1 00:00:00,000 --> 00:00:18,684 *35C3 preroll music* 2 00:00:18,684 --> 00:00:26,150 Herald: So our next speaker is Mark Lechtik and he is going to talk about 3 00:00:26,150 --> 00:00:33,280 SiliVaccine, North Korea's weapon of mass detection. Mark is the malware research 4 00:00:33,280 --> 00:00:38,470 team leader at checkpoint and he deals with reverse engineering and malware 5 00:00:38,470 --> 00:00:46,010 analysis both as occupation and as a hobby. So a huge round of applause to Mark 6 00:00:46,010 --> 00:00:54,780 *applause* and we are starting the talk. 7 00:00:54,780 --> 00:00:58,873 Mark Lechtik: Let's begin with a short video 8 00:00:58,873 --> 00:01:00,094 *Video* 9 00:02:07,560 --> 00:02:12,880 *Laughter* Ladies and gentleman, for those of you who 10 00:02:12,880 --> 00:02:19,700 don't know this lady in pink, her name is 리춘히, a good friend of mine, North Korea's 11 00:02:19,700 --> 00:02:27,040 main news presenter. And she just turned 75 years old this July. Let's give her a 12 00:02:27,040 --> 00:02:36,330 warm round of applause for her passionate introduction to SiliVaccine. Of course I'm 13 00:02:36,330 --> 00:02:41,080 lying, she's not my friend, nor did she even speak about SiliVaccine in this 14 00:02:41,080 --> 00:02:48,140 video. But still, kudos to her for grabbing your attention. And again, hello, 15 00:02:48,140 --> 00:02:53,370 thank you for joining me for this talk titled "SiliVaccine - North Korea's weapon 16 00:02:53,370 --> 00:03:01,590 of mass detection". Before I actually tell you about the research story here, I would 17 00:03:01,590 --> 00:03:08,590 like to introduce you to the two notorious dissidents who are behind this infamous 18 00:03:08,590 --> 00:03:13,900 research. You see them right here on the screen. One of them actually happens to be 19 00:03:13,900 --> 00:03:20,430 me. My name is Mark Lechtik. As previously mentioned, I'm the Maleware-research team 20 00:03:20,430 --> 00:03:27,880 leader at checkpoint and my partner in crime for this research is named Michael 21 00:03:27,880 --> 00:03:33,540 Kajiloti. Unfortunately, he couldn't be here today because he's in a vacation in 22 00:03:33,540 --> 00:03:39,540 Hawaii probably drinking some smoothie from a coconut. So I thought this would be 23 00:03:39,540 --> 00:03:47,330 a better picture. To Michael, have a lot of fun in your travel. Come home safely 24 00:03:47,330 --> 00:03:56,040 and beware of Koreans who stare at you suspiciously. Now, we both work at 25 00:03:56,040 --> 00:04:01,120 checkpoint as mentioned and without further ado let me give you a little bit 26 00:04:01,120 --> 00:04:09,920 of a background for this research. So this whole research actually began at one point 27 00:04:09,920 --> 00:04:15,470 this year around March when I was looking for something to read in Twitter and then 28 00:04:15,470 --> 00:04:21,079 I stumbled upon this article you see right here titled "Inside North Korea's Hacker 29 00:04:21,079 --> 00:04:27,260 Army" by Bloomberg and it's actually a pretty interesting piece, I recommend you 30 00:04:27,260 --> 00:04:37,210 to read it. It discusses particular a North Korean defector who was drafted to 31 00:04:37,210 --> 00:04:42,900 work for a government agency in North Korea and ended up raising money for the 32 00:04:42,900 --> 00:04:51,780 regime through hacking. And an interesting thing I noted throughout this publication 33 00:04:51,780 --> 00:04:58,570 is that the author tried to portray some kind of a narrative of North Korean state 34 00:04:58,570 --> 00:05:05,590 sponsored cyber operations and in particular in one paragraph he gives a 35 00:05:05,590 --> 00:05:10,750 representation of what seems to be the North Korean government's official comment 36 00:05:10,750 --> 00:05:16,540 to various hacking allegations made against North Korea by the West. And 37 00:05:16,540 --> 00:05:21,840 here's a quote: "So formally, North Korea denies engaging in hacking and describes 38 00:05:21,840 --> 00:05:27,710 accusations to that effect as 'enemy propaganda'. It says its overseas computer 39 00:05:27,710 --> 00:05:33,090 efforts are directed at promoting its antivirus software in the global market. 40 00:05:33,090 --> 00:05:36,870 The country has for more than a decade been working on such programs including 41 00:05:36,870 --> 00:05:43,270 one called SiliVaccine. Now looking at this, you're probably asking yourselves: 42 00:05:43,270 --> 00:05:48,760 What the hell is SiliVaccine? Well, as you may understand by now, SiliVaccine is an 43 00:05:48,760 --> 00:05:54,210 antivirus that is developed and used exclusively in North Korea. So this is 44 00:05:54,210 --> 00:06:01,160 basically a North Korean antivirus. Or how I like to call it: The Kim Jong Un-tivirus. 45 00:06:01,160 --> 00:06:08,190 *laughter* Now obviously this is a very rare product. You can't find it on 46 00:06:08,190 --> 00:06:12,770 the Internet, you cannot download it anywhere. It basically resides only inside 47 00:06:12,770 --> 00:06:18,850 the DPRK. As far as we could tell in this research it's actively developed since 48 00:06:18,850 --> 00:06:25,320 2003 and the version that I'm going to focus on here today is version 4.0, which 49 00:06:25,320 --> 00:06:33,920 was released in 2013. Just as a caveat: We are also in possession of another version 50 00:06:33,920 --> 00:06:39,870 from 2005, which was one of the early versions of SiliVaccine and I will mention 51 00:06:39,870 --> 00:06:44,900 it a little bit later throughout this talk. Now if you know anything about North 52 00:06:44,900 --> 00:06:51,340 Korea, then one thing you should note is that there is actually no internet inside 53 00:06:51,340 --> 00:06:57,590 North Korea, right. Instead, what they have is what's called an Intranet, which 54 00:06:57,590 --> 00:07:06,729 is this highly restricted but glorified local area network; and, having that in 55 00:07:06,729 --> 00:07:12,110 mind, you must be thinking "Why the hell would North Korea use an antivirus in the 56 00:07:12,110 --> 00:07:17,340 first place?". Well, there are a few interesting explanations for that: One, 57 00:07:17,340 --> 00:07:23,050 the more exotic one, is to actually protect against threats that might reside 58 00:07:23,050 --> 00:07:28,201 within media that is smuggled to the country. And for this matter as an 59 00:07:28,201 --> 00:07:32,979 example, it turns out that there is actually a phenomenon of USB sticks with 60 00:07:32,979 --> 00:07:40,229 Western media that somehow magically find their way inside North Korea. And then 61 00:07:40,229 --> 00:07:46,409 they get sold in the country's black market to citizens. And I know it sounds 62 00:07:46,409 --> 00:07:50,860 totally fucked up, but remember, it's North Korea and to convince you a little 63 00:07:50,860 --> 00:07:56,460 bit better, you're invited to go to this website called "flash drives for freedom", 64 00:07:56,460 --> 00:08:03,699 which is actually a crowd-source funding project for USB sticks that get written 65 00:08:03,699 --> 00:08:14,620 with content from the West and smuggled into North Korea. So just a fun fact, if 66 00:08:14,620 --> 00:08:20,930 you have any kind of problems with your local IRS, don't worry. The smuggled USB 67 00:08:20,930 --> 00:08:28,800 stick is 100 percent tax refundable. As for the content inside of it, well, it 68 00:08:28,800 --> 00:08:35,650 contains just all kinds of information, entertainment content from the West like 69 00:08:35,650 --> 00:08:42,830 Wikipedia articles and South Korean soap operas, which somehow managed to threaten 70 00:08:42,830 --> 00:08:48,500 the North Korean regime. But anyways, there's also another explanation for the 71 00:08:48,500 --> 00:08:53,890 existence of this antivirus, and this is the fact that is actually stated by North 72 00:08:53,890 --> 00:08:59,650 Korea itself, is to raise money for the regime by selling this product in the 73 00:08:59,650 --> 00:09:05,920 worldwide market. As a matter of fact to corroborate this, we can refer to the 2005 74 00:09:05,920 --> 00:09:10,060 version of SiliVaccine that I mentioned previously, which you can see here on the 75 00:09:10,060 --> 00:09:15,700 screen, was written both in Korean and English, which might hint at the fact that 76 00:09:15,700 --> 00:09:20,700 whoever wrote this version tried to make it more appealing for English-speaking 77 00:09:20,700 --> 00:09:27,540 users as well as Korean ones. Now you also must be asking yourselves: "How the hell 78 00:09:27,540 --> 00:09:32,840 did we get our hands on the software in the first place?" Well, the answer to this 79 00:09:32,840 --> 00:09:37,590 lies in the Bloomberg article I mentioned earlier. It linked to a blogpost by this 80 00:09:37,590 --> 00:09:44,720 guy named Martin Williams. Martin Williams is a journalist who covers various kinds 81 00:09:44,720 --> 00:09:51,970 of news items related to North Korea. And he actually got this particular software 82 00:09:51,970 --> 00:09:57,080 through, I would say, a slightly suspicious email from a guy calling 83 00:09:57,080 --> 00:10:02,910 himself Kang Yong Hak, a security engineer from Japan, who wanted to give it to him 84 00:10:02,910 --> 00:10:08,050 as a journalistic lead. And remember this email, we will talk about it a little bit 85 00:10:08,050 --> 00:10:14,940 later. Now of course Martin was kind enough to share the software with us and 86 00:10:14,940 --> 00:10:20,420 it's the place to thank him for making this whole research possible. Now what did 87 00:10:20,420 --> 00:10:25,390 we want to find out in this research? So first of all, we wanted to understand the 88 00:10:25,390 --> 00:10:31,100 technical structure of the software. How is it built? Through which we hope to get 89 00:10:31,100 --> 00:10:36,779 somewhat of an anthropological view on some of the practices employed by the 90 00:10:36,779 --> 00:10:44,300 North Korean engineers meaning how engineers with restricted resources tackle 91 00:10:44,300 --> 00:10:50,840 a big project like building an antivirus from scratch. Also we wanted to see if we 92 00:10:50,840 --> 00:10:57,110 can find any kind of abnormal behavior inside this antivirus. Some things that 93 00:10:57,110 --> 00:11:02,720 could have been left in place and expose some hidden agenda of the developers and 94 00:11:02,720 --> 00:11:07,630 in particular we try to locate any potential backdoor that could have been 95 00:11:07,630 --> 00:11:13,200 deliberately put in place as a means of surveillance against the citizens. So with 96 00:11:13,200 --> 00:11:22,790 that in mind let's take a short overview of the antivirus architecture and for this 97 00:11:22,790 --> 00:11:27,000 matter let's start with the software libraries that comprise it, the first of 98 00:11:27,000 --> 00:11:33,680 which is called SV shell. This is just a basic shell extension that introduces this 99 00:11:33,680 --> 00:11:41,020 entry in the context menu which you can see if you click the right mouse button. 100 00:11:41,020 --> 00:11:48,480 And this is basically meant to just do a manual scan on a file using SiliVaccine. 101 00:11:48,480 --> 00:11:52,590 And you know what - let's just test this feature and see if it works. So here we 102 00:11:52,590 --> 00:12:01,480 have malware, we right-click, we press on this feature and nothing happens which is 103 00:12:01,480 --> 00:12:06,589 really just some kind of a bug that we see right from the very beginning of testing 104 00:12:06,589 --> 00:12:12,990 this antivirus spoiler. There are more, but never mind. Let's move on. The next 105 00:12:12,990 --> 00:12:19,230 component we see here is one called SVKernel.dll. Now this is in fact the file 106 00:12:19,230 --> 00:12:24,240 scanning the engine of this antivirus. And this is really the core component that 107 00:12:24,240 --> 00:12:31,269 contains the logic that implements virus scanner files. This .dll exposes roughly 108 00:12:31,269 --> 00:12:37,410 20 export functions with the names SVfunc001 through SVfunc020 - very 109 00:12:37,410 --> 00:12:42,630 ambiguous naming convention - and they are of course used in conjunction with 110 00:12:42,630 --> 00:12:48,370 patterns or signatures which is the content that allows the software to decide 111 00:12:48,370 --> 00:12:54,910 if a given file is malicious or not. Then we have another group of components which 112 00:12:54,910 --> 00:13:01,170 is pretty self-explanatory. These are the GUI components the first of which is this 113 00:13:01,170 --> 00:13:07,920 tray menu you can see on the right corner of the screen. And this little menu allows 114 00:13:07,920 --> 00:13:15,360 you to execute any other GUI menus in this antivirus. For instance you can see the 115 00:13:15,360 --> 00:13:23,260 following menu where you can do a full scan on the file system. You can play 116 00:13:23,260 --> 00:13:29,670 around with some of the configurations of this antivirus. It's also possible to do 117 00:13:29,670 --> 00:13:35,260 some whitelisting and blacklisting actions. And basically this is a GUI one- 118 00:13:35,260 --> 00:13:43,550 stop shop for all of this antivirus' features and other... oh, before talking 119 00:13:43,550 --> 00:13:48,250 about the other components, SVmain actually communicates with a driver called 120 00:13:48,250 --> 00:13:54,980 SVHook.sys. This is a driver that is meant to convey some information as the main 121 00:13:54,980 --> 00:14:01,390 from the Kernel space. We will discuss this driver a little bit later. Then we 122 00:14:01,390 --> 00:14:07,790 have the update mechanism of the antivirus which will basically download any kind of 123 00:14:07,790 --> 00:14:13,029 update binaries and components or update signatures and we'll verify them with an 124 00:14:13,029 --> 00:14:20,070 external component called SVDiffUpd.exe. And of course, as I mentioned, everything 125 00:14:20,070 --> 00:14:27,430 here resides inside North Korea's Intranet. So this update client will 126 00:14:27,430 --> 00:14:33,060 communicate with a server inside North Korea and it will do so using a custom 127 00:14:33,060 --> 00:14:38,720 update protocol which works on top of the HTTP protocol. And here you can see some 128 00:14:38,720 --> 00:14:43,670 of the messages exchanged between this update client and server. And one thing I 129 00:14:43,670 --> 00:14:49,050 would like you to notice is the vast amount of information conveyed through 130 00:14:49,050 --> 00:14:54,149 this update protocol. You can see fields like a