Overview
Explore the intricacies of SiliVaccine, North Korea's national anti-virus solution, in this 58-minute conference talk from Recon 2018 Montreal. Delve into the reverse-engineering process of this rare software, uncovering its program architecture, file scanning engine, system-level drivers, and user mode utilities. Discover the surprising findings and puzzling implementation details of this secretive product, developed exclusively for the DPRK over fifteen years. Learn about the challenges faced during the investigation, the shady practices underlying North Korean state-sponsored software, and the potential implications of such a tool. Gain insights from security researchers Mark Lechtik and Michael Kajiloti as they discuss their motivations, methodologies, and the unexpected connections they uncovered, including possible links to Japanese technology.
Syllabus
Intro
THE STORY BEGINS WITH ...
WHAT IS SILIVACCINE?
NORTH KOREAN AV?
HOW DID WE OBTAIN IT?
MOTIVATION
SOFTWARE ARCHITECTURE
STRINGS
CODE SIMILARITY
CODE DIFFERENCE
TREND MICRO'S RESPONSE
LOOKING DEEPER
THE ENCRYPTION KEY
OVERCOMING ENCRYPTION
RENAMING IS EASY
WHAT'S WITH THIS STRING?
WHAT IS GOING ON HERE?
WHY WHITELIST?
A STORY ABOUT 3 DRIVERS
WHAT IS THE ANSWER???
VERSION INFO
WHO'S STS TECH-SERVICE?
THE JAPANESE CONNECTION
EXAMINING THE PACKAGE
DIGGING DEEPER
CONCLUSION
UNANSWERED QUESTIONS
Taught by
Recon Conference