
424
00:44:12,400 --> 00:44:17,989
very famous North Korean research
establishment, the Korean Computer Center,
425
00:44:17,989 --> 00:44:24,249
on another application. And it's important
to say that while we can be very easily
426
00:44:24,249 --> 00:44:29,010
drawn to some conclusions here and
speculate on some very wild scenarios,
427
00:44:29,010 --> 00:44:33,440
especially given the fact that North Korea
and Japan are not friends, we need to
428
00:44:33,440 --> 00:44:37,720
remember that this is just a crazy web of
connections that we unraveled here. And
429
00:44:37,720 --> 00:44:41,400
actually we cannot say much about this
other than pointing out the connections
430
00:44:41,400 --> 00:44:49,440
themselves. Still I can say that we did
find some traces of maliciousness in this
431
00:44:49,440 --> 00:44:56,809
whole package and at this point we
thought: all right, we are done with the
432
00:44:56,809 --> 00:45:04,599
research; could it be that there is no
malware or backdoor here? Well, it turns
433
00:45:04,599 --> 00:45:11,419
out that if we look back on this e-mail
sent by this supposedly Japanese engineer,
434
00:45:11,419 --> 00:45:18,340
Kang yong hak and reinspect the installer
provided in this particular email, then
435
00:45:18,340 --> 00:45:23,039
actually it has no metadata. And that's
not surprising because this installer is
436
00:45:23,039 --> 00:45:26,880
this file is in fact a self-extracting
archive which contains the real
437
00:45:26,880 --> 00:45:33,660
installer of SiliVaccine. But then it also
contains another file called "SVpatch4.0"
438
00:45:33,660 --> 00:45:39,759
which - well, OK. But when you look at the
metadata you see it's supposedly related
439
00:45:39,759 --> 00:45:47,220
to Microsoft automatic updates which is,
again, highly suspicious laughter. Now,
440
00:45:47,220 --> 00:45:52,209
we decided to look deeper in this file and
it turns out that actually this file is a
441
00:45:52,209 --> 00:45:57,349
signed binary. And if you look the issue
up on Google we come to a Kaspersky report
442
00:45:57,349 --> 00:46:03,079
about the Darkhotel APT. Very alarming.
And then we decided to dig deeper and
443
00:46:03,079 --> 00:46:07,999
analyze this file. So we did some
analysis. We realized that this is
444
00:46:07,999 --> 00:46:15,529
actually the stage one malware from a
known campaign called Jaku uncovered by
445
00:46:15,529 --> 00:46:23,500
Forcepoint in 2016. Now what is Jaku? Jaku
was an ongoing botnet campaign, it
446
00:46:23,500 --> 00:46:28,790
targeted mainly North Korea and Japan. And
while it infected a lot of victims the
447
00:46:28,790 --> 00:46:34,089
later stages of the malware - stages 2 and
3 - were only used against a select group
448
00:46:34,089 --> 00:46:39,140
of individuals with North Korea and
Pyongyang being the common theme between
449
00:46:39,140 --> 00:46:44,089
them. Now another interesting connection
that was outlined by Forcepoint is between
450
00:46:44,089 --> 00:46:49,140
Jaku and Darkhotel which is really further
evidence to this kind of an interesting
451
00:46:49,140 --> 00:46:55,919
connection on top of what we saw with the
certificate used previously. Now who could
452
00:46:55,919 --> 00:47:00,220
be the target here? It could be the case
that every SiliVaccine installation is
453
00:47:00,220 --> 00:47:04,140
bundled with this malware, but we don't
think so. We actually think that the
454
00:47:04,140 --> 00:47:09,610
target was Martin Williams who deals
vastly with North Korea. And it is
455
00:47:09,610 --> 00:47:17,219
possible that this particular malware was
used against him. So this is pretty much
456
00:47:17,219 --> 00:47:21,759
the end and I would like to, before I let
you go, summarize everything that we've
457
00:47:21,759 --> 00:47:29,749
seen in this talk. Let's look back and see
those things. So for one we have seen that
458
00:47:29,749 --> 00:47:35,719
SiliVaccine has been illegally using Trend
Micro's engine and it was not a one-time
459
00:47:35,719 --> 00:47:43,029
thing. It has been done at least two times
and probably over multiple versions and
460
00:47:43,029 --> 00:47:50,279
for several years. Then we've also seen
that the authors of SiliVaccine tried to
461
00:47:50,279 --> 00:47:56,799
conceal the fact that they used this
engine with some interesting mechanism.
