SiliVaccine: North Korea’s Weapon of Mass Detection

Mark Lechtik, Check Point

SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by dedicated government teams for over fifteen years. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you can catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet.

In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it, despite the hair-tearing obstacles; and what surprising discoveries we made about its program architecture — all the way down to the file scanning engine, the system level drivers, the user mode utilities, and the most bizarre and puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product, away from the public eye.

How was SiliVaccine created? Who created it? what was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing this product. If there is anything we learned from this research, it’s that DPRK state-sponsored software is a secretive industry underlied by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.

Reason this topic should be considered:

  • Gives a view into a very rare product from North Korea, that hasn’t been technically covered by anyone so far
  • Sheds light on what happens behind the curtains of North Korea’s software production industry
  • Reflects the in-depth reverse engineering process of a protected AV product
  • Contains very interesting discoveries, both from technical and political standpoints
  • It’s going to be a very fun and entertaining presentation

Mark Lechtik

Security researcher at Check Point Software Technologies, deals with reverse engineering and malware analysis both as occupation and hobby. Enjoys deep diving into a variety of malwares, digging out their gory technical details and outlining their underlying stories and threat actors. Originally comes from Kazakhstan, and although can’t provide proof – claims to have family ties to Borat.

The Dynamic Security Ecosystem
Other Topics