On the Reverse Engineering of the Citadel Botnet

Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.Comment: 10 pages, 17 figures. This is an updated / edited version of a paper appeared in FPS 201

The hyaluronan-binding serine protease from human plasma cleaves HMW and LMW kininogen and releases bradykinin

The influence of the hyaluronanbinding protease (PHBSP), a plasma enzyme with FVII- and pro-urokinase-activating potency, on components of the contact phase (kallikrein/kinin) system was investigated. No activation or cleavage of the proenzymes involved in the contact phase system was observed. The procofactor high molecular weight kininogen (HK), however, was cleaved in vitro by PHBSP in the absence of any charged surface, releasing the activated cofactor and the vasoactive nonapeptide bradykinin. Glycosoaminoglycans strongly enhanced the reaction. The cleavage was comparable to that of plasma kallikrein, but clearly different from that of coagulation factor FXIa. Upon extended incubation with PHBSP, the light chain was further processed, partially removing about 60 amino acid residues from the Nterminus of domain D5 of the light chain. These cleavage site(s) were distinct from plasma kallikrein or FXIa cleavage sites. PHBSP and, more interestingly, also plasma kallikrein could cleave low molecular weight kininogen in vitro, indicating that domains D5(H) and D6(H) are no prerequisite for kininogen cleavage. PHBSP was also able to release bradykinin from HK in plasma where the pro-cofactor circulates predominantly in complex with plasma kallikrein or FXI. In conclusion, PHBSP represents a novel kininogen-cleaving and bradykinin-releasing enzyme in plasma that shares significant catalytic similarities with plasma kallikrein. Since they are structurally unrelated in their heavy chains (propeptide), their similar in vivo catalytic activities might be directed at distinct sites where PHBSP could induce processes that are related to the kallikrein/kinin system

Weak Lensing Reconstruction and Power Spectrum Estimation: Minimum Variance Methods

Large-scale structure distorts the images of background galaxies, which allows one to measure directly the projected distribution of dark matter in the universe and determine its power spectrum. Here we address the question of how to extract this information from the observations. We derive minimum variance estimators for projected density reconstruction and its power spectrum and apply them to simulated data sets, showing that they give a good agreement with the theoretical minimum variance expectations. The same estimator can also be applied to the cluster reconstruction, where it remains a useful reconstruction technique, although it is no longer optimal for every application. The method can be generalized to include nonlinear cluster reconstruction and photometric information on redshifts of background galaxies in the analysis. We also address the question of how to obtain directly the 3-d power spectrum from the weak lensing data. We derive a minimum variance quadratic estimator, which maximizes the likelihood function for the 3-d power spectrum and can be computed either from the measurements directly or from the 2-d power spectrum. The estimator correctly propagates the errors and provides a full correlation matrix of the estimates. It can be generalized to the case where redshift distribution depends on the galaxy photometric properties, which allows one to measure both the 3-d power spectrum and its time evolution.Comment: revised version, 36 pages, AAS LateX, submitted to Ap

Weak Lensing Analysis of the z~0.8 cluster CL 0152-1357 with the Advanced Camera for Surveys

We present a weak lensing analysis of the X-ray luminous cluster CL 0152-1357 at z~0.84 using HST/ACS observations. The unparalleled resolution and sensitivity of ACS enable us to measure weakly distorted, faint background galaxies to the extent that the number density reaches ~175 arcmin^-2. The PSF of ACS has a complicated shape that also varies across the field. We construct a PSF model for ACS from an extensive investigation of 47 Tuc stars in a modestly crowded region. We show that this model PSF excellently describes the PSF variation pattern in the cluster observation when a slight adjustment of ellipticity is applied. The high number density of source galaxies and the accurate removal of the PSF effect through moment-based deconvolution allow us to restore the dark matter distribution of the cluster in great detail. The direct comparison of the mass map with the X-ray morphology from Chandra observations shows that the two peaks of intracluster medium traced by X-ray emission are lagging behind the corresponding dark matter clumps, indicative of an on-going merger. The overall mass profile of the cluster can be well described by an NFW profile with a scale radius of r_s =309+-45 kpc and a concentration parameter of c=3.7+-0.5. The mass estimates from the lensing analysis are consistent with those from X-ray and Sunyaev-Zeldovich analyses. The predicted velocity dispersion is also in good agreement with the spectroscopic measurement from VLT observations. In the adopted WMAP cosmology, the total projected mass and the mass-to-light ratio within 1 Mpc are estimated to be 4.92+-0.44 10^14 solar mass and 95+-8 solar mass/solar luminosity, respectively.Comment: Accepted for publication in Astrophysical Journal. 58 pages, 26 figures. Figures have been degraded to meet size limit; a higher resolution version available at http://acs.pha.jhu.edu/~mkjee/ms_cl0152.pd

