SiliVaccine: North Korea's Weapon of Mass Detection presented at BSidesLasVegas 2018

by Mark Lechtik, Michael Kajiloti

Summary: Meet SiliVaccine – North Korea’s national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by the government. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet.

In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it; and what surprising discoveries we made about its program architecture — all the way down to the file scanning engine, drivers, and other puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product.

How was SiliVaccine created? Who created it? What was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing it. If there is anything we learned, it’s that DPRK state-sponsored software is a secretive industry underlain by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.