There’s something not quite right about North Korea’s antivirus software.
SiliVaccine, as the software is known, appears to contain a decade-old component pirated from a Japanese security firm. What’s more, investigators who’ve examined the software say it was purposefully designed to ignore a known malware signature linked to a number of malware families.
The software was reportedly acquired by freelance journalist Martyn Williams, the operator of a website dedicated to North Korean technology. Williams received a link to the software in a suspicious email years ago and has written about installing and testing the program. The files, which Williams received via a Dropbox link, were sent by somebody claiming to be a Japanese engineer.
Per Williams, who ran the software on a Windows machine after confirming it wasn’t malicious, the home-grown antivirus application was in its fourth version, as of September 2014.
The IP address used by SiliVaccine, Williams reported, “resides in a block set aside for use on local networks rather than the global Internet, so only works from within North Korea’s nationwide intranet.”
Check Point, a Tel Aviv-based IT software company, more recently analysed SiliVaccine. It announced today that SiliVaccine’s antivirus engine code belongs to Trend Micro, a threat intelligence firm headquartered in Japan that specialises in cloud computing.
Trend Micro confirmed its developers created the code over a decade ago. “Trend Micro has never done business in or with North Korea,” the company said. “We are confident that any such usage of the module is entirely unlicensed and illegal, and we have seen no evidence that source code was involved.”
Trend Micro said it was confident the alleged theft of the module did not pose any risk to its customers.
What’s more, the malware SiliVaccine was apparently designed to ignore is normally blocked by Trend Micro’s detection engine. Check Point said it wasn’t clear which malicious file was being ignored by the software, adding: “What is clear is that the North Korean regime does not want to alert its users to it.”
Trend Micro told Gizmodo that the signature is normally detected using heuristics, a scanning method that identifies malware based on behaviour patterns, used primarily for unrecognised malware. The signature whitelisted by SiliVaccine has been used in the past to detect a number of NUWAR, TIBS, and ZHELAT variants.
Trend Micro added that while it takes a strong stance against software piracy, taking legal action against the North Korean government (DPRK) would not be very productive.
How Trend Micro’s code found its way into SiliVaccine is a mystery that’s difficult to unravel, but Check Point said there are two companies through to have authored the software, the North Korean state IT company known as PGI, and STS Tech-Service.
According to Check Point, STS Tech-Service is known to have worked with two companies based in Japan, Silver Star and Magnolia, which have previously cooperated with a North Korean research entity known as the Korean Computer Centre.
The file received by Williams is also said to have contained malware affiliated with JAKU, which is used to construct botnets and has reportedly been used to target and track specific individuals—namely, academics, scientists, and government employees. According to a 2016 report by the Raytheon-owned security firm Forcepoint, the individuals specifically targeted shared a common theme: North Korea.
Check Point’s investigation found that the JAKU file contained the digital signature of “Ningbo Gaoxinqu zhidian Electric Power Technology,” which is known to distribute malware, including those used by Dark Hotel, an advanced persistent threat (APT) known to selectively target travellers using hotel-provided wifi. The aim, presumably, is to gain corporate network access through the use of keylogger and backdoor malware.
The JAKU malware was not found combined with SiliVaccine, Check Point said, “but could have been included in the zip file as a way to target journalists such as Mr Williams.”