North Korean anti-virus uses old Trend Micro components

Trend Micro isn't too fussed about the code connection, given that the components are 10 years old

Researchers at Check Point have published a report showing that North Korea's SiliVaccine, the country's anti-virus product, uses functional elements taken from a ten-year-old copy of Trend Micro's anti-virus engine.

Check Point's investigation began when IDG's Martyn Williams shared a sample of the software for analysis. Williams has previously written about the DPRK offering on the North Korea Tech blog.

While North Korea is a known threat actor, the nation itself has said such claims are little more than enemy propaganda. SiliVaccine has been hailed by the country as one of its legitimate home-grown tech advances, alongside the Red Star operating system.

When Check Point researchers examined the sample shared by Williams, they discovered "large chunks of anti-virus engine code belonging to Trend Micro."

"Furthermore, this exact match coding had been well hidden by SiliVaccine's authors. With Trend Micro being a Japanese company, and Japan and North Korea enjoying no official diplomatic or political relationship, this is a surprising discovery," Check Point said in a blog post.

Another curious discovery was that the DPRK's anti-virus has a built-in whitelist that suppresses detections for malware with characteristics similar to NUWAR and ZHELAT.

In a statement, Trend Micro said it was aware of Check Point's research but did not know how its code had ended up in a product developed in North Korea.

"Trend Micro is aware of the research by Check Point on the 'SiliVaccine' North Korean anti-virus product, and Check Point has provided us with a copy of the software for verification. While we are unable to confirm the source or authenticity of that copy, it apparently incorporates a module based on a 10+ year-old version of the widely distributed Trend Micro scan engine used by a variety of our products," the company said.

"Trend Micro has never done business in or with North Korea. We are confident that any such usage of the module is entirely unlicensed and illegal, and we have seen no evidence that source code was involved. The scan engine version at issue is quite old and has been widely incorporated in commercial products from Trend Micro and third-party security products through various OEM deals over the years, so the specific means by which it may have been obtained by the creators of SiliVaccine is unknown."

Check Point says its findings align with Trend Micro's and speculates that the code appropriation was not a one-time event. A full breakdown of the code is available on Check Point's blog.
