14,237 research outputs found
On the Reverse Engineering of the Citadel Botnet
Citadel is an advanced information-stealing malware which targets financial
information. This malware poses a real threat against the confidentiality and
integrity of personal and business data. A joint operation was recently
conducted by the FBI and the Microsoft Digital Crimes Unit in order to take
down Citadel command-and-control servers. The operation caused some disruption
in the botnet but has not stopped it completely. Due to the complex structure
and advanced anti-reverse engineering techniques, the Citadel malware analysis
process is both challenging and time-consuming. This allows cyber criminals to
carry on with their attacks while the analysis is still in progress. In this
paper, we present the results of the Citadel reverse engineering and provide
additional insight into the functionality, inner workings, and open source
components of the malware. In order to accelerate the reverse engineering
process, we propose a clone-based analysis methodology. Citadel is an offspring
of a previously analyzed malware called Zeus; thus, using the former as a
reference, we can measure and quantify the similarities and differences of the
new variant. Two types of code analysis techniques are provided in the
methodology, namely assembly to source code matching and binary clone
detection. The methodology can help reduce the number of functions requiring
manual analysis. The analysis results prove that the approach is promising in
Citadel malware analysis. Furthermore, the same approach is applicable to
similar malware analysis scenarios.
Comment: 10 pages, 17 figures. This is an updated / edited version of a paper
appeared in FPS 201
The hyaluronan-binding serine protease from human plasma cleaves HMW and LMW kininogen and releases bradykinin
The influence of the hyaluronan-binding protease (PHBSP), a plasma enzyme with FVII- and pro-urokinase-activating potency, on components of the contact phase (kallikrein/kinin) system was investigated. No activation or cleavage of the proenzymes involved in the contact phase system was observed. The procofactor high molecular weight kininogen (HK), however, was cleaved in vitro by PHBSP in the absence of any charged surface, releasing the activated cofactor and the vasoactive nonapeptide bradykinin. Glycosaminoglycans strongly enhanced the reaction. The cleavage was comparable to that of plasma kallikrein, but clearly different from that of coagulation factor FXIa. Upon extended incubation with PHBSP, the light chain was further processed, partially removing about 60 amino acid residues from the N-terminus of domain D5 of the light chain. These cleavage site(s) were distinct from plasma kallikrein or FXIa cleavage sites. PHBSP and, more interestingly, also plasma kallikrein could cleave low molecular weight kininogen in vitro, indicating that domains D5(H) and D6(H) are no prerequisite for kininogen cleavage. PHBSP was also able to release bradykinin from HK in plasma where the pro-cofactor circulates predominantly in complex with plasma kallikrein or FXI. In conclusion, PHBSP represents a novel kininogen-cleaving and bradykinin-releasing enzyme in plasma that shares significant catalytic similarities with plasma kallikrein. Since they are structurally unrelated in their heavy chains (propeptide), their similar in vivo catalytic activities might be directed at distinct sites where PHBSP could induce processes that are related to the kallikrein/kinin system
Weak Lensing Reconstruction and Power Spectrum Estimation: Minimum Variance Methods
Large-scale structure distorts the images of background galaxies, which
allows one to measure directly the projected distribution of dark matter in the
universe and determine its power spectrum. Here we address the question of how
to extract this information from the observations. We derive minimum variance
estimators for projected density reconstruction and its power spectrum and
apply them to simulated data sets, showing that they give a good agreement with
the theoretical minimum variance expectations. The same estimator can also be
applied to the cluster reconstruction, where it remains a useful reconstruction
technique, although it is no longer optimal for every application. The method
can be generalized to include nonlinear cluster reconstruction and photometric
information on redshifts of background galaxies in the analysis. We also
address the question of how to obtain directly the 3-d power spectrum from the
weak lensing data. We derive a minimum variance quadratic estimator, which
maximizes the likelihood function for the 3-d power spectrum and can be
computed either from the measurements directly or from the 2-d power spectrum.
The estimator correctly propagates the errors and provides a full correlation
matrix of the estimates. It can be generalized to the case where redshift
distribution depends on the galaxy photometric properties, which allows one to
measure both the 3-d power spectrum and its time evolution.
Comment: revised version, 36 pages, AAS LaTeX, submitted to Ap
Weak lensing mass reconstruction of the interacting cluster 1E0657-558: Direct evidence for the existence of dark matter
We present a weak lensing mass reconstruction of the interacting cluster
1E0657-558 in which we detect both the main cluster and a sub-cluster. The
sub-cluster is identified as a smaller cluster which has just undergone initial
in-fall and pass-through of the primary cluster, and has been previously
identified in both optical surveys and X-ray studies. The X-ray gas has been
separated from the galaxies by ram-pressure stripping during the pass-through.
