
    On the Reverse Engineering of the Citadel Botnet

    Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat to the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to its complex structure and advanced anti-reverse-engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly-to-source-code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results show that the approach is promising for Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios. Comment: 10 pages, 17 figures. This is an updated / edited version of a paper that appeared in FPS 201
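    The binary clone detection step of the abstract above, as an added illustration that is not the authors' tooling: each function of a reference binary (the Zeus role) and of a target binary (the Citadel role) is reduced to a normalised instruction stream in which registers, immediates, addresses and symbol names are masked, then functions are compared by Jaccard similarity of their instruction n-grams. Target functions whose best reference match clears a threshold are triaged as likely clones; the rest are the ones left for manual analysis. The x86 Intel-syntax listings, function names, the n-gram size and the 0.5 threshold are all constructed assumptions for this example.

```python
import re

# Masks applied to each instruction so that register renaming, relocated
# addresses and changed constants between builds do not defeat the match.
_REG = re.compile(r"\b(e?[abcd]x|[abcd][lh]|e?[sd]i|e?[bs]p|r\d+[dwb]?)\b")
_SYM = re.compile(r"\b(sub|loc)_[0-9a-f]+\b")
_IMM = re.compile(r"\b(0x[0-9a-f]+|\d+)\b")


def normalize(instr: str) -> str:
    """Canonicalise one disassembled x86 instruction (Intel syntax)."""
    s = instr.split(";")[0].strip().lower()  # drop a trailing comment
    s = _REG.sub("REG", s)
    s = _SYM.sub("SYM", s)
    s = _IMM.sub("IMM", s)
    return re.sub(r"\s+", " ", s)


def ngrams(body, n=3):
    """Set of n-grams over the normalised instruction stream of one function."""
    norm = [normalize(i) for i in body]
    if not norm:
        return set()
    n = min(n, len(norm))
    return {tuple(norm[i:i + n]) for i in range(len(norm) - n + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def match_functions(reference, target, n=3, threshold=0.5):
    """Triage every target function against the reference binary.

    Returns (clones, manual): `clones` maps a target function to its best
    reference match and similarity score; `manual` lists the target functions
    with no match at or above `threshold`, i.e. the work left for an analyst.
    """
    ref_grams = {name: ngrams(body, n) for name, body in reference.items()}
    clones, manual = {}, []
    for tname, tbody in target.items():
        tg = ngrams(tbody, n)
        best_name, best = None, -1.0
        for rname, rg in ref_grams.items():
            score = jaccard(tg, rg)
            if score > best:
                best_name, best = rname, score
        if best_name is not None and best >= threshold:
            clones[tname] = (best_name, best)
        else:
            manual.append(tname)
    return clones, manual


# Constructed disassembly for the reference binary (Zeus role).
REFERENCE = {
    "xor_decrypt": [
        "push ebp", "mov ebp, esp", "mov ecx, [ebp+0x8]", "mov edx, [ebp+0xc]",
        "xor eax, eax", "mov bl, [ecx+eax]", "xor bl, [edx+eax]",
        "mov [ecx+eax], bl", "inc eax", "cmp eax, 0x40", "jl 0x401010",
        "pop ebp", "ret",
    ],
    "checksum": [
        "push esi", "mov esi, [esp+0x8]", "mov ecx, [esp+0xc]", "xor eax, eax",
        "mov dl, [esi]", "add eax, edx", "rol eax, 0x5", "inc esi", "dec ecx",
        "jnz 0x401120", "call sub_401300", "pop esi", "ret",
    ],
}

# Constructed disassembly for the target binary (Citadel role): one function
# re-registered with a changed loop increment, one only re-registered and
# rebased, and one with no counterpart in the reference.
TARGET = {
    "decrypt_buf": [
        "push ebp", "mov ebp, esp", "mov esi, [ebp+0x8]", "mov edi, [ebp+0xc]",
        "xor eax, eax", "mov bl, [esi+eax]", "xor bl, [edi+eax]",
        "mov [esi+eax], bl", "add eax, 0x1", "cmp eax, 0x100", "jl 0x402010",
        "pop ebp", "ret",
    ],
    "hash_block": [
        "push edi", "mov edi, [esp+0x8]", "mov ecx, [esp+0xc]", "xor eax, eax",
        "mov bl, [edi]", "add eax, ebx", "rol eax, 0x7", "inc edi", "dec ecx",
        "jnz 0x402120", "call sub_402300", "pop edi", "ret",
    ],
    "rc4_key_sched": [
        "push ebp", "mov ebp, esp", "sub esp, 0x100", "lea edi, [ebp-0x100]",
        "xor ecx, ecx", "mov [edi+ecx], cl", "inc ecx", "cmp ecx, 0x100",
        "jb 0x402030", "leave", "ret",
    ],
}


def triage_demo():
    return match_functions(REFERENCE, TARGET)


if __name__ == "__main__":
    clones, manual = triage_demo()
    for name, (ref, score) in clones.items():
        print(f"{name:15s} ~ {ref:15s} jaccard={score:.3f}")
    print("needs manual analysis:", manual)
```

The masking is deliberately coarse: it keeps the control-flow skeleton (mnemonics and operand shapes) and throws away everything a recompile or a fork is likely to change. The price is false positives on boilerplate such as prologues and epilogues, which is why the score is taken over whole functions rather than individual instructions and why matches near the threshold still deserve a glance.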

    Physical and dynamical characterisation of low Delta-V NEA (190491) 2000 FJ10

    We investigated the physical properties and dynamical evolution of Near Earth Asteroid (NEA) (190491) 2000 FJ10 in order to assess the suitability of this accessible NEA as a space mission target. Photometry and colour determination were carried out with the 1.54 m Kuiper Telescope and the 10 m Southern African Large Telescope during the object's recent favourable apparition in 2011-12. During the earlier 2008 apparition, a spectrum of the object in the 6000-9000 Angstrom region was obtained with the 4.2 m William Herschel Telescope. Interpretation of the observational results was aided by numerical simulations of 1000 dynamical clones of 2000 FJ10 up to 10^6 yr in the past and in the future. The asteroid's spectrum and colours determined by our observations suggest a taxonomic classification within the S-complex, although other classifications (V, D, E, M, P) cannot be ruled out. On this evidence, it is unlikely to be a primitive, relatively unaltered remnant from the early history of the solar system and thus a low priority target for robotic sample return. Our photometry placed a lower bound of 2 hrs on the asteroid's rotation period. Its absolute magnitude was estimated to be 21.54+-0.1 which, for a typical S-complex albedo, translates into a diameter of 130+-20 m. Our dynamical simulations show that it has likely been an Amor for the past 10^5 yr. Although currently not Earth-crossing, it will likely become so during the period 50 - 100 kyr in the future. It may have arrived from the inner or central Main Belt > 1 Myr ago as a former member of a low-inclination S-class asteroid family. Its relatively slow rotation and large size make it a suitable destination for a human mission. We show that ballistic Earth-190491-Earth transfer trajectories with Delta-V < 2 km s^-1 at the asteroid exist between 2052 and 2061. Comment: 2 Tables, 11 Figures, accepted for publication in Astronomy & Astrophysic

    Clones and Macro co-changes

    Ideally, any change that modifies the similar parts of a cloned code snippet should be propagated to all its duplicates. In practice, however, consistent propagation of changes in clones does not always happen. Current evidence indicates that clone families have a 50% chance of having consistent changes. This paper measures cloning and co-changes at file level as a proxy to assess the frequency of consistent changes. Given that changes to a clone group are not necessarily propagated in the same commit transaction (i.e., late propagations), our analysis uses macro co-changes instead of the traditional definition of co-changes. Macro changes group bursts of changes that are closer among themselves than to other changes, regardless of author or message. Then, macro co-changes are sets of files that change in the same macro changes. Each cloned file is tagged depending on whether any of the files with which it macro co-changes is cloned with it (during the macro change) or not. Contrary to previous results, we discovered that most of the cloned files macro co-change only with files with which they share clones. This provides evidence that macro changes are appropriate to study the conjecture of clones requiring co-changes, and indicates that consistent changes might be the norm in cloned code.
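    The macro co-change tagging described above, as an added example that is not the paper's own code or data: commits are grouped into bursts (macro changes) by temporal proximity while ignoring author and message, each burst yields the set of files it touched, and every cloned file is then tagged, per change set, by whether at least one co-changed file is a clone sibling. The same tagging run over raw commits shows how a late propagation is misclassified at commit granularity and recovered at macro-change granularity. The commit log, the clone groups and the fixed two-hour gap used to delimit a burst are constructed assumptions; the paper does not state its clustering rule, and a gap threshold stands in for it here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Set


class Commit(NamedTuple):
    when: datetime
    author: str
    message: str
    files: Set[str]


# Constructed commit log. The fix to parse.c is propagated to parse_legacy.c
# in a separate commit 65 minutes later: a late propagation.
COMMITS = [
    Commit(datetime(2024, 3, 1, 9, 0), "ana", "fix parser bounds", {"src/parse.c", "src/parse_v2.c"}),
    Commit(datetime(2024, 3, 1, 9, 40), "ben", "add regression test", {"test/parse_test.c"}),
    Commit(datetime(2024, 3, 1, 10, 5), "ana", "propagate bounds fix", {"src/parse_legacy.c"}),
    Commit(datetime(2024, 3, 4, 14, 0), "ben", "docs", {"README.md", "src/parse.c"}),
    Commit(datetime(2024, 3, 9, 11, 0), "cid", "crypto refactor", {"src/crypto.c"}),
    Commit(datetime(2024, 3, 9, 11, 30), "cid", "crypto refactor 2", {"src/crypto.c", "src/hash.c"}),
]

# Constructed clone groups (files that share cloned code).
CLONE_GROUPS = [
    {"src/parse.c", "src/parse_v2.c", "src/parse_legacy.c"},
    {"src/crypto.c", "src/crypto_old.c"},
]


def macro_changes(commits: List[Commit], gap=timedelta(hours=2)) -> List[List[Commit]]:
    """Group commits into bursts: a commit joins the current burst when it is
    within `gap` of the previous commit, regardless of author or message.
    (Assumed rule; the paper's clustering criterion is not restated here.)"""
    bursts: List[List[Commit]] = []
    for c in sorted(commits, key=lambda c: c.when):
        if bursts and c.when - bursts[-1][-1].when <= gap:
            bursts[-1].append(c)
        else:
            bursts.append([c])
    return bursts


def macro_cochange_sets(bursts: List[List[Commit]]) -> List[Set[str]]:
    """Files that macro co-change: the union of files touched in each burst."""
    return [set().union(*(c.files for c in burst)) for burst in bursts]


def tag_cloned_files(change_sets: List[Set[str]], clone_groups):
    """For every cloned file and every change set it appears in, count whether
    it co-changed with at least one clone sibling ('with_clone') or not."""
    siblings = defaultdict(set)
    for group in clone_groups:
        for f in group:
            siblings[f] |= group - {f}
    tags = {}
    for files in change_sets:
        for f in files:
            if f not in siblings:
                continue  # not a cloned file; nothing to tag
            t = tags.setdefault(f, {"with_clone": 0, "without_clone": 0})
            if (files - {f}) & siblings[f]:
                t["with_clone"] += 1
            else:
                t["without_clone"] += 1
    return tags


def commit_level_tags():
    return tag_cloned_files([c.files for c in COMMITS], CLONE_GROUPS)


def macro_level_tags():
    return tag_cloned_files(macro_cochange_sets(macro_changes(COMMITS)), CLONE_GROUPS)


if __name__ == "__main__":
    print("commit-level:", commit_level_tags())
    print("macro-level: ", macro_level_tags())
```

At commit granularity src/parse_legacy.c changes alone and is tagged as co-changing without its clones; at macro-change granularity the three morning commits collapse into one burst and the same file is tagged as co-changing with src/parse.c. src/crypto.c is tagged without_clone either way, because its sibling src/crypto_old.c never changes in the log.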