SiliVaccine: investigating North Korea’s anti-virus software
May 2018 by Check Point
Researchers at Check Point have been investigating ‘SiliVaccine’, North Korea’s native anti-virus software, after obtaining a very rare sample of the program that was anonymously sent to Martyn Williams, a freelance journalist with a focus on North Korean technology. Check Point established that a key component of SiliVaccine’s code is a 10-year-old copy of software components from Trend Micro, the Japanese security vendor.
For this to happen, the SiliVaccine developers must have had access to either the source code of the vendor’s engine or a library file of it, both of which are proprietary components and are not accessible to the public. Evidence from Check Point’s research found that the North Korean government has collaborated with companies located in Japan to create multiple software products, one of which is SiliVaccine. Japan and North Korea, however, are officially enemies.
The analysis also showed that the SiliVaccine anti-virus software is designed to not block one specific malware signature – showing that the North Korean regime does not want to alert its users to it. Check Point’s researchers also found that patch update files for the AV software contained the JAKU malware, which has been used to target and track more specific individual victims in both South Korea and Japan, including members of International Non-Governmental Organizations (NGOs), tech companies, academics, scientists and government employees. Check Point believes this could have been included as a way to target journalists who write about North Korean affairs.
The Check Point team notified Trend Micro that its detection engine was being used in SiliVaccine. Trend Micro responded promptly and was highly cooperative. Its response was: “Trend Micro is aware of the research by Check Point on the ‘SiliVaccine’ North Korean anti-virus product, and Check Point has provided us with a copy of the software for verification. While we are unable to confirm the source or authenticity of that copy, it apparently incorporates a module based on a 10+ year-old version of the widely distributed Trend Micro scan engine used by a variety of our products. Trend Micro has never done business in or with North Korea.
“We are confident that any such usage of the module is entirely unlicensed and illegal, and we have seen no evidence that source code was involved. The scan engine version at issue is quite old and has been widely incorporated in commercial products from Trend Micro and third party security products through various OEM deals over the years, so the specific means by which it may have been obtained by the creators of SiliVaccine is unknown. Trend Micro takes a strong stance against software piracy, however legal recourse in this case would not be productive. We do not believe that the infringing use at issue poses any material risk to our customers.”
Trend Micro’s indication that a misappropriated, widely licensed library may be behind SiliVaccine’s use of a 10+ year-old version of its scan engine is backed up by an additional analysis our team made of an older version of SiliVaccine. This suggests that the reuse is not a one-time occurrence.
This exploration into SiliVaccine raises suspicions about the authenticity and motives of North Korea’s IT security products and operations, and points to yet another example of state-sponsored technologies being used in the current cyber-security landscape.