serial number, some kind of an 131 00:14:54,149 --> 00:15:00,700 interface ID and IP which is for the most part kind of suspicious. I mean, why the 132 00:15:00,700 --> 00:15:06,720 hell do they need all of this information just for an update mechanism? But since we 133 00:15:06,720 --> 00:15:12,709 don't have any access to the server or any kind of way to understand how the user 134 00:15:12,709 --> 00:15:18,050 communicates with it we can't really tell why this information is collected so we'll 135 00:15:18,050 --> 00:15:24,610 just leave this fact as is. Another interesting thing is that the whole HTTP 136 00:15:24,610 --> 00:15:31,779 protocol was manually implemented by the developers and along the way they did some 137 00:15:31,779 --> 00:15:37,040 interesting mistakes for instance the content length field of the HTTP header is 138 00:15:37,040 --> 00:15:43,220 written with an underscore here which is kind of a mistake. It's not the way it is 139 00:15:43,220 --> 00:15:50,399 intended to be used. Also the authors wanted to convey the update client's 140 00:15:50,399 --> 00:15:56,610 identity to the server and they did so with the user agent which is a pretty 141 00:15:56,610 --> 00:16:02,360 typical way of doing this but instead of only using the user agent they added 142 00:16:02,360 --> 00:16:08,400 another field called "User-Dealer". I have no idea what kind of dealer they had in 143 00:16:08,400 --> 00:16:14,990 mind *laughter* but obviously this has nothing to do with the HTTP protocol. And 144 00:16:14,990 --> 00:16:20,089 speaking of dealers there is yet another component here called SVDealer.exe which 145 00:16:20,089 --> 00:16:25,330 is actually the real-time scanning component of this antivirus which you can 146 00:16:25,330 --> 00:16:31,160 enable through the tray menu as well. And this particular component will use another 147 00:16:31,160 --> 00:16:38,170 driver called SVFilter.sys which is a file system filter driver meant to intercept 148 00:16:38,170 --> 00:16:47,910 all kinds of access to the file system and issue the underlying file to a scan prior 149 00:16:47,910 --> 00:16:52,800 to actually doing any kind of action on it. And, again, we'll discuss this 150 00:16:52,800 --> 00:16:57,890 particular driver later on. At this point I should mention that the two components 151 00:16:57,890 --> 00:17:02,959 here that actually do any kind of scanning tests are SVDealer and SVMain that you see 152 00:17:02,959 --> 00:17:07,839 here on the screen. Obviously they would have to use the file scanning engine for 153 00:17:07,839 --> 00:17:12,270 this purpose and also a bunch of signatures which are represented through a 154 00:17:12,270 --> 00:17:20,429 series of files called the pattern files. Another thing here that we have as a 155 00:17:20,429 --> 00:17:27,609 driver that I'm not going to talk about at all. This is a driver called ststdi2.sys. 156 00:17:27,609 --> 00:17:32,010 This is basically a TDI network filter driver. If you don't have any idea what I 157 00:17:32,010 --> 00:17:35,890 just said, this is perfectly fine because this driver does absolutely nothing 158 00:17:35,890 --> 00:17:40,919 *laughter*. It just resides inside this antivirus and collects all kinds of 159 00:17:40,919 --> 00:17:45,510 information about TCP connections and it should be queried theoretically by other 160 00:17:45,510 --> 00:17:50,420 components. But no one ever queries it so it seems like it's just some kind of a 161 00:17:50,420 --> 00:17:56,350 residue from previous versions of SiliVaccine. So we'll just leave it be, I 162 00:17:56,350 --> 00:18:01,430 guess. And another interesting point here is that a lot of these components you see 163 00:18:01,430 --> 00:18:08,580 here were protected with a legitimate protector, a commercial protector called 164 00:18:08,580 --> 00:18:13,140 Themeda which - if you heard of it, you probably know - it's a pain in the ass to 165 00:18:13,140 --> 00:18:19,380 reverse engineer. Luckily for us, whoever used this protector did not enable a lot 166 00:18:19,380 --> 00:18:26,870 of its features and we could unpack it with moderate efforts. This is the full 167 00:18:26,870 --> 00:18:31,380 architecture of this antivirus. I'm not going to go any further in it. You can 168 00:18:31,380 --> 00:18:38,020 read about it in our publication, full publication about this software. Actually 169 00:18:38,020 --> 00:18:43,530 I want to focus in all of this complicated scheme on one particular component which I 170 00:18:43,530 --> 00:18:48,520 already discussed. This is SVKernel.dll. I remind you: this is the file scanning 171 00:18:48,520 --> 00:18:54,919 engine of the antivirus. This is really the heart and soul of this whole software 172 00:18:54,919 --> 00:18:59,000 and this is why we're going to talk about it next. And I would like to begin this 173 00:18:59,000 --> 00:19:05,560 discussion about this component with what every good reverse engineer looks at. And 174 00:19:05,560 --> 00:19:10,500 these are strings, of course. And the first thing we did was to open this file 175 00:19:10,500 --> 00:19:17,090 and look at its strings and, like every professional reverse engineer, we looked 176 00:19:17,090 --> 00:19:22,620 them up on Google *laughter* and here is, ladies and gentlemen, where it actually 177 00:19:22,620 --> 00:19:29,280 gets interesting because it turns out that if we look it up Google we come to another 178 00:19:29,280 --> 00:19:39,870 file called vsapi32.dll. Now what is vsapi32.dll? As it turns out, this is yet 179 00:19:39,870 --> 00:19:45,090 another file scanning engine. Actually it's a file scanning engine belonging to a 180 00:19:45,090 --> 00:19:52,940 big corporate in the security field and that is Trend Micro *laughter* which we 181 00:19:52,940 --> 00:19:59,240 thought was kind of surprising. And looking at this, we thought: does it mean 182 00:19:59,240 --> 00:20:06,220 that this .dll is in some way incorporated inside SiliVaccine? Did they use any kind 183 00:20:06,220 --> 00:20:12,250 of interesting way of incorporating its functionality inside their engine? Well, 184 00:20:12,250 --> 00:20:19,340 let's find out *laughter*. So here on the screen you can see what's called the 185 00:20:19,340 --> 00:20:26,710 binary diff. This is a binary comparison between those two engines. On the left 186 00:20:26,710 --> 00:20:29,640 side you can see the Trend Micro engine and on the right side you can see the 187 00:20:29,640 --> 00:20:35,160 SiliVaccine engine and actually you can notice a few things here. For one, there's 188 00:20:35,160 --> 00:20:42,220 a 100 percent match between more than a thousand functions of those two engines. A 189 00:20:42,220 --> 00:20:48,550 thousand functions is like a quarter of SiliVaccine's engine code. And then you 190 00:20:48,550 --> 00:20:53,950 can see also that there's a 100 percent match on some of the export functions. In 191 00:20:53,950 --> 00:20:59,290 fact, if you look at all of the first 18 export functions in SiliVaccine, you 192 00:20:59,290 --> 00:21:05,830 realize they somehow map to functions of Trend Micro. And as an example, just take 193 00:21:05,830 --> 00:21:11,250 three of these functions and look at their call for graphs in