The detected mass peak is located between the X-ray peak and galaxy
concentration, although the position is consistent with the galaxy centroid
within the errors of the mass reconstruction. We find that the mass peak for
the main cluster is in good spatial agreement with the cluster galaxies and
offset from the X-ray halo at 3.4 sigma significance, and determine that the
mass-to-light ratios of the two components are consistent with those of relaxed
clusters. The observed offsets of the lensing mass peaks from the peaks of the
dominant visible mass component (the X-ray gas) directly demonstrate the
presence, and dominance, of dark matter in this cluster. This proof of the dark
matter existence holds true even under the assumption of modified Newtonian
gravity (MOND); from the observed gravitational shear to optical light ratios
and mass peak - X-ray gas offsets, the dark matter component in a MOND regime
has a total mass which is at least equal to the baryonic mass of the system.
Comment: 8 pages, 4 figure, accepted by Ap
HST/ACS weak lensing analysis of the galaxy cluster RDCS 1252.9-2927 at z=1.24
We present a weak lensing analysis of one of the most distant massive galaxy
clusters known, RDCS 1252.9-2927 at z=1.24, using deep images from the Advanced
Camera for Surveys (ACS) on board the Hubble Space Telescope (HST). By taking
advantage of the depth and of the angular resolution of the ACS images, we
detect for the first time at z>1 a clear weak lensing signal in both the i
(F775W) and z (F850LP) filters. We measure a 5-\sigma signal in the i band and
a 3-\sigma signal in the shallower z band image. The two radial mass profiles
are found to be in very good agreement with each other, and provide a
measurement of the total mass of the cluster inside a 1Mpc radius of M(<1Mpc) =
(8.0 +/- 1.3) x 10^14 M_\odot in the current cosmological concordance model h
=0.70, \Omega_m=0.3, \Omega_\Lambda=0.7, assuming a redshift distribution of
background galaxies as inferred from the Hubble Deep Fields surveys. A weak
lensing signal is detected out to the boundary of our field (3' radius,
corresponding to 1.5Mpc at the cluster redshift). We detect a small offset
between the centroid of the weak lensing mass map and the brightest cluster
galaxy, and we discuss the possible origin of this discrepancy. The cumulative
weak lensing radial mass profile is found to be in good agreement with the
X-ray mass estimate based on Chandra and XMM-Newton observations, at least out
to R_500=0.5Mpc.
Comment: 38 pages, ApJ in press. Full resolution images available at
http://www.eso.org/~prosati/RDCS1252/Lombardi_etal_accepted.pd
Galaxies at z=4 and the Formation of Population II
We report the discovery of four high-redshift objects (3.3 < z < 4) observed
behind the rich cluster CL0939+4713 (Abell 851). One object (DG 433) has a
redshift of z=3.3453; the other three objects have redshifts of z\approx 4: A0
at z=3.9819, DG 353 and P1/P2 at z=3.9822. It is possible that all four objects
are being lensed in some way by the cluster, DG 433 being weakly sheared, A0
being strongly sheared, and DG 353 and P1/P2 being an image pair of a common
source object; detailed modelling of the cluster potential will be necessary to
confirm this hypothesis. The weakness of common stellar wind features like N V
and especially C IV in the spectra of these objects argues for sub-solar
metallicities, at least as low as the SMC. DG 353 and DG 433, which have
ground-based colors, are moderately dusty [E_{int}(B-V) < 0.15], similar to
other z>3 galaxies. Star formation rates range from 2.5 (7.8) h^{-2} to 22.
(78.) h^{-2} M_{\odot}/yr, for q_0=0.5 (0.05), depending on assumptions about
gravitational lensing and extinction, also typical of other z>3 galaxies. These
objects are tentatively identified as the low-metallicity proto-spheroid clumps
that will merge to form the Population II components of today's spheroids.
