SiliVaccine: North Korea's Weapon of Mass Detection

BSidesLV 2018

Presented by: Michael Kajiloti, Mark Lechtik
Date: Tuesday August 07, 2018
Time: 14:00 - 14:55
Location: Breaking Ground

Meet SiliVaccine – North Korea’s national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by the government. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet.

In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it; and what surprising discoveries we made about its program architecture — all the way down to the file scanning engine, drivers, and other puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product.

How was SiliVaccine created? Who created it? What was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing it. If there is anything we learned, it’s that DPRK state-sponsored software is a secretive industry underpinned by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.

Mark Lechtik

Security researcher at Check Point Software Technologies, dealing with reverse engineering. Obsessed with unpacking niche malware and digging out gory technical details. Originally from Kazakhstan, and although he can’t provide proof, claims to have family ties to Borat.

Michael Kajiloti

Michael is a security researcher with interests ranging from reverse engineering to cryptocurrencies. He currently works as the malware research team leader at Check Point, and enjoys teaching and giving lectures on the subjects he is passionate about.