IDA and we can see that 194 00:21:11,250 --> 00:21:16,400 they're pretty similar for the most part, but I would say it's more interesting to 195 00:21:16,400 --> 00:21:21,810 note the small nuances or the small differences between those particular 196 00:21:21,810 --> 00:21:26,070 functions. And as an example let's take this pair of functions, VSinit and 197 00:21:26,070 --> 00:21:31,640 SVfunc005. Well, one interesting thing we noticed at the very beginning is that 198 00:21:31,640 --> 00:21:37,550 while Trend Micro's engine uses mostly Lipsey functions like "memset", for 199 00:21:37,550 --> 00:21:44,819 instance, the equivalent in SiliVaccine would at some points in-line those 200 00:21:44,819 --> 00:21:50,010 functions, it would use function inlining to convey the same function and that 201 00:21:50,010 --> 00:21:55,580 essentially hints at the fact that the developer of SiliVaccine could have 202 00:21:55,580 --> 00:22:01,169 recompiled this particular Trend Micro code with some kind of a compiler 203 00:22:01,169 --> 00:22:06,169 optimization that was not applied on the original engine. You can see another 204 00:22:06,169 --> 00:22:10,540 example for this right here, with the "memcpy" and "qmemcpy", its in-line 205 00:22:10,540 --> 00:22:17,840 equivalent. And let's look at another pair for this matter. So we have VSgetVSCinfo 206 00:22:17,840 --> 00:22:24,299 and SVfunc004. Once again, function inlining. But another artifact that was 207 00:22:24,299 --> 00:22:32,100 left here are these numbers you see right here. So it turns out that this particular 208 00:22:32,100 --> 00:22:37,090 field that is populated in this structure you see here is actually the engine 209 00:22:37,090 --> 00:22:44,680 version of this antivirus and it turns out that the engine version used inside 210 00:22:44,680 --> 00:22:53,260 SiliVaccine is a 8.910 which is an engine released by Trend Micro back in 2008. Now 211 00:22:53,260 --> 00:23:00,799 recall that this software is from 2013. So basically whoever wrote this was using a 212 00:23:00,799 --> 00:23:07,590 five year old engine inside his code. And finally, let's look at another pair: 213 00:23:07,590 --> 00:23:14,910 VSquit and SVfunc006. Once again, you can see a call to a proprietary SiliVaccine 214 00:23:14,910 --> 00:23:19,549 function inside what used to be a Trend Micro function. This is just some kind of 215 00:23:19,549 --> 00:23:24,619 a clean up function for a driver called "svio" which has nothing to do with Trend 216 00:23:24,619 --> 00:23:34,420 Micro. And this again strengthens this kind of speculation that, when compiling a 217 00:23:34,420 --> 00:23:39,800 SiliVaccine, there was some kind of use of a proprietary resource that belongs to 218 00:23:39,800 --> 00:23:47,770 Trend Micro. Well, I would like to mention at this point that this was not the only 219 00:23:47,770 --> 00:23:53,630 instance of a Trend Micro engine we found in SiliVaccine. In the 2005 version which 220 00:23:53,630 --> 00:24:01,630 I mentioned earlier we actually found a trace of another component by Trend Micro 221 00:24:01,630 --> 00:24:07,610 which is called tmfilter.sys. This is actually a kernel mode equivalent of this 222 00:24:07,610 --> 00:24:14,940 engine called vsapi32. And this really shows that this whole sort of copyright 223 00:24:14,940 --> 00:24:20,240 infringement was not a one-time thing. It has been possibly going on for quite a few 224 00:24:20,240 --> 00:24:26,410 years. Now, we reached out to Trend Micro to get the response and basically, just to 225 00:24:26,410 --> 00:24:35,750 sum this up, Trend Micro says that, yes, SiliVaccine used a 10+ year old version of 226 00:24:35,750 --> 00:24:41,000 their engine in their code. They said,like, "WTF? We did not do any 227 00:24:41,000 --> 00:24:47,070 business with North Korea" *laughter*. Also they're saying, "We have no idea how 228 00:24:47,070 --> 00:24:53,570 they got our engine." But they do hint at the fact that they worked with some 229 00:24:53,570 --> 00:25:00,150 vendors as OEM back at that time and maybe it's possible that one of these OEMs 230 00:25:00,150 --> 00:25:07,590 leaked their code or what not. So who knows. So other than, you know, looking at 231 00:25:07,590 --> 00:25:12,990 this; other than saying that this is a very kind of secretive antivirus that's 232 00:25:12,990 --> 00:25:18,830 developed inside North Korea, we couldn't help but notice that there are quite a lot 233 00:25:18,830 --> 00:25:23,530 of mechanisms used by the authors to conceal the fact that they're using a 234 00:25:23,530 --> 00:25:28,620 third party product. And again, I remind you: we just realized that SiliVaccine is 235 00:25:28,620 --> 00:25:32,860 essentially using a Trend Micro engine and we thought - if they're using the same 236 00:25:32,860 --> 00:25:36,169 engine this doesn't mean that they're actually using the same signatures as 237 00:25:36,169 --> 00:25:42,600 well. So if we compare this on the surface then it seems that no because SiliVaccine 238 00:25:42,600 --> 00:25:49,400 has multiple patterned files while Trend Micro has one single large file. And also 239 00:25:49,400 --> 00:25:56,870 there seems to be no kind of similarity between them on the binary level, but if 240 00:25:56,870 --> 00:26:02,120 we look a little bit deeper then we can find the place in the code where those 241 00:26:02,120 --> 00:26:07,880 particular pattern files are being loaded. This happens in SVKernel.dll in a 242 00:26:07,880 --> 00:26:13,970 particular function called SVfunc19. And what happens there is that the name of the 243 00:26:13,970 --> 00:26:21,419 particular pattern file of one of the parent files is being calculated or 244 00:26:21,419 --> 00:26:26,520 generated, then a handle to this file is obtained, the contents of the file are 245 00:26:26,520 --> 00:26:32,059 being read, then this particular file is being decrypted, the decrypted chunk is 246 00:26:32,059 --> 00:26:36,830 appended to some buffer in memory, the ID of this chunk is incremented and this 247 00:26:36,830 --> 00:26:42,150 whole process repeats. So essentially what this function does is to load the part of 248 00:26:42,150 --> 00:26:47,460 files one by one, decrypt them and append them all together. Now before I talk a 249 00:26:47,460 --> 00:26:51,480 little more about the encryption here, let's talk a little bit about the 250 00:26:51,480 --> 00:26:56,770 encryption key because there's something interesting here. So this is the 251 00:26:56,770 --> 00:27:04,440 encryption key used there. A seemingly random English string. We thought: "does 252 00:27:04,440 --> 00:27:10,049 it mean anything in Korean?". It doesn't mean anything in any language, actually, 253 00:27:10,049 --> 00:27:14,990 but an interesting thing happens when we take this particular string to a Korean- 254 00:27:14,990 --> 00:27:22,899 English keyboard and we try to type it while accidentally forgetting to switch to 255 00:27:22,899 --> 00:27:29,029 English. So we get this Korean string. And if we translate this Korean string to 256 00:27:29,029 --> 00:27:35,970 English, turns out that it literally means "pattern encryption" *laughter* and 257 00:27:35,970 --> 00:27:53,530 applause*. Thank you. *laughter* OK, so