#processhacker
Text
Process Management

Process Management - What is a process? What is a process control block? What are concurrent processes? What is process creation? What is process termination?
Process
A program in execution is called a process. A system can be viewed as a collection of processes: operating-system processes execute system code and user processes execute user code. A process needs certain resources, such as CPU time, memory, files and I/O devices, to accomplish its task. The operating system is responsible for (1) the creation and deletion of system and user processes, (2) the scheduling of processes, and (3) the provision of mechanisms for synchronisation, communication and deadlock handling between processes.
Process Control Block (PCB)
A PCB (process control block) is a data structure containing information about a specific process. Each process is represented in an operating system by its own process control block. This includes: (a) the process state, which may be new, ready, running, waiting or halted; (b) the program counter, which indicates the address of the next instruction to be executed for this process; (c) the CPU registers, which include accumulators, index registers, stack pointers and general-purpose registers (this information is saved when an interrupt occurs); (d) CPU scheduling information, which includes the process priority, pointers to scheduling queues, etc.
Concurrent Processes
The processes in a system can execute concurrently. To provide concurrent execution, a mechanism for process creation and termination is required.
What Is Process Creation?
A process may create several new processes via a create system call. The creating process is called the parent process, while the new processes are called child processes. A parent may execute concurrently with its children, or it may wait until all its children have terminated.
Process Termination
A process terminates when it finishes executing its last statement and asks the operating system to delete it. A process can also cause the termination of another process via a system call. Usually, such a system call can be invoked only by the parent of the process that is to be terminated.
Relation Between Processes
A process executing in the operating system may be either an independent process or a cooperating process. 1. Independent process: such a process cannot affect or be affected by other processes executing in the system. 2. Cooperating process: such a process can affect or be affected by other processes executing in the system.
Processor Scheduling
Almost all computer resources are scheduled before use; the CPU, being one of the central resources, also requires scheduling.
Text
Yummy ftp pro crash

#YUMMY FTP PRO CRASH HOW TO#
#YUMMY FTP PRO CRASH CRACKED#
#YUMMY FTP PRO CRASH INSTALL#
#YUMMY FTP PRO CRASH UPGRADE#
Can vouch for Cold Turkey - just be sure to block cold Turkey as well so you can't make alterations. Downgrade your computer into a typewriter that forces you to write, nothing else. The website and app blocker that blocks distractions so you can be more productive. Many web hosting companies are having sales right now, for example A2 Hosting is offering hosting with WordPress for as little as $2/month if you sign up for a 3 year package Cold Turkey - The Toughest Website Blocker on the Internet. com domain through Google Domains for $12/year, which includes domain privacy protection. Users Can Easily List The Websites They Want To Prevent Them From Accessing The It's surprisingly affordable. For Example, If Your Computer System Is Shared By Other Users, Using This Software Can Block Other People's Access To Some Web Pages. It's Easy To Setup, Install, And Launch, Allowing Users To Quickly Block Web Browsers From Accessing Web Pages In A Short Time. You can also block applications, add daily time limits, exceptions, or even use it to lock yourself out of your computer. Cold Turkey Blocker 3.4 The Application Is Powerful And Powerful To Restrict Access To Web Pages. You can set it to block anything from a specific webpage to the entire Internet. Cold Turkey Blocker pro crack is designed to be easy to configure for your specific needs.
#YUMMY FTP PRO CRASH HOW TO#
People use. 2019 Cold Turkey - How to Unblock - In 1 minute! - YouTube Cold Turkey Blocker lets you temporarily block online distractions to help you focus and finish your work sooner. Other distraction blockers are too easy to circumvent. You can also block applications, add daily time limits, exceptions, or even use it to lock yourself out of your computer! Probably the most stubborn app ever. Cold Turkey Blocker pro crack is designed to be easy to configure for your specific needs. Cold Turkey is a lightweight software application built specifically for helping you block various online websites, such as Facebook, Twitter, YouTube, MySpace, Reddit, and Wikipedia, as well as programs Windows 8, Windows 7, Windows Vista, Windows XP. It has the capability of blocking various websites and Internet/Network applications (especially web browsers) in custom periods of time, in order to avoid interruptions, and to finish tasks you planned more intently Cold Turkey Blocker (formerly called Cold Turkey) is a practical tool for temporarily restricting Internet access. Read documentation on vendor website for setup, etc.
#YUMMY FTP PRO CRASH UPGRADE#
Search the Upgrade button, and press Activate button. Close Cold Turkey Blocker (you can use ProcessHacker).
#YUMMY FTP PRO CRASH INSTALL#
Download file from: Cold Turkey Blocker v4.0 Install the soft.
Cold Turkey Blocker Pro Crack is network software that can block ads & adult materials & havee several reasons why websites should be blocked.
Only Cold Turkey Blocker lets you block applications, the whole internet, and even your entire computer Any website blocker can block Facebook, Reddit and Youtube. In the pro version, you can also lock a block using a password or during active scheduled blocks.
You can choose to lock your block: until a specified time or time window everyday, until a restart, or until you type a customizable amount of random text.
#YUMMY FTP PRO CRASH CRACKED#
Home Cold Turkey Blocker Pro Crack Cold Turkey v4.2 Cracked By Abo Jamal - Ma-x Grou

Link
Metin 2 TR: processhacker-2.39: download the yang bot, 7x pull, farm bot cheat file for free
Text
Original Post from Trend Micro Author: Trend Micro
by Noel Anthony Llimos and Michael Jhon Ofiaza (Threats Analysts)
We have been tracking Trickbot banking trojan activity and recently discovered a variant of the malware (detected by Trend Micro as TrojanSpy.Win32.TRICKBOT.TIGOCDC) from distributed spam emails that contain a Microsoft Word document with enabled macro. Once the document is clicked, it drops a heavily obfuscated JS file (JavaScript) that downloads Trickbot as its payload. This malware also checks for the number of running processes in the affected machine; if it detects that it’s in an environment with limited processes, the malware will not proceed with its routine as it assumes that it is running in a virtual environment.
Aside from its information theft capabilities, it also deletes files located in removable and network drives that have particular extensions, after which the files are replaced with a copy of the malware. Based on our telemetry, this Trickbot campaign has affected the United States the most. It has also distributed spam to China, Canada, and India.
Figure 1. Infection chain
In a sample email, the spam purports to be a subscription notification involving advertising providers, even telling the user that it submitted an application for a three-year subscription and settled a sum of money with the sender. The mail then explains that several more fees will be charged to the user’s card in the coming transactions. It ends by prompting the user to see the attached document for all the settlement and subscription information. The document in question contains the malicious script.
The distributed Word document presents the user with the following notification (see Figure 2), which states that the content can be viewed by enabling macro content. It’s worth noting that the document hides the JS script in the document itself and not in the macro, disguising the script by giving it the same font color as the document background.
Figure 2. Document asking users to enable macro
The script is obfuscated and contains different functions. In order to decrypt a function, it will use another function that will convert it to a single character.
Figure 3. Function for decryption
Upon successfully deobfuscating the file, we were able to analyze it and observed some interesting behaviors. Upon execution, it displays a fake Microsoft error message that pops up after the macro is enabled, to trick the user; in reality, the JS file is already running in the background.
Figure 4. Fake Microsoft error
For persistence, the malware creates a copy of itself in the Startup folder as Shell.jse. The JS file also checks the running processes. Particularly notable is the malware’s anti-analysis (evasion) characteristic: it checks the total number of running processes on the victim’s machine and will not proceed with its execution if there are not enough processes running.
If the string of running processes is under 1,400 characters in length, the malware takes this as an indicator that it is running in a virtual or sandbox environment. It also checks for the existence of processes usually used for analysis. Aside from these, the malware inspects whether the environment it runs in is associated with specific usernames.
Figure 5. A snippet of checked processes and usernames
Figure 6. Code error shown if anything matches the check
Here’s a list of processes and debugging tools the malware checks for in the affected system:
AgentSimulator.exe
B.exe
BehaviorDumper
BennyDB.exe
ctfmon.exe
DFLocker64
FrzState2k
qemu-ga.exe
iexplore.exe
ImmunityDebugger
LOGSystem.Agent.Service.exe
lordPE.exe
ProcessHacker
procexp
Procmon
PROCMON
Proxifier.exe
tcpdump
VBoxService
VBoxTray.exe
vmtoolsd
vmware
VzService.exe
windanr.exe
Wireshark
Upon further analysis, we’ve also compiled the usernames the malware checks for based on the following strings:
Emily
HAPUBWS
Hong Lee
Johnson
milozs
Peter Wilson
SystemIT | admin
VmRemoteGuest
WIN7-TRAPS
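The three sandbox checks described above, modelled as an added example so a sandbox operator can test a snapshot of their own environment against them (this is not Trend Micro's code or the malware's; the lists and the 1,400-character figure are the post's, while the space-joined string shape and case-insensitive substring matching are assumptions made here):

```python
"""Model of the sandbox checks the post attributes to the Trickbot JS downloader.

Added example (not Trend Micro's code and not the malware's). The process and
username lists are the ones printed in the post and the 1,400-character threshold
is the post's figure; how the malware builds the string (names joined by single
spaces) and that it matches names as case-insensitive substrings are assumptions.
"""
from dataclasses import dataclass, field

MIN_PROCESS_STRING_LEN = 1400  # post: a shorter process string => assumed sandbox

# Process names the post says the malware looks for (Procmon listed once here).
ANALYSIS_PROCESSES = [
    "AgentSimulator.exe", "B.exe", "BehaviorDumper", "BennyDB.exe", "ctfmon.exe",
    "DFLocker64", "FrzState2k", "qemu-ga.exe", "iexplore.exe", "ImmunityDebugger",
    "LOGSystem.Agent.Service.exe", "lordPE.exe", "ProcessHacker", "procexp",
    "Procmon", "Proxifier.exe", "tcpdump", "VBoxService", "VBoxTray.exe",
    "vmtoolsd", "vmware", "VzService.exe", "windanr.exe", "Wireshark",
]

# Usernames from the post; "SystemIT | admin" is split into two entries (assumption).
SUSPECT_USERNAMES = [
    "Emily", "HAPUBWS", "Hong Lee", "Johnson", "milozs", "Peter Wilson",
    "SystemIT", "admin", "VmRemoteGuest", "WIN7-TRAPS",
]


@dataclass
class Verdict:
    looks_like_sandbox: bool
    reasons: list = field(default_factory=list)


def process_string(process_names):
    """Assumed shape of the string whose length the malware measures."""
    return " ".join(process_names)


def evaluate(process_names, username):
    """Run the three checks; any hit means the downloader would stop here."""
    reasons = []
    joined = process_string(process_names)
    if len(joined) < MIN_PROCESS_STRING_LEN:
        reasons.append(f"process string is {len(joined)} chars, below {MIN_PROCESS_STRING_LEN}")
    lowered = [p.lower() for p in process_names]
    for marker in ANALYSIS_PROCESSES:
        hit = next((p for p in lowered if marker.lower() in p), None)
        if hit:
            reasons.append(f"analysis process present: {hit} (matches {marker})")
    for name in SUSPECT_USERNAMES:
        if name.lower() in username.lower():
            reasons.append(f"username {username!r} matches {name!r}")
    return Verdict(bool(reasons), reasons)


def sample_workstation():
    """Constructed snapshot of an ordinary Windows desktop (many svchost instances)."""
    base = [
        "System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
        "winlogon.exe", "explorer.exe", "dwm.exe", "taskhostw.exe", "sihost.exe",
        "RuntimeBroker.exe", "SearchIndexer.exe", "spoolsv.exe", "OneDrive.exe",
        "chrome.exe", "chrome.exe", "chrome.exe", "OUTLOOK.EXE", "Teams.exe",
    ]
    return base + ["svchost.exe"] * 120


def sample_sandbox():
    """Constructed snapshot of a bare VirtualBox analysis VM."""
    return [
        "System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
        "winlogon.exe", "explorer.exe", "svchost.exe", "svchost.exe", "VBoxService",
        "VBoxTray.exe", "wscript.exe",
    ]


if __name__ == "__main__":
    for label, procs, user in (("workstation", sample_workstation(), "jsmith"),
                               ("sandbox", sample_sandbox(), "Peter Wilson")):
        verdict = evaluate(procs, user)
        print(label, "-> sandbox" if verdict.looks_like_sandbox else "-> proceeds", verdict.reasons)
```

Note that the post's list includes ctfmon.exe and iexplore.exe, which are ordinary Windows processes, so a snapshot containing either of them also trips the process check as the list is printed.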
For the malware’s payload, it will connect to the URL hxxps://185[.]159[.]82[.]15/hollyhole/c644[.]php then checks for the file to be downloaded. If it is an executable file, it will save the file to %Temp% as {random}.exe and execute it afterwards. If the file is not an executable, it will then save it as {random}.cro in the same folder. The .cro file will then be decoded using certutil.exe, saved as {random}.exe in the same directory, and executed. Upon further research, we discovered that the downloaded .exe file is a variant of the Trickbot malware.
Figure 7. The file is saved, random names get generated, and .cro is decoded using certutil.exe
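A detection for the certutil.exe decode step just described, written as an added example (not Trend Micro's code); it assumes process-creation events have already been flattened into constructed "key=value" pairs separated by "|", and that %Temp% appears in the logged command line expanded to a path containing "\Temp\":

```python
"""Flag certutil.exe decoding a staged payload under %Temp%, the step the post
describes (.cro in %Temp% -> certutil -decode -> {random}.exe -> execute).

Added example, not Trend Micro's code. Assumptions: events arrive as
"key=value|key=value" lines (constructed format) and %Temp% is already expanded
in the logged command line. The sample events and file names are constructed.
"""
import re

TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)   # ...\AppData\Local\Temp\ or C:\Windows\Temp\
DECODE_SWITCHES = {"decode", "decodehex"}


def parse_event(line):
    """'k1=v1|k2=v2' -> dict; only the first '=' in each pair splits key from value."""
    event = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def certutil_decode_finding(event):
    """Return a finding dict if this event is certutil decoding under Temp, else None."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\certutil.exe"):
        return None
    args = event.get("CommandLine", "").split()   # assumption: no quoted paths in the sample
    switches = {a.lstrip("-/").lower() for a in args[1:]}
    if not switches & DECODE_SWITCHES:
        return None
    temp_paths = [a for a in args[1:] if TEMP_PATH.search(a)]
    if not temp_paths:
        return None
    # The post's chain reads {random}.cro and writes {random}.exe in the same folder.
    lowered = [p.lower() for p in temp_paths]
    severity = "high" if any(p.endswith((".exe", ".cro")) for p in lowered) else "medium"
    return {
        "severity": severity,
        "parent": event.get("ParentImage", ""),
        "paths": temp_paths,
    }


def scan(lines):
    """Apply the rule to every event line; returns findings in input order."""
    findings = []
    for line in lines:
        finding = certutil_decode_finding(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events; the random-looking file names are invented for the example.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Windows\System32\certutil.exe|"
    r"CommandLine=certutil -decode C:\Users\alice\AppData\Local\Temp\k3j9x.cro C:\Users\alice\AppData\Local\Temp\p0q2z.exe",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\certutil.exe|"
    r"CommandLine=certutil -verify C:\Users\alice\Downloads\partner.cer",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|"
    r"CommandLine=certutil -decode C:\Users\alice\Documents\blob.txt C:\Users\alice\Documents\blob.bin",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|"
    r"CommandLine=notepad C:\Users\alice\AppData\Local\Temp\notes.txt",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|"
    r"CommandLine=certutil /decode C:\Windows\Temp\update.b64 C:\Windows\Temp\update.bin",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["parent"], finding["paths"])
```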
Aside from stealing system information such as OS, CPU, and memory information; user accounts; installed programs and services; IP configuration; and network information (configuration, users, and domain settings), this Trickbot variant also gathers the following credentials and information from applications and internet browsers.
Application credentials
Filezilla
Microsoft Outlook
PuTTy
Remote Desktop (RDP)
VNC
WinSCP
Browser credentials and information (Google Chrome, Internet Explorer, Microsoft Edge, and Mozilla Firefox)
Autofills
Billing info data
Browsing history
Credit card data
HTTP POST responses
Internet cookies
Usernames and passwords
This malware also uses a point-of-sale (PoS) extraction module called psfin32, which identifies PoS-related terms located in the domain of interest. The module uses LDAP queries to search for PoS information on machines with the following substrings:
*ALOHA*
*BOH*
*CASH*
*LANE*
*MICROS*
*POS*
*REG*
*RETAIL*
*STORE*
*TERM*
The variant also appears to drop shadnewdll, a proxy module that intercepts and modifies web traffic on an affected device to create fraudulent bank transactions over the network. Additionally, according to security researcher Brad Duncan, the module shares similarities with the banking trojan IcedID, which redirects victims to fake online banking sites or attaches to a browser process to inject fake content in phishing schemes.
In cases where the malware fails to connect, it will search for files with the following extensions on removable and network drives. These extensions are file types used by Microsoft Office and OpenDocument:
.doc
.xls
.pdf
.rtf
.txt
.pub
.odt
.ods
.odp
.odm
.odc
.odb
Files with the aforementioned extensions will be saved in the %Temp% folder as ascii.txt. The said files will then all be deleted and replaced with a copy of the malware using the extension .jse (which is actually a JS file).
Figure 8. Scanning for files and replacing it with a copy of itself
Defending Against Trickbot: Trend Micro Recommendations and Solutions
Information-stealing malware Trickbot has become a cybercriminal mainstay for infecting machines and compromising emails, and has been used to reportedly steal more than 250 million accounts. This new development shows how cybercriminals can constantly tweak an existing banking trojan to add new capabilities. Users, however, can prevent these attacks by simply following best practices against spam. Aside from awareness of the telltale signs of a spam email such as suspicious sender address and glaring grammatical errors, we also recommend that users refrain from opening email attachments from unverified sources.
Users and enterprises can also benefit from protection that uses a multilayered approach against risks brought by threats like Trickbot. We recommend employing endpoint application control that reduces attack exposure by ensuring only files, documents, and updates associated with whitelisted applications and sites can be installed, downloaded, and viewed. Endpoint solutions powered by XGen security such as Trend Micro Security and Trend Micro Network Defense can detect related malicious files and URLs and protect users’ systems. Trend Micro Smart Protection Suites and Trend Micro Worry-Free Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files such as the document and JS file involved in this campaign, as well as blocking all related malicious URLs.
The Trend Micro Deep Discovery Inspector protects customers from threats that may lead to C&C connection and data exfiltration via these DDI rules:
1645: Possible Self-Signed SSL certificate detected
2780: TRICKBOT – HTTP (Request)
Indicators of Compromise (IoCs)
Check Point Research also tweeted about this campaign last July.
The post Latest Trickbot Campaign Delivered via Highly Obfuscated JS File appeared first on .
Photo
ProcessHacker: monitor system resources, debug software and detect malware
Text
Original Post from Security Affairs Author: Pierluigi Paganini
BlackBerry Cylance has addressed a bypass vulnerability recently discovered in its AI-based antivirus engine CylancePROTECT product.
Experts at cybersecurity firm Skylight announced last week that they had devised a method to bypass BlackBerry Cylance’s AI-based antivirus engine; the company has now addressed the issue with an update and attempted to downplay its impact.
They discovered that the AI-based engine appeared to give special treatment to the files associated with a popular unnamed videogame.
The experts took specific strings from the game’s executable and appended them to known malicious files to disguise them.
“We chose Cylance for practical reasons, namely, it is publicly available and widely regarded as a leading vendor in the field,” reads a post published by Skylight. “However, we believe that the process presented in this post can be translated to other pure AI products as well.”
Skylight tested the universal bypass technique with popular hacking tools such as Mimikatz, ProcessHacker and Meterpreter, and with well-known malware such as CoinMiner, Dridex, Emotet, Gh0stRAT, Kovter, Nanobot, Qakbot, Trickbot, and Zeus. The results were disconcerting: the technique achieved a success rate of over 83% in bypassing the Cylance engine when tested against 384 malicious files. In most cases the files were rated as harmless.
Skylight publicly disclosed the issue without giving BlackBerry Cylance time to address the flaw with a security patch; Cylance nevertheless investigated the problem over the weekend.
The vendor explained that the technique could not be classified as a universal bypass.
“On July 18th, researchers publicly disclosed a specific bypass of CylancePROTECT®.” reads the post published by Cylance. “We verified the issue was not a universal bypass as reported, but rather a technique that allowed for one of the anti-malware components of the product to be bypassed in certain circumstances. The issue has been resolved for cloud-based scoring and a new agent will be rolled out to endpoints in the next few days.”
The vendor added that the issue, in limited circumstances, could be used to manipulate the type of features analyzed by the engine.
“Features can be any aspect of a file which can be interpreted or measured. These features are then passed to a mathematical algorithm for analysis.” continues Cylance.
“This vulnerability allows the manipulation of a specific type of feature analyzed by the algorithm that in limited circumstances will cause the model to reach an incorrect conclusion.”
BlackBerry Cylance has implemented changes to the algorithm that should detect feature manipulation. An update has already been pushed to the systems, and the company plans to release a new agent to its endpoints over the next few days.
Pierluigi Paganini
(SecurityAffairs – Cylance AI-based antivirus engine, hacking)
The post BlackBerry Cylance addresses AI-based antivirus engine bypass appeared first on Security Affairs.
Text
Original Post from Security Affairs Author: Pierluigi Paganini
Some of the crooks behind the Dridex Trojan have split from the gang and released a forked version of the BitPaymer ransomware dubbed DoppelPaymer.
The cybercrime gang tracked as TA505 has been active since 2014, focusing on the retail and banking industries. The group, known for distributing the Dridex Trojan and the Locky ransomware, has released other pieces of malware including the tRat backdoor and the AndroMut downloader.
In mid-2017, the group released BitPaymer ransomware (aka FriedEx) that was used in attacks against high profile targets and organizations. The ransomware was being distributed through Remote Desktop Protocol (RDP) brute force attacks.
“CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.” reads the analysis published by CrowdStrike.
“We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER.”
Now experts found a new variant of the ransomware tracked as DoppelPaymer. The discovery suggests that some members of TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop a new malware.
The first variants of BitPaymer delivered a ransom note containing the ransom amount and the onion address of the payment portal. Later versions did not include this information; instead, the variant seen in the threat landscape since July 2018 included only two email addresses, to negotiate the ransom and to receive the payment instructions.
The latest variant observed by the experts in November 2018 includes the victim’s name in the ransom note, it also uses 256-bit AES in cipher block chaining (CBC) mode for encryption.
“Since the update in November 2018, INDRIK SPIDER has actively used the latest version of BitPaymer in at least 15 confirmed ransomware attacks. These attacks have continued throughout 2019, with multiple incidents occurring in June and July of 2019 alone.” continues the analysis.
According to the experts, DoppelPaymer was first used in a targeted attack in June 2019. Experts detected eight distinct malware builds that were used in attacks against at least three victims.
The ransom amounts demanded from the victims in these attacks varied, ranging from approximately $25,000 to $1,200,000 worth of Bitcoin.
The ransom note dropped by the DoppelPaymer ransomware doesn’t include the ransom amount, instead, it contains the onion address for a TOR-based payment portal that is identical to the original BitPaymer portal.
The authors of DoppelPaymer improved the source code of the BitPaymer.
“numerous modifications were made to the BitPaymer source code to improve and enhance DoppelPaymer’s functionality. For instance, file encryption is now threaded, which can increase the rate at which files are encrypted.” continues the report. “The network enumeration code was updated to parse the victim system’s Address Resolution Protocol (ARP) table, retrieved with the command arp.exe -a. The resulting IP addresses of other hosts on the local network are combined with domain resolution results via nslookup.exe.”
DoppelPaymer leverages ProcessHacker, a legitimate open-source administrative utility, to terminate processes and services that may interfere with the file encryption process.
“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019.” concludes CrowdStrike. “The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation.”
Pierluigi Paganini
(SecurityAffairs – DoppelPaymer ransomware, TA505)
The post DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape appeared first on Security Affairs.
Text
Original Post from FireEye Author: Kyle Wilhoit
The Syrian Electronic Army has made news for its recent attacks on major communications websites, Forbes, and an alleged attack on CENTCOM. While these attacks garnered public attention, the activities of another group – The Syrian Malware Team – have gone largely unnoticed. The group’s activities prompted us to take a closer look. We discovered this group using a .NET based RAT called BlackWorm to infiltrate their targets.
The Syrian Malware Team is largely pro-Syrian government, as seen in one of their banners featuring Syrian President Bashar al-Assad. Based on the sentiments publicly expressed by this group, it is likely that they are either directly or indirectly involved with the Syrian government. Further, certain members of the Syrian Malware Team have ties to the Syrian Electronic Army (SEA), known to be linked to the Syrian government. This indicates that the Syrian Malware Team may be an offshoot or part of the SEA.
Banner used by the Syrian Malware Team
BlackWorm Authorship
We found at least two distinct versions of the BlackWorm tool, including an original/private version (v0.3.0) and the Dark Edition (v2.1). The original BlackWorm builder was co-authored by Naser Al Mutairi from Kuwait, better known by his online moniker ‘njq8’. He is also known to have coded njw0rm, njRAT/LV, and earlier versions of H-worm/Houdini. We found his code being used in a slew of other RATs such as Fallaga and Spygate. BlackWorm v0.3.0 was also co-authored by another actor, Black Mafia.
About section within the original version of BlackWorm builder
Within the underground development forums, it’s common for threat actors to collaborate on toolsets. Some write the base tools that other attackers can use; others modify and enhance existing tools.
The BlackWorm builder v2.1 is a prime example of actors modifying and enhancing current RATs. After njq8 and Black Mafia created the original builder, another author, Black.Hacker, enhanced its feature set.
About section within BlackWorm Dark Edition builder
Black.Hacker’s banner on social media
As an interesting side note, ‘njq8’ took down his blog in recent months and announced a cease in all malware development activity on his Twitter and Facebook account, urging others to stop as well. This is likely a direct result of the lawsuit filed against him by Microsoft.
BlackWorm RAT Features
The builder for BlackWorm v0.3.0 is fairly simple and allows for very quick payload generation, but doesn’t allow any configuration other than the IP address for command and control (C2).
Building binary through BlackWorm v0.3.0
BlackWorm v0.3.0 controller
BlackWorm v0.3.0 supports the following commands between the controller and the implant:
ping: Checks if victim is online
closeserver: Exits the implant
restartserver: Restarts the implant
sendfile: Transfer and run file from server
download: Download and run file from URL
ddos: Ping flood target
msgbox: Message interaction with victim
down: Kill critical Windows processes
blocker: Block specified website by pointing resolution to 127.0.0.1
logoff: Log out of Windows
restart: Restart system
shutdown: Shutdown system
more: Disable task manager, registry tools, system restore. Also blocks keyboard and mouse input
hror: Displays a startling flash video
In addition to the features supported by the command structure, the payload can:
Seek and kill no-ip processes DUC30 and DUC20
Disable Task Manager to kill process dialog
Copy itself to USB drives and create autorun entries
Copy itself to common peer-to-peer (P2P) share locations
Collect system information such as OS, username, hostname, presence of camera, active window name, etc., to display in the controller
Kill the following analysis processes (if found):
procexp
SbieCtrl
SpyTheSpy
SpeedGear
Wireshark
MBAM
ApateDNS
IPBlocker
cPorts
ProcessHacker
AntiLogger
The Syrian Malware Team primarily uses another version of BlackWorm called the Dark Edition (v2.1). BlackWorm v2.1 was released on a prolific underground forum where information and code is often shared, traded and sold.
BlackWorm v2.1 has the same abilities as the original version plus additional functionality, including bypassing UAC, disabling host firewalls and spreading over network shares. Unlike its predecessor, it also allows for granular control of the features available within the RAT: these additional controls let the RAT user enable and disable features as needed. Binary output can also be generated in multiple formats, such as .exe, .src and .dll.
BlackWorm Dark Edition builder
Syrian Malware Team
We observed activity from the Syrian Malware Team going as far back as Jan. 1, 2011. Based on Facebook posts, they are allegedly directly or indirectly involved with the Syrian government. Their Facebook page shows they are still very active, with a post as recent as July 16th, 2014.
Syrian Malware Team’s Facebook page
The Syrian Malware Team has been involved in everything from profiling targets to orchestrating attacks themselves. There are seemingly multiple members, including:
https://www.facebook.com/hawk.syrian.9
https://www.facebook.com/kays.syr
Partial list of self-proclaimed Syrian Malware Team members
Some of these people have posted malware-related items on Facebook.
Facebook posting of virus scanning of files
While looking for Dark Edition samples, we discovered a binary named svchost.exe (MD5: 015c51e11e314ff99b1487d92a1ba09b). We quickly saw indicators that it was created by BlackWorm Dark Edition.
Configuration options within code
The malware communicated out to 178.44.115.196, over port 5050, with a command structure of:
!0/j|n12121212_64F3BF1F/j|n{Hostname}/j|n{Username}/j|nUSA/j|nWin 7 Professional SP1 x86/j|nNo/j|n2.4.0 [ Dark Edition]/j|n/j|n{ActiveWindowName}/j|n[endof]
When looking at samples of Dark Edition BlackWorm being used by the Syrian Malware Team, the strings “Syrian Malware,” or “Syrian Malware Team” are often used in the C2 communications or within the binary strings.
Additional pivoting off of svchost.exe brought us to three additional samples apparently built with BlackWorm Dark Edition. E.exe (MD5: a8cf815c3800202d448d035300985dc7), a binary that drew our attention, looked to be a backdoor with the Syrian Malware strings within it.
When executed, the binary beacons to aliallosh.sytes.net on port 1177. This C2 has been seen in multiple malware runs often associated with Syria. The command structure of the binary is:
!0/j|nSyrian Malware/j|n{Hostname}/j|n{Username}/j|nUSA/j|nWin 7 Professional SP1 x86/j|nNo/j|n
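A parser and triage check for the two beacon structures quoted above, written as an added example (not FireEye's code): the field labels are this example's own, inferred from the positions the post confirms (hostname, username, OS, active window), with "identifier", "country", "flag" and "unused" as assumed names for the other slots, and the sample beacons use constructed host and user values in place of the post's placeholders.

```python
"""Parser and detector for the BlackWorm check-in format quoted in the post
("!0" followed by fields separated by "/j|n", ending in "[endof]").

Added example, not FireEye's code. Field labels are assumptions made here from
the two beacons the post shows; sample beacons are constructed with placeholder
hostname/username values.
"""
PREFIX = "!0"
DELIM = "/j|n"
TERMINATOR = "[endof]"

# Slot labels (assumed), in the order the post's two beacons show them.
FIELD_NAMES = [
    "identifier",     # "12121212_64F3BF1F" or "Syrian Malware" in the post
    "hostname",
    "username",
    "country",        # "USA"
    "os",             # "Win 7 Professional SP1 x86"
    "flag",           # "No"; the post does not say what this slot reports
    "version",        # "2.4.0 [ Dark Edition]"
    "unused",         # empty in the post's sample
    "active_window",
]


def looks_like_blackworm(payload: str) -> bool:
    """Cheap triage test for a TCP payload (the post saw ports 5050 and 1177)."""
    return payload.startswith(PREFIX + DELIM) and payload.count(DELIM) >= 2


def parse_beacon(payload: str) -> dict:
    """Split a '!0' beacon into labelled fields; 'complete' is False without '[endof]'."""
    if not payload.startswith(PREFIX + DELIM):
        raise ValueError("not a BlackWorm '!0' beacon")
    body = payload[len(PREFIX + DELIM):]
    complete = body.endswith(DELIM + TERMINATOR)
    if complete:
        body = body[: -len(DELIM + TERMINATOR)]
    parts = body.split(DELIM)
    result = {name: (parts[i] if i < len(parts) else None)
              for i, name in enumerate(FIELD_NAMES)}
    result["extra"] = parts[len(FIELD_NAMES):]   # anything beyond the known slots
    result["complete"] = complete
    return result


# Constructed beacons; "WS-07" and "alice" stand in for {Hostname} and {Username}.
FULL_BEACON = (
    "!0/j|n12121212_64F3BF1F/j|nWS-07/j|nalice/j|nUSA/j|nWin 7 Professional SP1 x86"
    "/j|nNo/j|n2.4.0 [ Dark Edition]/j|n/j|nUntitled - Notepad/j|n[endof]"
)
# The second structure in the post is shown cut off, so it carries no terminator.
PARTIAL_BEACON = (
    "!0/j|nSyrian Malware/j|nWS-07/j|nalice/j|nUSA/j|nWin 7 Professional SP1 x86/j|nNo/j|n"
)

if __name__ == "__main__":
    for beacon in (FULL_BEACON, PARTIAL_BEACON):
        print(looks_like_blackworm(beacon), parse_beacon(beacon))
```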