North Korea's antivirus software whitelisted mystery malware
'SiliVaccine' uses ancient, stolen, Trend Micro AV engine and bad home-brew crypto
North Korea’s very own antivirus software has been revealed as based on a 10-year-old application made by Trend Micro, but with added nasties.
So says Check Point, which was sent a copy of the “SiliVaccine” application and after analysis declared it contained “large chunks of 10+-year-old antivirus engine code belonging to Trend Micro”.
Trend Micro has confirmed that analysis.
Intriguingly, Check Point alleges that SiliVaccine has whitelisted one virus signature that Trend Micro’s products could detect. Just why North Korea’s government wants software that won’t spot some viruses is not hard to guess: a totalitarian dictatorship can only sustain itself with pervasive surveillance, and leaving a backdoor that lets viruses in would facilitate just that.
Check Point’s analysis of SiliVaccine found some other oddities, such as the use of Themida and Unopix, “packing” tools commonly used to make reverse engineering difficult. As SiliVaccine has no known legal competitors in the hermit kingdom, the need for such precautions is not obvious. There’s also a home-brew encryption scheme based on SHA1 that protects the virus signatures, but with a simple, easy-to-find key that translates from Korean as “Pattern encryption”.
Much of the tool’s code is convoluted, there’s a feature that lists the names of malicious files for no apparent reason and a driver named to suggest one function but which instead does another. And does it badly, at that.
Check Point received the software from freelance journalist Martyn Williams, who sent what was billed as an installer but was actually a self-extracting WinRAR file. Such files are .exes, and unpack their contents without requiring an extraction program. The file containing SiliVaccine offered an installer for the application plus a patch that turned out to be an installer for the JAKU malware.
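The “installer that is really a self-extracting archive” trick described above is something a defender can check for before running anything. The script below is an added triage example, not Check Point’s tooling and not code from the article: it reads a file, confirms whether it starts with a PE (`MZ`) header, and then looks for the documented RAR archive markers (`Rar!\x1a\x07\x00` for RAR 4 and `Rar!\x1a\x07\x01\x00` for RAR 5) embedded after the executable stub, which is exactly the layout of a WinRAR SFX. The sample byte strings are constructed for the demonstration; a hit means “open this with an archiver and inspect the contents instead of executing it”, not proof of malice, since legitimate SFX installers use the same layout.

```python
"""Triage check for 'installers' that are really self-extracting RAR archives.

Added example (not part of the original article). The RAR signatures are the
standard archive markers; every sample blob below is constructed inline.
"""
import hashlib

PE_MAGIC = b"MZ"                      # DOS/PE executable header
RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 4.x archive marker
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive marker


def find_embedded_rar(data: bytes) -> dict:
    """Summarise whether a blob is a PE file carrying a RAR archive after its stub."""
    is_pe = data.startswith(PE_MAGIC)
    offset, version = -1, None
    # Take the earliest marker of either version; an SFX stub precedes the archive.
    for sig, ver in ((RAR5_SIG, "RAR5"), (RAR4_SIG, "RAR4")):
        idx = data.find(sig)
        if idx != -1 and (offset == -1 or idx < offset):
            offset, version = idx, ver
    return {
        "is_pe": is_pe,
        "rar_offset": offset,
        "rar_version": version,
        # A RAR marker at offset 0 is a plain archive, not an SFX executable.
        "is_sfx": is_pe and offset > 0,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_file(path: str) -> dict:
    """Run the check on a file from disk and attach the path for reporting."""
    with open(path, "rb") as fh:
        result = find_embedded_rar(fh.read())
    result["path"] = path
    return result


# Constructed samples (not real binaries): a fake SFX, a plain PE stub, a bare archive.
SAMPLE_SFX = PE_MAGIC + b"\x90" * 64 + RAR4_SIG + b"<constructed archive payload>"
SAMPLE_PLAIN_PE = PE_MAGIC + b"\x90" * 64
SAMPLE_BARE_RAR = RAR5_SIG + b"<constructed archive payload>"

if __name__ == "__main__":
    for name, blob in (("sfx", SAMPLE_SFX), ("plain_pe", SAMPLE_PLAIN_PE), ("bare_rar", SAMPLE_BARE_RAR)):
        r = find_embedded_rar(blob)
        verdict = "SELF-EXTRACTING ARCHIVE: extract and inspect, do not run" if r["is_sfx"] else "no embedded archive"
        print(f"{name}: pe={r['is_pe']} rar={r['rar_version']}@{r['rar_offset']} -> {verdict}")
```

The same check generalises to any file handed over as an “installer”: if it is a PE with an archive marker after the stub, unpack it with a standalone archiver and hash and scan each member separately, so a bundled “patch” such as the one that turned out to be JAKU is examined before it ever executes.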
Check Point notes that “attribution is always a difficult task in cyber security” and therefore won’t pin the application’s oddities on North Korea’s government. But its researchers did feel safe saying “What is clear, however, are the shady practices and questionable goals of SiliVaccine’s creators and backers.” ®