Comment: 16 pages, including 2 PostScript figures. Needs aaspp4.sty
(included). Accepted for publication in the Astrophysical Journa
Electronic doping of graphene by deposited transition metal atoms
We perform a phenomenological analysis of the problem of the electronic
doping of a graphene sheet by deposited transition metal atoms, which aggregate
in clusters. The sample is placed in a capacitor device such that the
electronic doping of graphene can be varied by the application of a gate
voltage and such that transport measurements can be performed via the
application of a (much smaller) voltage along the graphene sample, as reported
in the work of Pi et al. [Phys. Rev. B 80, 075406 (2009)]. The analysis allows
us to explain the thermodynamic properties of the device, such as the level of
doping of graphene and the ionisation potential of the metal clusters in terms
of the chemical interaction between graphene and the clusters. We are also
able, by modelling the metallic clusters as perfect conducting spheres, to
determine the scattering potential due to these clusters on the electronic
carriers of graphene and hence the contribution of these clusters to the
resistivity of the sample. The model presented is able to explain the
measurements performed by Pi et al. on Pt-covered graphene samples at the
lowest metallic coverages measured and we also present a theoretical argument
based on the above model that explains why significant deviations from such a
theory are observed at higher levels of coverage.
Comment: 16 pages, 10 figure
Single Proton Knock-Out Reactions from 24,25,26F
The cross sections of the single proton knock-out reactions from 24F, 25F,
and 26F on a 12C target were measured at energies of about 50 MeV/nucleon.
Ground state populations of 6.6+-.9 mb, 3.8+-0.6 mb for the reactions
12C(24F,23O) and 12C(25F,24O) were extracted, respectively. The data were
compared to calculations based on the many-body shell model and the eikonal
theory. In the reaction 12C(26F,25O) the particle instability of 25O was
confirmed
Weak Lensing Analysis of the z~0.8 cluster CL 0152-1357 with the Advanced Camera for Surveys
We present a weak lensing analysis of the X-ray luminous cluster CL 0152-1357
at z~0.84 using HST/ACS observations. The unparalleled resolution and
sensitivity of ACS enable us to measure weakly distorted, faint background
galaxies to the extent that the number density reaches ~175 arcmin^-2. The PSF
of ACS has a complicated shape that also varies across the field. We construct
a PSF model for ACS from an extensive investigation of 47 Tuc stars in a
modestly crowded region. We show that this model PSF excellently describes the
PSF variation pattern in the cluster observation when a slight adjustment of
ellipticity is applied. The high number density of source galaxies and the
accurate removal of the PSF effect through moment-based deconvolution allow us
to restore the dark matter distribution of the cluster in great detail. The
direct comparison of the mass map with the X-ray morphology from Chandra
observations shows that the two peaks of intracluster medium traced by X-ray
emission are lagging behind the corresponding dark matter clumps, indicative of
an on-going merger. The overall mass profile of the cluster can be well
described by an NFW profile with a scale radius of r_s =309+-45 kpc and a
concentration parameter of c=3.7+-0.5. The mass estimates from the lensing
analysis are consistent with those from X-ray and Sunyaev-Zeldovich analyses.
The predicted velocity dispersion is also in good agreement with the
spectroscopic measurement from VLT observations. In the adopted WMAP cosmology,
the total projected mass and the mass-to-light ratio within 1 Mpc are estimated
to be 4.92+-0.44 10^14 solar mass and 95+-8 solar mass/solar luminosity,
respectively.
Comment: Accepted for publication in Astrophysical Journal. 58 pages, 26
figures. Figures have been degraded to meet size limit; a higher resolution
version available at http://acs.pha.jhu.edu/~mkjee/ms_cl0152.pd
Mining the gap: evolution of the magnitude gap in X-ray galaxy groups from the 3 square degree XMM coverage of CFHTLS
We present a catalog of 129 X-ray galaxy groups, covering a redshift range
0.04<z<1.23, selected in the ~3 square degree part of the CFHTLS W1 field
overlapping XMM observations performed under the XMM-LSS project. We carry out
a statistical study of the redshift evolution out to redshift one of the
magnitude gap between the first and the second brightest cluster galaxies of a
well defined mass-selected group sample. We find that the slope of the relation
between the fraction of groups and the magnitude gap steepens with redshift,
indicating a larger fraction of fossil groups at lower redshifts. We find that
22.26% of our groups at z0.6 are fossil groups. We compare our
results with the predictions of three semi-analytic models based on the
Millennium simulation. The intercept of the relation between the magnitude of
the brightest galaxy and the value of magnitude gap becomes brighter with
increasing redshift. This trend is steeper than the model predictions which we
attribute to the younger stellar age of the observed brightest cluster
galaxies. This trend argues in favor of stronger evolution of the feedback from
active galactic nuclei at z<1 compared to the models. The slope of the relation
between the magnitude of the brightest cluster galaxy and the value of the gap
does not evolve with redshift and is well reproduced by the models, indicating
that the tidal galaxy stripping, put forward as an explanation of the
occurrence of the magnitude gap, is both a dominant mechanism and is
sufficiently well modeled
