Check Point said the investigation began when its research team received a rare sample of North Korea’s ‘SiliVaccine’ anti-virus software from a freelance journalist who received it through an email
Security software maker Check Point announced that its researchers’ investigation into a North Korean anti-virus software, SiliVaccine, has found that a key component of the software’s code is a 10+-year-old copy of anti-virus engine code belonging to leading Japanese security vendor, Trend Micro.
“After detailed forensic analysis of SiliVaccine’s engine files - the software component that provides the core file scanning capability of the anti-virus - our research team discovered exact matches of SiliVaccine and large chunks of 10+-year-old anti-virus engine code belonging to Trend Micro,” said a statement from Check Point.
“For this to happen, the developers who built SiliVaccine could have had access to a compiled library from any of Trend Micro’s commercially released products, or, theoretically, source code access,” it said.
“We have seen no evidence that source code was involved,” said Trend Micro in response.
“Check Point has provided us with a copy of the software for verification. While we are unable to confirm the source or authenticity of that copy, it apparently incorporates a module based on a 10+ year-old version of the widely distributed Trend Micro scan engine used by a variety of our products,” the Japanese company further said.
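The finding both companies describe rests on locating byte-for-byte identical chunks of one vendor's engine inside another product's binary. The script below is an added example of that kind of comparison and is not Check Point's or Trend Micro's code: it indexes every fixed-size window of a reference binary by hash, scans a suspect binary for hits, and extends each hit into the longest identical run, then reports how much of the suspect is explained by the reference. The two "binaries" are constructed sample data (a pseudo-random reference with two regions copied into a suspect), and the 32-byte window size is an assumed, tunable value; a real investigation would work on disassembled functions rather than raw bytes, but the matching idea is the same.

```python
"""
Added example, not code from Check Point or Trend Micro: find byte-for-byte
shared chunks between a known engine binary and a suspect binary.
Every WINDOW-byte slice of the reference is indexed by hash; the suspect is
scanned for hits, and each hit is extended forward into the longest identical run.
The "binaries" below are constructed sample data, not real SiliVaccine or
Trend Micro files.
"""
import hashlib
import random
from typing import Dict, List, Optional, Tuple

WINDOW = 32  # shortest run reported, in bytes (an assumed, tunable value)

Run = Tuple[int, int, int]  # (offset in reference, offset in suspect, length)


def _window_hash(chunk: bytes) -> bytes:
    return hashlib.blake2b(chunk, digest_size=16).digest()


def index_windows(data: bytes, window: int = WINDOW) -> Dict[bytes, List[int]]:
    """Map the hash of every window-byte slice of data to the offsets where it occurs."""
    index: Dict[bytes, List[int]] = {}
    for off in range(len(data) - window + 1):
        index.setdefault(_window_hash(data[off:off + window]), []).append(off)
    return index


def find_shared_runs(reference: bytes, suspect: bytes, window: int = WINDOW) -> List[Run]:
    """Return maximal identical runs of at least window bytes, scanning suspect left to right."""
    ref_index = index_windows(reference, window)
    runs: List[Run] = []
    off = 0
    while off <= len(suspect) - window:
        candidates = ref_index.get(_window_hash(suspect[off:off + window]), [])
        best: Optional[Run] = None
        for ref_off in candidates:
            # Guard against hash collisions by comparing the actual bytes.
            if reference[ref_off:ref_off + window] != suspect[off:off + window]:
                continue
            length = window
            while (ref_off + length < len(reference) and off + length < len(suspect)
                   and reference[ref_off + length] == suspect[off + length]):
                length += 1
            if best is None or length > best[2]:
                best = (ref_off, off, length)
        if best is None:
            off += 1
        else:
            runs.append(best)
            off += best[2]  # skip the run; its interior windows are already explained
    return runs


def shared_fraction(suspect: bytes, runs: List[Run]) -> float:
    """Fraction of the suspect binary covered by runs found in the reference."""
    return sum(length for _, _, length in runs) / len(suspect) if suspect else 0.0


# --- constructed sample data (hypothetical, not real engine files) ---
# Reference bytes stay below 0x80 and filler bytes at or above 0x80, so the
# boundaries of the copied regions are unambiguous.
_rng = random.Random(7)
REFERENCE_ENGINE = bytes(_rng.randrange(0, 128) for _ in range(4000))


def _filler(n: int) -> bytes:
    return bytes(_rng.randrange(128, 256) for _ in range(n))


SUSPECT_BINARY = (_filler(300)
                  + REFERENCE_ENGINE[500:1500]   # lifted block 1
                  + _filler(200)
                  + REFERENCE_ENGINE[3000:3400]  # lifted block 2
                  + _filler(100))

if __name__ == "__main__":
    found = find_shared_runs(REFERENCE_ENGINE, SUSPECT_BINARY)
    for ref_off, sus_off, length in found:
        print(f"reference@{ref_off:#08x} == suspect@{sus_off:#08x} for {length} bytes")
    print(f"{shared_fraction(SUSPECT_BINARY, found):.1%} of the suspect binary is shared")
```

On the constructed input the script reports two runs, covering 70% of the suspect; on real files the interesting signal is long runs (hundreds of bytes or more) at consistent relative offsets, which is what distinguishes a lifted library from the short matches that any two binaries built with the same compiler will share.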
Check Point said the investigation began when its research team received a very rare sample of North Korea’s ‘SiliVaccine’ anti-virus software from a freelance journalist with a focus on North Korean technology, who had received it as a link in a suspicious email in July 2014, supposedly sent by a Japanese engineer. The email contained a link to a Dropbox-hosted zip file that held a copy of the SiliVaccine software, a Korean-language readme file explaining how to use the software, and a suspicious-looking file posing as an update patch for SiliVaccine.
This patch update file was identified by Check Point researchers as JAKU, a highly resilient botnet-forming malware that has infected around 19,000 victims, primarily through malicious BitTorrent file shares.
“It has however been seen to target and track more specific individual victims in both South Korea and Japan, including members of International Non-Governmental Organizations (NGOs), engineering companies, academics, scientists and government employees,” said Check Point.
Check Point says Trend Micro’s suggestion that a widely licensed library was misappropriated, which may explain SiliVaccine’s use of a 10+ year-old version of the scan engine, is backed up by the Check Point team’s additional analysis of an older version of SiliVaccine as well.
“This suggests that this is not a one-time occurrence,” it noted.