North Korea’s Anti-Virus SiliVaccine is a 10-year-old copy of one of Trend Micro’s
Researchers Mark Lechtik and Michael Kajiloti from Check Point, an online security company, said in an analysis and investigation report released on Tuesday that they conducted an exposing investigation on the North Korean anti-virus software SiliVaccine.
The survey results show that a key component of the SiliVaccine source code uses a 10-year-old outdated scan engine module developed by Trend Micro, a Japanese security solution provider, and bundled with a so-called “JAKU” malware.
The researchers stated that the copy of the software used for the analysis was provided by Martyn Williams, a freelance writer who is also editor-in-chief of North Korea Science and Technology Network. According to Williams, a person named Kang Yong Hak who claimed to be a Japanese engineer sent him anti-virus software by e-mail on July 8, 2014, but within hours of receiving the e-mail, This person’s email has been disabled.
The email body contains a link to Dropbox hosting a zip file. This zip file contains a copy of the SiliVaccine software along with a readme document written in Korean that teaches how to use the software, and a file that looks suspiciously like the SiliVaccine software patch.
After analyzing the engine files of SiliVaccine, Mark Lechtik and Michael Kajiloti found that their source code exactly matched the anti-virus engine source code developed by Trend Micro more than ten years ago. Trend Micro is a completely independent Japanese company headquartered in Tokyo. Network Security Solution Provider, which has no cooperation with North Korean companies.
Although these codes are not completely duplicated, there is enough similarity to confirm that the code does indeed come from Trend Micro, and SiliVaccine’s developers just made some custom modifications based on it, trying to hide the fact that the code matches.
In general, the purpose of antivirus software is to block all known malware signatures. However, an in-depth investigation of SiliVaccine shows that it aims to ignore a particular signature. Mark Lechtik and Michael Kajiloti found a hard-coded malware signature white list named “Mal.Nucrp.F (detected by Trend Micro as MAL_NUCRP-5)” in the SiliVaccine source code. This is a family of malware, which means that even if SiliVaccine detects such malware, it will not delete it or warn the user.
Not only that, the survey also found that the copy of SiliVaccine provided by Williams also bundled with a malicious software named “Jaku.” According to an analysis released by the cybersecurity technology firm Forcepoint in May 2016, Jaku is a botnet targeted primarily at scientists, engineers, and academics.
JAKU’s operations team is believed to be associated with North Korea, using mainly fake seed files provided by the BT website to infect victims. At that time, about 19,000 computer users became victims, 42% of them from South Korea, 31% from Japan, 9% from China, and 6% from the United States.
In addition, the patch files mentioned in the zip file mentioned above have also been confirmed to be used to provide the first-stage dropper of Jaku malware. Mark Lechtik and his colleague Michael Kajiloti said that they will present the survey results in detail at the Caro Workshop computer security conference held in Portland, Oregon on May 23rd.
Source, Image: checkpoint