we decided to look a bit deeper now regarding 258 00:27:53,530 --> 00:27:58,370 the encryption itself. We saw a lot of encryption mechanics inside. Some have 259 00:27:58,370 --> 00:28:04,270 some cryptographic artifacts that resemble the Shahwan algorithm, for instance, and 260 00:28:04,270 --> 00:28:08,980 all kinds of other stuff. We basically didn't really bother understanding this 261 00:28:08,980 --> 00:28:12,900 whole mechanism very deeply because we were interested in the decrypted pattern 262 00:28:12,900 --> 00:28:19,080 files which we could simply dump from memory and that's what we did. And after 263 00:28:19,080 --> 00:28:26,060 dumping this from memory and comparing the two signature files one to another we can 264 00:28:26,060 --> 00:28:30,841 actually see a similarity in the header and if we scroll a little bit down we can 265 00:28:30,841 --> 00:28:35,130 also see that there is quite much of a similarity in strings. Actually there is 266 00:28:35,130 --> 00:28:41,049 more than 90 percent match on the strings in those two files. And the difference is 267 00:28:41,049 --> 00:28:48,069 probably due to the version of those pattern files. Now that's not the end. We 268 00:28:48,069 --> 00:28:54,550 decided to test this thing. So we scanned a bunch of files with SiliVaccine. They 269 00:28:54,550 --> 00:28:59,479 were all detected. We scanned them also with Trend Micro. They were also detected. 270 00:28:59,479 --> 00:29:04,250 But there is something interesting here. Although they're using the same signatures 271 00:29:04,250 --> 00:29:09,180 and same strings the detection names are totally different. And that is, ladies and 272 00:29:09,180 --> 00:29:15,120 gentlemen, suspicious. So it turns out there's a reason for this and the reason 273 00:29:15,120 --> 00:29:20,610 is that SiliVaccine actually renames the signature names before displaying them to 274 00:29:20,610 --> 00:29:26,780 the user. And here is how this works. So basically SiliVaccine will take a Trend 275 00:29:26,780 --> 00:29:34,830 Micro signature name, for this purpose "TROJ_STEAL-1". It would then replace it, 276 00:29:34,830 --> 00:29:42,730 strip it of the underscores and dashes and then replace the prefix with some kind of 277 00:29:42,730 --> 00:29:47,980 word based on a string based on a predefined dictionary. It will also 278 00:29:47,980 --> 00:29:55,050 replace the suffix from a number to a letter. It will modify the casing, append 279 00:29:55,050 --> 00:29:59,970 everything together with dots and this is how you get a SiliVaccine signature 280 00:29:59,970 --> 00:30:06,580 *laughter*. So looking at all of this it's interesting to note that the authors are 281 00:30:06,580 --> 00:30:11,610 probably trying to hide something. So just to summarize all of these hiding 282 00:30:11,610 --> 00:30:17,559 mechanisms, let's just briefly take a look at what we've already seen. So basically 283 00:30:17,559 --> 00:30:22,620 all of the files or most of the files in this software are protected with Themida, 284 00:30:22,620 --> 00:30:28,450 a commercial protector, which means that the binary files do not have any kind of 285 00:30:28,450 --> 00:30:34,300 string artifacts that allow a researcher to understand what he's looking at. Also 286 00:30:34,300 --> 00:30:39,340 the pattern files are encrypted so we don't have any string artifacts there. You 287 00:30:39,340 --> 00:30:45,590 can't understand from those signature files what you're looking at. And finally, 288 00:30:45,590 --> 00:30:49,800 the malware signatures are renamed in real time, so it means that even in real time 289 00:30:49,800 --> 00:30:55,970 you cannot tell what was the original signature or where it came from. So 290 00:30:55,970 --> 00:31:00,220 essentially the user and a researcher won't have any way of knowing that this 291 00:31:00,220 --> 00:31:05,721 product is using the engine of Trend Micro, which is puzzling. So, moving on - 292 00:31:05,721 --> 00:31:11,890 let's talk about more of the fishy things that go inside of this product. Namely, 293 00:31:11,890 --> 00:31:18,219 while analyzing it, we've seen a lot of the following instances of this string, 294 00:31:18,219 --> 00:31:27,260 "Mal.Nucrp.F", and we realized that, based on its format, it's probably some kind of 295 00:31:27,260 --> 00:31:33,279 a signature name. So we decided to understand what it was. We ran our 296 00:31:33,279 --> 00:31:41,039 algorithm in reverse and we get the following detection name - "Mal_NUCRP-5". 297 00:31:41,039 --> 00:31:44,390 But what's the deal with the signature, why does it even stand out from the other 298 00:31:44,390 --> 00:31:51,270 ones? Well, here are two instances where this particular signature name is used. So 299 00:31:51,270 --> 00:31:55,370 here you can see actually that what happens with this signature is that a file 300 00:31:55,370 --> 00:32:01,409 is being scanned to detect if it's malicious or not. Then, if it was found to 301 00:32:01,409 --> 00:32:05,820 be malicious, its detection name is compared against the string and if that's 302 00:32:05,820 --> 00:32:12,630 the case, then SiliVaccine will simply ignore this file *laughter*, which is 303 00:32:12,630 --> 00:32:20,120 suspicious *laughter*. Now, of course, we wanted to test this thing so we ran 6 304 00:32:20,120 --> 00:32:25,799 files that were supposed to be detected with this particular detection name. In 305 00:32:25,799 --> 00:32:31,299 Trend Micro they were all detected. Then we decided to run them in SiliVaccine and 306 00:32:31,299 --> 00:32:36,470 nothing was detected *laughter*. And actually, this is quite surprising because 307 00:32:36,470 --> 00:32:40,870 we did a little bit of QA on this and it turns out that for the most part it's 308 00:32:40,870 --> 00:32:45,820 okay. But then in one instance they made a typo and in the white list it's something 309 00:32:45,820 --> 00:32:52,510 called "Mal.Nurcrp.F" *laughter* which has no equivalent in Trend Micro's engine, 310 00:32:52,510 --> 00:32:59,090 which begs the question: WTF is "nucrp"?. And according to Trend Micro's 311 00:32:59,090 --> 00:33:06,059 Encyclopedia, which is a thing apparently, "MAL_NUCRP-5" is described as some kind of 312 00:33:06,059 --> 00:33:12,100 a signature related to some old malware named "NUWAR", "TUBS", "ZHELAT". We 313 00:33:12,100 --> 00:33:16,980 checked all of them. They have no relation whatsoever to North Korea. But deeper 314 00:33:16,980 --> 00:33:22,429 inspection of this signature name reveals that actually this "mal" prefix you see 315 00:33:22,429 --> 00:33:28,309 right here means that this is a generic detection that flags files based on some 316 00:33:28,309 --> 00:33:34,160 heuristic which, in essence, might detect a whole spectrum of files. So 317 00:33:34,160 --> 00:33:38,020 unfortunately, based only on this information, we cannot know what malware 318 00:33:38,020 --> 00:33:43,909 was exactly detected here or really if it was malware at all. But we can still 319 00:33:43,909 --> 00:33:49,029 speculate on why this whitelist thing was done. And for one, the most obvious 320 00:33:49,029 --> 00:33:53,200 speculation would be that there is some kind of an existing North Korean tool 321 00:33:53,200 --> 00:33:57,740 installed on citizens' computers and the authors didn't want to trigger an alert 322 00:33:57,740 --> 00:34:02,720 about it being malicious. It's also possible that the authors wanted some 323 00:34:02,720 --> 00:34:08,929 option to develop such a tool in the future and they inserted this signature in 324 00:34:08,929 --> 00:34:13,418 order to conceal this future component with this particular whitelisting 325 00:34:13,418 --> 00:34:20,309 mechanism. It's also possible that since the authors used a third party engine, the 326 00:34:20,309 --> 00:34:26,569 Trend Micro engine, that this signature mistakenly detected one of SiliVaccine's 327 00:34:26,569 --> 00:34:31,969 original components as malware, which they clearly wanted to avoid. And of course 328 00:34:31,969 --> 00:34:37,809 it's also possible that this whole thing is some kind of an idiotic false positive 329 00:34:37,809 --> 00:34:45,119 management fix. But I would say this is unlikely. All right - let's move on and 330 00:34:45,119 --> 00:34:50,708 talk about the kernel side of SiliVaccine. And remember: SiliVaccine has three kernel 331 00:34:50,708 --> 00:34:55,749 mode drivers, but actually only two of them are utilized, SVfilter and 332 00:34:55,749 --> 00:35:02,539 SVHook.sys. So let's focus on them. And we started snooping around and looking at 333 00:35:02,539 --> 00:35:07,630 these drivers. And the first thing we noticed is some fishy stuff like the fact 334 00:35:07,630 --> 00:35:13,849 that its entry point resides in the relog section and that it's supposedly packed 335 00:35:13,849 --> 00:35:20,330 with some kind of a packer called "BopCrypt" which we never heard of. And we 336 00:35:20,330 --> 00:35:25,420 looked around "BopCrypt"; turned out this is an old Russian PE packer that 337 00:35:25,420 --> 00:35:30,569 supposedly contains some common protection features such as anti-debug measures and 338 00:35:30,569 --> 00:35:35,380 polymorphic code. Now this is not really good news when dealing with the kernel 339 00:35:35,380 --> 00:35:40,939 driver because who wants to debug polymorphic code into kernel. So we 340 00:35:40,939 --> 00:35:46,309 thought: wait a second, before we dive in and do all of this stuff maybe we can 341 00:35:46,309 --> 00:35:50,390 actually find some kind of an answer by looking at this file again from the 342 00:35:50,390 --> 00:35:56,839 outside. And turns out that our answer was right there and our answer is 42 343 00:35:56,839 --> 00:36:03,299 *laughter*. Actually it's hex42. So evidently, this whole crazy protection 344 00:36:03,299 --> 00:36:09,559 scheme here is that the text section that contains the actual driver is sort with a 345 00:36:09,559 --> 00:36:16,710 single byte of the value 42 hex. So with this insane protection mechanism which we 346 00:36:16,710 --> 00:36:23,160 were able to bypass we were able to look at the drivers themselves and the first 347 00:36:23,160 --> 00:36:27,499 one of them, SVfilter.sys - I remind you that this is a file system filter driver - 348 00:36:27,499 --> 00:36:31,959 this is loaded and utilized by SVDealer. This is the real time scanning component 349 00:36:31,959 --> 00:36:36,839 and it has two main functionalities. One is to actually scan files upon access so 350 00:36:36,839 --> 00:36:42,500 it would intercept any kind of activity with the file system and it would take the 351 00:36:42,500 --> 00:36:50,319 underlying file and would issue it to SVDealer to conduct a scan on it and also 352 00:36:50,319 --> 00:36:55,490 it's actually used to protect the antivirus as binaries themselves to avoid 353 00:36:55,490 --> 00:37:04,450 any kind of malfunction against them by the user. And it really took us quite some 354 00:37:04,450 --> 00:37:09,210 time to realize that these are the only two things that this driver does because 355 00:37:09,210 --> 00:37:14,940 the code for them is really a mess. And I'm going to save you some time and 356 00:37:14,940 --> 00:37:20,300 explain the flaw of this driver by simplifying it a little bit. So this is 357 00:37:20,300 --> 00:37:26,779 how SVfilter.sys works in a nutshell. The first action it does is waste time 358 00:37:26,779 --> 00:37:34,279 *laughter*. So it does a lot of redundant checks that seem to have no effect on this 359 00:37:34,279 --> 00:37:39,450 code whatsoever. Then it moves on to see if the file scanned here is actually 360 00:37:39,450 --> 00:37:44,690 binary related to the antivirus itself. Of course if it is done it will deny access 361 00:37:44,690 --> 00:37:51,160 to it. Then it moves to the very important action of wasting a lot more time 362 00:37:51,160 --> 00:37:58,430 *laughter* by doing what seems to be pretty much garbage code. And finally at 363 00:37:58,430 --> 00:38:04,040 some point it will take the file, it will scan it and if the file seems to be 364 00:38:04,040 --> 00:38:09,269 malicious then it will deny the access to it. Otherwise it will allow the access. So 365 00:38:09,269 --> 00:38:14,950 this is pretty much everything to say about SVfilter. There was another driver 366 00:38:14,950 --> 00:38:23,859 called SVHook.sys which is utilized by the main GUI component, SVMain.exe. You look 367 00:38:23,859 --> 00:38:28,289 at this name, you think, yes, it probably hooks stuff. No - it doesn't actually hook 368 00:38:28,289 --> 00:38:35,730 anything. It's actually used to query some kind of process object data from the 369 00:38:35,730 --> 00:38:43,660 kernel and really it's quite of a confusing driver because it seems to have 370 00:38:43,660 --> 00:38:50,960 like 13 ioctls. Only 3 are ever used and it's highly, highly buggy. There's a lot 371 00:38:50,960 --> 00:39:01,420 of bugs there. So for instance, we've seen the following function where there's an 372 00:39:01,420 --> 00:39:10,270 ioctl issued to this driver and it really seems that those two components, SVMain 373 00:39:10,270 --> 00:39:15,910 and SVHook, were really developed by two different developers. So here we can see 374 00:39:15,910 --> 00:39:24,680 that this programmer who wrote this particular ioctl call actually used a 375 00:39:24,680 --> 00:39:31,209 buffer of size 12. Now you would assume that those two developers have agreed that 376 00:39:31,209 --> 00:39:36,869 this should be the buffer size, right? Well, evidently the second developer was 377 00:39:36,869 --> 00:39:42,520 not really notified about this and in fact checks explicitly that the buffer size is 378 00:39:42,520 --> 00:39:50,819 12 and if that's the case nothing happens *laughter*. Which really is a piece of 379 00:39:50,819 --> 00:39:58,549 shit code that does nothing *laughter*. So while looking into this, we tried to dig a 380 00:39:58,549 --> 00:40:03,130 little bit deeper and understand why those bugs happen and we think we have an 381 00:40:03,130 --> 00:40:10,009 answer. So just strolling around we see a lot of this. If you look at this you 382 00:40:10,009 --> 00:40:14,609 realize that you're looking at a lot of debug prints used by the author and you 383 00:40:14,609 --> 00:40:22,549 see that one of the parts of the strings referenced here is "sub_00something" which 384 00:40:22,549 --> 00:40:27,809 is an IDA-auto-generated name. Which to me, ladies