SiliVaccine: North Korea's Weapon of Mass Detection
How I Learned to Stop Worrying and Love the Backdoor

Mark Lechtik

52 min

2018-12-27

35c3

Meet SiliVaccine, North Korea's national anti-virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been in continuous development by dedicated government teams for over fifteen years. When we heard of this strange software, we were immediately driven to investigate it: it is not every day that you can catch a glimpse of the malware landscape inside the closed garden of the DPRK's intranet.

In this talk, we describe how we obtained a rare copy of SiliVaccine; how we reverse-engineered it despite the hair-tearing obstacles; and what surprising discoveries we made about its program architecture, all the way down to the file scanning engine, the system-level drivers, the user-mode utilities, and the most bizarre and puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product, away from the public eye. How was SiliVaccine created? Who created it? What was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing this product.

If there is anything we learned from this research, it is that DPRK state-sponsored software is a secretive industry underlain by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is "thank you, but no thank you".

Disclaimer: No significant knowledge of reverse engineering is required to understand the talk. We break down our thought process and methodology to its very basics, so that this talk can speak to both technical and non-technical audiences.

Another disclaimer: We guarantee an entertaining talk. :)

https://research.checkpoint.com/silivaccine-a-look-inside-north-koreas-anti-virus/

https://recon.cx/2018/montreal/schedule/system/event_attachments/attachments/000/000/055/original/RECON-MTL-2018-silivaccine_weapon_of_mass_detection.pdf

https://www.forbes.com/sites/thomasbrewster/2018/05/01/north-korea-antivirus-has-mystery-code-from-trend-micro/

https://www.theregister.co.uk/2018/05/02/north_korea_silivaccine_av_software_analysis/