462
00:47:56,799 --> 00:48:02,979
Then we've seen that there is an explicit
whitelisting of a particular signature and
463
00:48:02,979 --> 00:48:08,989
that the installation of SiliVaccine comes
bundled with the malware called Jaku. Now,
464
00:48:08,989 --> 00:48:13,870
while having these understandings we still
have some unanswered questions. For
465
00:48:13,870 --> 00:48:19,809
instance, we've seen that there are some
artifacts that point at the fact that the
466
00:48:19,809 --> 00:48:24,509
code of SiliVaccine might have been
recompiled with some other optimizations
467
00:48:24,509 --> 00:48:29,661
that were not in Trend Micro's engine in
the first place. So, having said that, how
468
00:48:29,661 --> 00:48:34,669
did the SiliVaccine authors obtain such an
access to a proprietary resource? We have
469
00:48:34,669 --> 00:48:42,949
no idea. Also this white-listed signature
- we cannot say what it represents. It's a
470
00:48:42,949 --> 00:48:48,259
heuristic signature so we cannot really
tell if it was trying to whitelist a
471
00:48:48,259 --> 00:48:54,569
malicious tool or benign software. It's
not very clear. And then also the Jaku
472
00:48:54,569 --> 00:48:59,829
malware. Since we only have one instance
of this particular software from 2013 it's
473
00:48:59,829 --> 00:49:06,039
hard to say if it's bundled with all
versions or only with this one. And while
474
00:49:06,039 --> 00:49:10,719
I can't answer all of these questions
concisely I do want to point out that
475
00:49:10,719 --> 00:49:16,299
throughout this research we've seen a lot
of effort done to develop this particular
476
00:49:16,299 --> 00:49:21,359
product and through this effort we've
stumbled upon quite many illegal and shady
477
00:49:21,359 --> 00:49:27,999
practices employed by the DPRK to develop
their own homebrew software. A software
478
00:49:27,999 --> 00:49:33,079
that, remember, maybe sometime in another
time and in a perfect world could have
479
00:49:33,079 --> 00:49:37,839
been totally legitimate. And with that in
mind I would like to thank you for your
480
00:49:37,839 --> 00:49:41,884
attention and hope you enjoy your time at
CCC.
481
00:49:41,884 --> 00:49:53,004
applause
482
00:49:53,004 --> 00:50:02,339
Herald: Thank you, Mark, that was
wonderful. We have plenty of time for
483
00:50:02,339 --> 00:50:08,029
questions and we have two microphones. One
is in the middle of the room and one is
484
00:50:08,029 --> 00:50:14,430
sort of outside of the stage. So please
queue up if you want to ask questions. And
485
00:50:14,430 --> 00:50:17,229
we already have a question on the
microphone 1.
486
00:50:17,229 --> 00:50:20,800
Audience member 1: Do you have any idea
why they chose Trend Micro over any other
487
00:50:20,800 --> 00:50:22,990
engine?
Mark: Excuse me, could you repeat the
488
00:50:22,990 --> 00:50:25,659
question and raise your hand, because I
didn't see you?
489
00:50:25,659 --> 00:50:29,009
Audience member 1: Do you have any idea
why they chose Trend Micro and not any
490
00:50:29,009 --> 00:50:35,039
other engine, like an open source engine?
Mark: Do I have any idea of Trend Micro
491
00:50:35,039 --> 00:50:38,039
tools is what? I'm sorry.
Audience member 1: Do you have any idea
492
00:50:38,039 --> 00:50:41,749
why Trend Micro was chosen by them?
Mark: Ah, why Trend Micro.
493
00:50:41,749 --> 00:50:43,989
Audience member 1: In comparison to
anything else?
494
00:50:43,989 --> 00:50:46,069
Mark: Actually I have no idea. I really
don't.
495
00:50:46,069 --> 00:50:48,579
Audience member 1: Thank you.
Mark: If you know, then tell me, please.
496
00:50:48,579 --> 00:50:51,430
laughter
Herald: microphone 2.
497
00:50:51,430 --> 00:50:57,229
Audience member 2: So have you looked at
the fact that this antipiracy is a .exe.
498
00:50:57,229 --> 00:51:02,039
So it runs on Windows but all of North
Korea runs with Red Star OS which is a
499
00:51:02,039 --> 00:51:05,709
Unix.
Mark: Well, as far as I could tell from
500
00:51:05,709 --> 00:51:10,959
people I discussed with who do know a few
things about North Korea actually Red Star
501
00:51:10,959 --> 00:51:15,769
OS is not the most common operating system
there. In fact it's barely used because,
502
00:51:15,769 --> 00:51:23,359
well, to say it shortly, it's shit but
they do use what seems to be some kind of
503
00:51:23,359 --> 00:51:29,359
Chinese versions of Windows XP and Windows
7. So this is intended to run on these
504
00:51:29,359 --> 00:51:33,519
operating systems.
Herald: Thank you. Another question from
505
00:51:33,519 --> 00:51:36,039
mic 1.
Audience member 3: How did you get the
506
00:51:36,039 --> 00:51:42,139
2005 version of the antivirus?
Mark: Come to me later and I'll tell you.
507
00:51:42,139 --> 00:51:46,669
laughter
Herald: Mic 1, please.
508
00:51:46,669 --> 00:51:51,499
Audience member 4: Yeah I just wanted to
know if you checked that the Jaku malware
509
00:51:51,499 --> 00:51:57,400
was not part of this whitelist program.
Mark: Oh yes, we checked it. Actually this
510
00:51:57,400 --> 00:52:05,349
was not the white-listed signature. It was
actually not detected by SiliVaccine, but
511
00:52:05,349 --> 00:52:09,400
it was also not detectable by Trend
Micro. It was not detected by anyone
512
00:52:09,400 --> 00:52:15,809
actually so it was not the white-listed
signature.
513
00:52:15,809 --> 00:52:20,506
Herald: Thank you. That's all. Thank you,
Mark. Thank you for the amazing talk.
514
00:52:20,506 --> 00:52:22,726
applause
515
00:52:22,726 --> 00:52:27,912
35C3 postroll music
516
00:52:27,912 --> 00:52:45,000
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!