
SiliVaccine: North Korea's Weapon of Mass Detection

How I Learned to Stop Worrying and Love the Backdoor


Video duration: 00:52:44
Language: English

Abstract
Meet SiliVaccine – North Korea's national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by dedicated government teams for over fifteen years. When we heard of this strange software, we were immediately driven to investigate it: it's not every day that you can catch a glimpse of the malware landscape inside the closed garden of the DPRK's intranet.

In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it, despite the hair-tearing obstacles; and what surprising discoveries we made about its program architecture – all the way down to the file scanning engine, the system-level drivers, the user-mode utilities, and the most bizarre and puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product, away from the public eye.

How was SiliVaccine created? Who created it? What was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing this product. If there is anything we learned from this research, it's that DPRK state-sponsored software is a secretive industry underlain by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is "thank you but no thank you".

Disclaimer: No significant knowledge in reverse engineering is required to understand the talk. We break down our thought process and methodology to its very basics, so that this talk can relate to both technical and non-technical audiences.

Another Disclaimer: We guarantee an entertaining talk. :)


Talk ID: 9375
Event: 35c3
Day: 1
Room: Eliza
Start: 2:10 p.m.
Duration: 01:00:00
Track: Security
Type: lecture
Speaker: Mark Lechtik
Talk Slug & media link: 35c3-9375-silivaccine_north_korea_s_weapon_of_mass_detection

Talk & Speaker speed statistics

Very rough underestimation:
Whole talk: 135.8 wpm, 768.5 spm
Mark Lechtik: 140.5 wpm, 799.9 spm
