Key components of the ‘SiliVaccine' AV software are identical to a 10-year old copy of Japanese security vendor Trend Micro's AV software, claim researchers from Check Point.
“The authors of ‘SiliVaccine' must have had access to Trend Micro proprietary resources and components over the course of many years, this is not a one off leak. We have two different versions of ‘SiliVaccine' almost a decade apart, both with proprietary Trend Micro code”, Check Point researcher Michael Kajiloti told SC Media UK.
Although other elements of the ‘SiliVaccine' software exhibit indicators consistent with reverse engineering - the drivers in particular - the file scanning engine element from Trend contains no such artifacts, according to the researchers. “This AV software is not just one component of course - other elements have traces of reverse engineering too, it has been pieced together from other sources [in addition to Trend Micro] - it is really a frankenstein anti-virus. However, the likelihood that this [file scanning engine] code is reverse engineered is very low - the amount of effort required is immense - whoever wrote this had to have knowledge of how the Trend Micro product is built - it's not just the result of looking at the publicly-available product, echoed Check Point researcher Mark Lechtik.
Trend Micro responded to the comments, and were keen to downplay the level of access required, as Greg Young, vice president for cybersecurity, Trend Micro told SC Media UK: “There was absolutely no source code involvement. Trend Micro does not make its source code available outside of Trend Micro in any capacity, nor has the company been the victim of a breach. This was our VSAPI scan engine library module (that is widely available in all of our products) that was used without license. This is downloaded as part of a trial version of our anti-virus products, which is similar to internet-available trial versions from every other anti-virus product makers. An analogy is that of distributing unlicensed versions of Windows: Microsoft source code hasn't been stolen nor has there been a leak: it is pirating or using products without a licence.”
The vendor had previously commented: “Trend Micro has never done business in or with North Korea. The scan engine version at issue is quite old and has been widely incorporated in commercial products from Trend Micro and third party security products through various OEM deals over the years, so the specific means by which it may have been obtained by the creators of SiliVaccine is unknown. Trend Micro takes a strong stance against software piracy, however legal recourse in this case would not be productive. We do not believe that the infringing use at issue poses any material risk to our customers.”
The investigation began with a sample of ‘SiliVaccine' being sent to a freelance journalist with a focus on North Korean technology, Martyn Williams. The sample came with a suspicious ‘patch' - which turned out to be infected with a stage one dropper for the JAKU malware, itself linked with a series of attacks ascribed to North Korea. Not only that, but the file is signed by a “certificate that is extremely similar to one of the certificates reportedly used in the DarkHotel APT campaign.”
The analysis also showed that the SiliVaccine anti-virus software is designed to not block one specific heuristic signature, with the option of whitelisting others, behaviour that the researchers classified as highly suspicious. “The most likely explanation is that they already have a tools with this signature that they don't want detected. The other explanation is that it is a backdoor - it could be an effort to remove false positives, and even to prevent part of the software itself being detected… However, they have not whitelisted any other signatures.”
‘SiliVaccine' was originally designed to be an exportable AV tool, according to the researchers, evidenced by the fact that the earliest sample has dual-language (Korean and English) menus. However, this newest sample is intended for internal use only, and contacts a North Korean intranet server for updates.