and gentlemen, seems like 385 00:40:27,809 --> 00:40:33,390 instead of looking at authentic code, we were in fact reverse engineering a 386 00:40:33,390 --> 00:40:38,319 reverse.engineered driver. So essentially what happened here is that the developer 387 00:40:38,319 --> 00:40:46,069 of SVHook took some driver, decompile it, copied the code and added a bunch of debug 388 00:40:46,069 --> 00:40:51,599 prints in order to try to understand what he was copying and it seems he didn't only 389 00:40:51,599 --> 00:40:57,599 fail to understand it but he also forgot to remove this trail of debug prints. That 390 00:40:57,599 --> 00:41:05,339 demonstrates his elite coding skills. So we are nearly at the end and we talked 391 00:41:05,339 --> 00:41:10,089 quite a bit about the technical parts here but to get the full picture I think it's a 392 00:41:10,089 --> 00:41:15,980 good idea to look at the development story behind the software. So in essence, who is 393 00:41:15,980 --> 00:41:22,099 behind SiliVaccine? Well, to tackle this question we resorted to some version info 394 00:41:22,099 --> 00:41:26,660 that can be found inside the antivirus as binaries. And there we found some version 395 00:41:26,660 --> 00:41:30,710 manifest that pointed at several companies, the first one of which is 396 00:41:30,710 --> 00:41:35,790 called PGI (Pyongyang Guangdong Information Technology). It seems to be 397 00:41:35,790 --> 00:41:40,190 some kind of a North Korean establishment, a known one, that specializes in network 398 00:41:40,190 --> 00:41:46,559 security software. But really the more interesting company that we found there 399 00:41:46,559 --> 00:41:53,660 was called "STS Tech-Service" which is really this kind of shady company that has 400 00:41:53,660 --> 00:41:58,369 no trace of its activity online. We couldn't find any kind of artifact that 401 00:41:58,369 --> 00:42:08,190 shows what this company does or what is its main field of occupation. So we still 402 00:42:08,190 --> 00:42:14,940 can answer some questions about STS tech service. For instance we can say that STS 403 00:42:14,940 --> 00:42:20,910 tech service is highly likely based in the DPRK North Korea and that is due to this 404 00:42:20,910 --> 00:42:25,549 brochure you see here on the screen which is taken from a trade fair that took place 405 00:42:25,549 --> 00:42:32,649 in Pyongyang back in 2006. And in this particular trade fair this company, STS 406 00:42:32,649 --> 00:42:38,099 Tech-Service, they participated. We contacted the organizers and they actually 407 00:42:38,099 --> 00:42:42,809 confirmed that STS Tech- Service did come from North Korean side. Still, some 408 00:42:42,809 --> 00:42:47,329 questions remain. Is that a private company in North Korea or is that even a 409 00:42:47,329 --> 00:42:51,569 thing? Is that a government entity? Is that the same thing in North Korea? We 410 00:42:51,569 --> 00:42:59,310 don't know. Actually, another source told us that this company might be a 411 00:42:59,310 --> 00:43:04,089 subdivision of the KPA (where KPA stands for Korean People's Army), but we have no 412 00:43:04,089 --> 00:43:09,589 way of corroborating this. And you remember that Trend Micro stated that 413 00:43:09,589 --> 00:43:16,719 their engine could have been leaked from third party. Could that third party be 414 00:43:16,719 --> 00:43:21,809 this company? Well we don't know actually, but what we did see and which was really 415 00:43:21,809 --> 00:43:28,299 interesting is a particular connection between North Korea and Japan that repeats 416 00:43:28,299 --> 00:43:33,400 throughout this whole research so for one we've already seen that SVKernel is 417 00:43:33,400 --> 00:43:40,599 basically some kind of modified version of Trend Micro's engine. But then we've also 418 00:43:40,599 --> 00:43:45,450 seen that STS Tech-Service at some point cooperated with a company called Silver 419 00:43:45,450 --> 00:43:51,910 Star Japan on a particular application. As a matter of fact it not only cooperated 420 00:43:51,910 --> 00:43:55,630 with them but also with another company called Magnolia which also resides in 421 00:43:55,630 --> 00:44:00,680 Japan. Actually Silver Star and Magnolia reside in the same address in Japan, which 422 00:44:00,680 --> 00:44:05,890 is quite interesting. And then in a particular instance all of these three 423 00:44:05,890 --> 00:44:12,400 companies - Magnolia, Silver Star and STS Tech-Service cooperated with the KCC, a 424 00:44:12,400 --> 00:44:17,989 very famous North Korean research establishment, the Korean Computer Center, 425 00:44:17,989 --> 00:44:24,249 on another application. And it's important to say that while we can be very easily 426 00:44:24,249 --> 00:44:29,010 drawn to some conclusions here and speculate on some very wild scenarios, 427 00:44:29,010 --> 00:44:33,440 especially given the fact that North Korea and Japan are not friends, we need to 428 00:44:33,440 --> 00:44:37,720 remember that this is just a crazy web of connections that we unraveled here. And 429 00:44:37,720 --> 00:44:41,400 actually we cannot say much about this other than pointing out the connections 430 00:44:41,400 --> 00:44:49,440 themselves. Still I can say that we did find some traces of maliciousness in this 431 00:44:49,440 --> 00:44:56,809 whole package and at this point we thought: all right, we are done with the 432 00:44:56,809 --> 00:45:04,599 research; could it be that there is no malware or backdoor here? Well, it turns 433 00:45:04,599 --> 00:45:11,419 out that if we look back on this e-mail sent by this supposedly Japanese engineer, 434 00:45:11,419 --> 00:45:18,340 Kang yong hak and reinspect the installer provided in this particular email, then 435 00:45:18,340 --> 00:45:23,039 actually it has no metadata. And that's not surprising because this installer is 436 00:45:23,039 --> 00:45:26,880 in fact this file is in fact a self- extracting archive which contains the real 437 00:45:26,880 --> 00:45:33,660 installer of SiliVaccine. But then it also contains another file called "SVpatch4.0" 438 00:45:33,660 --> 00:45:39,759 which - well, OK. But when you look at the metadata you see it's supposedly related 439 00:45:39,759 --> 00:45:47,220 to Microsoft automatic updates which is, again, highly suspicious *laughter*. Now, 440 00:45:47,220 --> 00:45:52,209 we decided to look deeper in this file and it turns out that actually this file is a 441 00:45:52,209 --> 00:45:57,349 signed binary. And if you look the issue up on Google we come to a Kaspersky report 442 00:45:57,349 --> 00:46:03,079 about the Darkhotel APT. Very alarming. And then we decided to dig deeper and 443 00:46:03,079 --> 00:46:07,999 analyze this file. So we did some analysis. We realized that this is 444 00:46:07,999 --> 00:46:15,529 actually the stage one malware from a known campaign called Jaku uncovered by 445 00:46:15,529 --> 00:46:23,500 Forcepoint in 2016. Now what is Jaku? Jaku was an ongoing botnet campaign, it 446 00:46:23,500 --> 00:46:28,790 targeted mainly North Korea and Japan. And while it infected a lot of victims the 447 00:46:28,790 --> 00:46:34,089 later stages of the malware - stages 2 and 3 - were only used against a select group 448 00:46:34,089 --> 