Everything wrong with North Korea’s Homegrown SiliVaccine Antivirus

SiliVaccine, North Korea’s very own antivirus program, gives us a rare peek at how the country operates. The software’s code reveals not only a backdoor but also code stolen from a competitor.

Security researchers at Check Point Security, the former makers of the ZoneAlarm product line, obtained two SiliVaccine samples and began dissecting them to uncover how the antivirus protects its users from outside threats, and also how the antivirus company could use that software to spy on its users.


Background

Journalist Martin Williams obtained the sample back in 2014. A Japanese tipster, identifying as “Kang Yong Hak”, mailed him a Dropbox link to the software.

At that time, he detailed the functions of the program, which was at version 4.0 and had been published in 2002. The publishers of the software were named as Pyongyang Gwangmyong Information Technology and STS Tech-Service.

Williams then contacted a trusted British antivirus firm in 2014 with the sample of the Korean antivirus program, and after testing they concluded that the software did not appear to be malicious.

Bundled Malware

Some weeks ago, Check Point re-examined the software sample and found that it contained code stolen from the Japan-based antivirus maker Trend Micro.

Trend Micro has been a well-known name in the security software scene for a long time. The re-examination also revealed that the software contained malware, delivered as a patch, that made the antivirus deliberately ignore specific malware signatures.

This is a security hole that could allow the software to stay silent while malware is being installed. The bundled malware is known as JAKU.
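The mechanism described above, a scanner whose signature database still lists a threat but whose matching logic quietly skips it, is easy to picture with a toy model. The following Python is an added example written for this article; it is not Check Point's analysis tooling or any SiliVaccine or Trend Micro code, and every signature name, byte pattern and sample file in it is constructed. It shows a minimal signature scanner, the effect of a patched "suppressed" list, and a defender-side self-test that catches the gap by probing every signature the scanner claims to know.

```python
"""Toy model of a signature scanner with a silently suppressed signature,
plus a coverage self-test that exposes the suppression.

Everything here is constructed for illustration: the signature names,
the byte patterns and the probe files are hypothetical and are not real
antivirus signatures.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed signature database: detection name -> byte pattern.
SIGNATURES: dict[str, bytes] = {
    "Test.Pattern.A": b"TEST-PATTERN-A",
    "Test.Pattern.B": b"TEST-PATTERN-B",
    "Test.Pattern.C": b"TEST-PATTERN-C",
}


@dataclass
class Scanner:
    """A naive substring-matching scanner.

    `suppressed` models a patched build: names in this set stay in the
    database (so an inventory of signatures looks complete) but never fire.
    """

    signatures: dict[str, bytes]
    suppressed: set[str] = field(default_factory=set)

    def scan(self, data: bytes) -> list[str]:
        hits: list[str] = []
        for name, pattern in self.signatures.items():
            if name in self.suppressed:
                continue  # the "stay silent" behaviour: match is never reported
            if pattern in data:
                hits.append(name)
        return hits


def audit_scanner(scanner: Scanner) -> list[str]:
    """Defender-side coverage check.

    For every signature the scanner claims to carry, build a benign probe file
    that contains exactly that pattern and confirm the scanner flags it.
    Returns the names of signatures that are present in the database but
    never produce a detection, which is what a suppression patch looks like
    from the outside.
    """
    missing: list[str] = []
    for name, pattern in scanner.signatures.items():
        probe = b"harmless padding " + pattern + b" harmless padding"
        if name not in scanner.scan(probe):
            missing.append(name)
    return missing


if __name__ == "__main__":
    clean = Scanner(SIGNATURES)
    patched = Scanner(SIGNATURES, suppressed={"Test.Pattern.B"})

    sample = b"some bytes TEST-PATTERN-B more bytes"  # constructed sample
    print("clean scanner:  ", clean.scan(sample))      # ['Test.Pattern.B']
    print("patched scanner:", patched.scan(sample))    # []
    print("audit of patched build, silent signatures:", audit_scanner(patched))
```

The audit does not need to know how the suppression was implemented; it only compares what the scanner advertises against what it actually reports, which is the same kind of discrepancy the researchers found between SiliVaccine's signature set and its behaviour.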


It is an extremely resilient piece of malware that forms a botnet and usually spreads through BitTorrent networks.

Check Point researcher Mark Lechtik said in an interview with Threatpost that they believed Williams was being targeted by North Korea.

The researchers also shared the fact that Williams seemed to be a part of a wider distribution of this software.

Trend Micro’s stolen antivirus scan engine

Trend Micro, for its part, confirmed that SiliVaccine used part of its software illegally, but said that this does not jeopardize current users of Trend Micro security products in any way.

It is still a mystery how Trend Micro’s code found its way into North Korea’s antivirus program. Trend Micro says that even though it takes a strong stance against piracy, it would not be productive to take legal action against the government of North Korea.

Given that Japan and North Korea have no official diplomatic relations, such findings are quite surprising. Like the Trend Micro product, North Korea’s antivirus blocks malware, lets users run scans, and more.


However, it does not flag certain types of malware, and that gap can be used to snoop on its users.

This revelation about SiliVaccine raises further suspicion about the motives and authenticity of North Korea’s IT operations and products.

The finding does, however, make one thing very clear: the questionable and shady goals of SiliVaccine’s creators and of those who funded the product.