HST/ACS weak lensing analysis of the galaxy cluster RDCS 1252.9-2927 at z=1.24

We present a weak lensing analysis of one of the most distant massive galaxy cluster known, RDCS 1252.9-2927 at z=1.24, using deep images from the Advanced Camera for Survey (ACS) on board the Hubble Space Telescope (HST). By taking advantage of the depth and of the angular resolution of the ACS images, we detect for the first time at z>1 a clear weak lensing signal in both the i (F775W) and z (F850LP) filters. We measure a 5-\sigma signal in the i band and a 3-\sigma signal in the shallower z band image. The two radial mass profiles are found to be in very good agreement with each other, and provide a measurement of the total mass of the cluster inside a 1Mpc radius of M(<1Mpc) = (8.0 +/- 1.3) x 10^14 M_\odot in the current cosmological concordance model h =0.70, \Omega_m=0.3, \Omega_\Lambda=0.7, assuming a redshift distribution of background galaxies as inferred from the Hubble Deep Fields surveys. A weak lensing signal is detected out to the boundary of our field (3' radius, corresponding to 1.5Mpc at the cluster redshift). We detect a small offset between the centroid of the weak lensing mass map and the brightest cluster galaxy, and we discuss the possible origin of this discrepancy. The cumulative weak lensing radial mass profile is found to be in good agreement with the X-ray mass estimate based on Chandr and XMM-Newton observations, at least out to R_500=0.5Mpc.Comment: 38 pages, ApJ in press. Full resolution images available at http://www.eso.org/~prosati/RDCS1252/Lombardi_etal_accepted.pd

Weak lensing mass reconstruction of the interacting cluster 1E0657-558: Direct evidence for the existence of dark matter

We present a weak lensing mass reconstruction of the interacting cluster 1E0657-558 in which we detect both the main cluster and a sub-cluster. The sub-cluster is identified as a smaller cluster which has just undergone initial in-fall and pass-through of the primary cluster, and has been previously identified in both optical surveys and X-ray studies. The X-ray gas has been separated from the galaxies by ram-pressure stripping during the pass-through. The detected mass peak is located between the X-ray peak and galaxy concentration, although the position is consistent with the galaxy centroid within the errors of the mass reconstruction. We find that the mass peak for the main cluster is in good spatial agreement with the cluster galaxies and offset from the X-ray halo at 3.4 sigma significance, and determine that the mass-to-light ratios of the two components are consistent with those of relaxed clusters. The observed offsets of the lensing mass peaks from the peaks of the dominant visible mass component (the X-ray gas) directly demonstrate the presence, and dominance, of dark matter in this cluster. This proof of the dark matter existence holds true even under the assumption of modified Newtonian gravity (MOND); from the observed gravitational shear to optical light ratios and mass peak - X-ray gas offsets, the dark matter component in a MOND regime has a total mass which is at least equal to the baryonic mass of the system.Comment: 8 pages, 4 figure, accepted by Ap

Mass Distributions of HST Galaxy Clusters from Gravitational Arcs

Although N-body simulations of cosmic structure formation suggest that dark matter halos have density profiles shallower than isothermal at small radii and steeper at large radii, whether observed galaxy clusters follow this profile is still ambiguous. We use one such density profile, the asymmetric NFW profile, to model the mass distributions of 11 galaxy clusters with gravitational arcs observed by HST. We characterize the galaxy lenses in each cluster as NFW ellipsoids, each defined by an unknown scale convergence, scale radius, ellipticity, and position angle. For a given set of values of these parameters, we compute the arcs that would be produced by such a lens system. To define the goodness of fit to the observed arc system, we define a chi^2 function encompassing the overlap between the observed and reproduced arcs as well as the agreement between the predicted arc sources and the observational constraints on the source system. We minimize this chi^2 to find the values of the lens parameters that best reproduce the observed arc system in a given cluster. Here we report our best-fit lens parameters and corresponding mass estimates for each of the 11 lensing clusters. We find that cluster mass models based on lensing galaxies defined as NFW ellipsoids can accurately reproduce the observed arcs, and that the best-fit parameters to such a model fall within the reasonable ranges defined by simulations. These results assert NFW profiles as an effective model for the mass distributions of observed clusters.Comment: Submitted to ApJ, 14 figures include

