18 research outputs found

    A game of “Cut and Mouse”: bypassing antivirus by simulating user inputs

    To protect their digital assets from malware attacks, most users and companies rely on anti-virus (AV) software. But AVs' protection is a full-time task and AVs are engaged in a cat-and-mouse game where malware, e.g., through obfuscation and polymorphism, denial of service attacks and malformed packets and parameters, try to circumvent AV defences or make them crash. On the other hand, AVs react by complementing signature-based with anomaly or behavioral detection, and by using OS protection, standard code, and binary protection techniques. Further, malware counter-act, for instance by using adversarial inputs to avoid detection, et cetera. This paper investigates two novel moves for the malware side. The first one consists in simulating mouse events to control AVs, namely to send them mouse "clicks" to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling high-integrity white-listed applications, such as Notepad, by sending them keyboard events (such as "copy-and-paste") to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of some AVs can be bypassed if we use Notepad as a "puppet" to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse

    Golgi Membranes Are Absorbed into and Reemerge from the ER during Mitosis

    Quantitative imaging and photobleaching were used to measure ER/Golgi recycling of GFP-tagged Golgi proteins in interphase cells and to monitor the dissolution and reformation of the Golgi during mitosis. In interphase, recycling occurred every 1.5 hr, and blocking ER egress trapped cycling Golgi enzymes in the ER with loss of Golgi structure. In mitosis, when ER export stops, Golgi proteins redistributed into the ER as shown by quantitative imaging in vivo and immuno-EM. Comparison of the mobilities of Golgi proteins and lipids ruled out the persistence of a separate mitotic Golgi vesicle population and supported the idea that all Golgi components are absorbed into the ER. Moreover, reassembly of the Golgi complex after mitosis failed to occur when ER export was blocked. These results demonstrate that in mitosis the Golgi disperses and reforms through the intermediary of the ER, exploiting constitutive recycling pathways. They thus define a novel paradigm for Golgi genesis and inheritance

    Transport through the Golgi Apparatus by Rapid Partitioning within a Two-Phase Membrane System

    The prevailing view of intra-Golgi transport is cisternal progression, which has a key prediction—that newly arrived cargo exhibits a lag or transit time before exiting the Golgi. Instead, we find that cargo molecules exit at an exponential rate proportional to their total Golgi abundance with no lag. Incoming cargo molecules rapidly mix with those already in the system and exit from partitioned domains with no cargo privileged for export based on its time of entry into the system. Given these results, we constructed a new model of intra-Golgi transport that involves rapid partitioning of enzymes and transmembrane cargo between two lipid phases combined with relatively rapid exchange among cisternae. Simulation and experimental testing of this rapid partitioning model reproduced all the key characteristics of the Golgi apparatus, including polarized lipid and protein gradients, exponential cargo export kinetics, and cargo waves

    From the Editor


    On the undetectability of payloads generated through automatic tools: A human‐oriented approach

    Nowadays, several tools have been proposed to support the operations performed during a security assessment process. In particular, it is a common practice to rely on automated tools to carry out some phases of this process in an automatic or semiautomatic way. In this article, we focus on tools for the automatic generation of custom executable payloads. Then, we will show how these tools can be transformed, through some human-oriented modifications on the generated payloads, into threats for a given asset's security. The danger of such threats lies in the fact that they may not be detected by common antivirus (AVs). More precisely, in this article, we show a general approach to make a payload generated through automated tools run undetected by most AVs. In detail, we first analyze and explain most of the methods used by AVs to recognize malicious payloads and, for each one of them, we outline the relative strengths and flaws, showing how these flaws could be exploited using a general approach to evade AVs controls, by performing simple human-oriented operations on the payloads. The testing activity we performed shows that our proposal is helpful in evading virtually all the most popular AVs on the market. Therefore, low-skilled malicious users could easily use our approach

    Clustering and Lateral Concentration of Raft Lipids by the MAL Protein

    MAL, a compact hydrophobic, four-transmembrane-domain apical protein that copurifies with detergent-resistant membranes is obligatory for the machinery that sorts glycophosphatidylinositol (GPI)-anchored proteins and others to the apical membrane in epithelia. The mechanism of MAL function in lipid-raft–mediated apical sorting is unknown. We report that MAL clusters formed by two independent procedures—spontaneous clustering of MAL tagged with the tandem dimer DiHcRED (DiHcRED-MAL) in the plasma membrane of COS7 cells and antibody-mediated cross-linking of FLAG-tagged MAL—laterally concentrate markers of sphingolipid rafts and exclude a fluorescent analogue of phosphatidylethanolamine. Site-directed mutagenesis and bimolecular fluorescence complementation analysis demonstrate that MAL forms oligomers via ϕxxϕ intramembrane protein–protein binding motifs. Furthermore, results from membrane modulation by using exogenously added cholesterol or ceramides support the hypothesis that MAL-mediated association with raft lipids is driven at least in part by positive hydrophobic mismatch between the lengths of the transmembrane helices of MAL and membrane lipids. These data place MAL as a key component in the organization of membrane domains that could potentially serve as membrane sorting platforms