00:46:39,140 of individuals with North Korea and Pyongyang being the common theme between 449 00:46:39,140 --> 00:46:44,089 them. Now another interesting connection that was outlined by Forcepoint is between 450 00:46:44,089 --> 00:46:49,140 Jaku and Darkhotel which is really further evidence to this kind of an interesting 451 00:46:49,140 --> 00:46:55,919 connection on top of what we saw with the certificate used previously. Now who could 452 00:46:55,919 --> 00:47:00,220 be the target here? It could be the case that every SiliVaccine installation is 453 00:47:00,220 --> 00:47:04,140 bundled with this malware, but we don't think so. We actually think that the 454 00:47:04,140 --> 00:47:09,610 target was Martin Williams who deals vastly with North Korea. And it is 455 00:47:09,610 --> 00:47:17,219 possible that this particular malware was used against him. So this is pretty much 456 00:47:17,219 --> 00:47:21,759 the end and I would like to, before I let you go, summarize everything that we've 457 00:47:21,759 --> 00:47:29,749 seen in this talk. Let's look back and see those things. So for one we have seen that 458 00:47:29,749 --> 00:47:35,719 SiliVaccine has been illegally using Trend Micro's engine and it was not a one-time 459 00:47:35,719 --> 00:47:43,029 thing. It has been done at least two times and probably over multiple versions and 460 00:47:43,029 --> 00:47:50,279 for several years. Then we've also seen that the authors of SiliVaccine tried to 461 00:47:50,279 --> 00:47:56,799 conceal the fact that they used this engine with some interesting mechanism. 462 00:47:56,799 --> 00:48:02,979 Then we've seen that there is an explicit whitelisting of a particular signature and 463 00:48:02,979 --> 00:48:08,989 that the installation of SiliVaccine comes bundled with the malware called Jaku. Now, 464 00:48:08,989 --> 00:48:13,870 while having these understandings we still have some unanswered questions. For 465 00:48:13,870 --> 00:48:19,809 instance, we've seen that there are some artifacts that point at the fact that the 466 00:48:19,809 --> 00:48:24,509 code of SiliVaccine might have been recompiled with some other optimizations 467 00:48:24,509 --> 00:48:29,661 that were not in Trend Micro' engine in the first place. So, having said that, how 468 00:48:29,661 --> 00:48:34,669 did the SiliVaccine authors obtain such an access to a proprietary resource? We have 469 00:48:34,669 --> 00:48:42,949 no idea. Also this white-listed signature - we cannot say what it represents. It's a 470 00:48:42,949 --> 00:48:48,259 heuristic signature so we cannot really tell if it was trying to whitelist a 471 00:48:48,259 --> 00:48:54,569 malicious tool or a benign software. It's not very clear. And then also the Jaku 472 00:48:54,569 --> 00:48:59,829 malware. Since we only have one instance of this particular software from 2013 it's 473 00:48:59,829 --> 00:49:06,039 hard to say if it's bundled with all versions or only with this one. And while 474 00:49:06,039 --> 00:49:10,719 I can't answer all of these questions concisely I do want to point out that 475 00:49:10,719 --> 00:49:16,299 throughout this research we've seen a lot of effort done to develop this particular 476 00:49:16,299 --> 00:49:21,359 product and through this effort we've stumbled upon quite many illegal and shady 477 00:49:21,359 --> 00:49:27,999 practices employed by the DPRK to develop their own homebrew software. A software 478 00:49:27,999 --> 00:49:33,079 that, remember, maybe sometime in another time and in a perfect world could have 479 00:49:33,079 --> 00:49:37,839 been totally legitimate. And with that in mind I would like to thank you for your 480 00:49:37,839 --> 00:49:41,884 attention and hope you enjoy your time at CCC. 481 00:49:41,884 --> 00:49:53,004 *applause* 482 00:49:53,004 --> 00:50:02,339 Herald: Thank you, Mark, that was wonderful. We have plenty of time for 483 00:50:02,339 --> 00:50:08,029 questions and we have two microphones. One is in the middle of the room and one is 484 00:50:08,029 --> 00:50:14,430 sort of outside of the stage. So please queue up if you want to ask questions. And 485 00:50:14,430 --> 00:50:17,229 we already have a question on the microphone 1. 486 00:50:17,229 --> 00:50:20,800 Audience member 1: Do you have any idea why they chose Trend Micro over any other 487 00:50:20,800 --> 00:50:22,990 engine? Mark: Excuse me, could you repeat the 488 00:50:22,990 --> 00:50:25,659 question and raise your hand, because I didn't see you? 489 00:50:25,659 --> 00:50:29,009 Audience member 1: Do you have any idea why they chose Trend Micro and not any 490 00:50:29,009 --> 00:50:35,039 other engine, like an open source engine? Mark: Do I have any idea of Trend Micro 491 00:50:35,039 --> 00:50:38,039 tools is what? I'm sorry. Audience member 1: Do you have any idea 492 00:50:38,039 --> 00:50:41,749 why Trend Micro was chosen by them? Mark: Ah, why Trend Micro. 493 00:50:41,749 --> 00:50:43,989 Audience member 1: In comparison to anything else? 494 00:50:43,989 --> 00:50:46,069 Mark: Actually I have no idea. I really don't. 495 00:50:46,069 --> 00:50:48,579 Audience member 1: Thank you. Mark: If you know, then tell me, please. 496 00:50:48,579 --> 00:50:51,430 *laughter* Herald: microphone 2. 497 00:50:51,430 --> 00:50:57,229 Audience member 2: So have you looked at the fact that this antipiracy is a .exe. 498 00:50:57,229 --> 00:51:02,039 So it runs on Windows but all of North Korea runs with Red Star OS which is a 499 00:51:02,039 --> 00:51:05,709 Unix. Mark: Well, as far as I could tell from 500 00:51:05,709 --> 00:51:10,959 people I discussed with who do know a few things about North Korea actually Red Star 501 00:51:10,959 --> 00:51:15,769 OS is not the most common operating system there. In fact it's barely used because, 502 00:51:15,769 --> 00:51:23,359 well, to say it shortly, it's shit but they do use what seems to be some kind of 503 00:51:23,359 --> 00:51:29,359 Chinese versions of Windows XP and Windows 7. So this is intended to run on these 504 00:51:29,359 --> 00:51:33,519 operating systems. Herald: Thank you. Another question from 505 00:51:33,519 --> 00:51:36,039 mic 1. Audience member 3: How did you get the 506 00:51:36,039 --> 00:51:42,139 2005 version of the antivirus? Mark: Come to me later and I'll tell you. 507 00:51:42,139 --> 00:51:46,669 *laughter* Herald: Mic 1, please. 508 00:51:46,669 --> 00:51:51,499 Audience member 4: Yeah I just wanted to know if you checked that the Jaku malware 509 00:51:51,499 --> 00:51:57,400 was not part of this whitelist program. Mark: Oh yes, we checked it. Actually this 510 00:51:57,400 --> 00:52:05,349 was not the white-listed signature. It was actually not detected by SiliVaccine, but 511 00:52:05,349 --> 00:52:09,400 it was also not detectable by Trend Micro. It was not detected by anyone 512 00:52:09,400 --> 00:52:15,809 actually so it was not the white-listed signature. 513 00:52:15,809 --> 00:52:20,506 Herald: Thank you. That's all. Thank you, Mark. Thank you for the amazing talk. 514 00:52:20,506 --> 00:52:22,726 *applause* 515 00:52:22,726 --> 00:52:27,912 *35C3 postroll music* 516 00:52:27,912 --> 00:52:45,000 subtitles created by c3subtitles.de in the year 2019. Join, and help us!