Probing the Universe with Weak Lensing

Gravitational lenses can provide crucial information on the geometry of the Universe, on the cosmological scenario of formation of its structures as well as on the history of its components with look-back time. In this review, I focus on the most recent results obtained during the last five years from the analysis of the weak lensing regime. The interest of weak lensing as a probe of dark matter and the for study of the coupling between light and mass on scales of clusters of galaxies, large scale structures and galaxies is discussed first. Then I present the impact of weak lensing for the study of distant galaxies and of the population of lensed sources as function of redshift. Finally, I discuss the potential interest of weak lensing to constrain the cosmological parameters, either from pure geometrical effects observed in peculiar lenses, or from the coupling of weak lensing with the CMB.Comment: To appear Annual Review of Astronomy and Astrophysiscs Vol. 37. Latex and psfig.sty. Version without figure, 54 pages, 73Kb. Complete version including 13 figures (60 pages) available on ftp.iap.fr anonymous account in /pub/from_users/mellier/AnnualReview ; file ARAAmellier.ps.gz 1.6 M

A Comparison of Simple Mass Estimators for Galaxy Clusters

High-resolution N-body simulations are used to investigate systematic trends in the mass profiles and total masses of clusters as derived from 3 simple estimators: (1) the weak gravitational lensing shear field under the assumption of an isothermal cluster potential, (2) the dynamical mass obtained from the measured velocity dispersion under the assumption of an isothermal cluster potential, and (3) the classical virial estimator. The clusters consist of order 2.5e+05 particles of mass m_p \simeq 10^{10} \Msun, have triaxial mass distributions, and significant substructure exists within their virial radii. Not surprisingly, the level of agreement between the mass profiles obtained from the various estimators and the actual mass profiles is found to be scale-dependent. The virial estimator yields a good measurement of the total cluster mass, though it is systematically underestimated by of order 10%. This result suggests that, at least in the limit of ideal data, the virial estimator is quite robust to deviations from pure spherical symmetry and the presence of substructure. The dynamical mass estimate based upon a measurement of the cluster velocity dispersion and an assumption of an isothermal potential yields a poor measurement of the total mass. The weak lensing estimate yields a very good measurement of the total mass, provided the mean shear used to determine the equivalent cluster velocity dispersion is computed from an average of the lensing signal over the entire cluster (i.e. the mean shear is computed interior to the virial radius). [abridged]Comment: Accepted for publication in The Astrophysical Journal. Complete paper, including 3 large colour figures can also be obtained from http://bu-ast.bu.edu/~brainerd/preprints

Galaxies at z=4 and the Formation of Population II

We report the discovery of four high-redshift objects (3.3 < z < 4) observed behind the rich cluster CL0939+4713 (Abell 851). One object (DG 433) has a redshift of z=3.3453; the other three objects have redshifts of z\approx 4: A0 at z=3.9819, DG 353 and P1/P2 at z=3.9822. It is possible that all four objects are being lensed in some way by the cluster, DG 433 being weakly sheared, A0 being strongly sheared, and DG 353 and P1/P2 being an image pair of a common source object; detailed modelling of the cluster potential will be necessary to confirm this hypothesis. The weakness of common stellar wind features like N V and especially C IV in the spectra of these objects argues for sub-solar metallicities, at least as low as the SMC. DG 353 and DG 433, which have ground-based colors, are moderately dusty [E_{int}(B-V) < 0.15], similar to other z>3 galaxies. Star formation rates range from 2.5 (7.8) h^{-2} to 22. (78.) h^{-2} M_{\odot}/yr, for q_0=0.5 (0.05), depending on assumptions about gravitational lensing and extinction, also typical of other z>3 galaxies. These objects are tenatively identified as the low-metallicity proto-spheroid clumps that will merge to form the Population II components of today's spheroids.Comment: 16 pages, including 2 PostScript figures. Needs aaspp4.sty (included). Accepted for publication in the Astrophysical Journa