On the Reverse Engineering of the Citadel Botnet

Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.Comment: 10 pages, 17 figures. This is an updated / edited version of a paper appeared in FPS 201

Microlensing events from the 11-year observations of the Wendelstein Calar Alto Pixellensing Project

We present the results of the decade-long M31 observation from the Wendelstein Calar Alto Pixellensing Project (WeCAPP). WeCAPP has monitored M31 from 1997 till 2008 in both R- and I-filters, thus provides the longest baseline of all M31 microlensing surveys. The data are analyzed with the difference imaging analysis, which is most suitable to study variability in crowded stellar fields. We extracted light curves based on each pixel, and devised selection criteria that are optimized to identify microlensing events. This leads to 10 new events, and sums up to a total of 12 microlensing events from WeCAPP, for which we derive their timescales, flux excesses, and colors from their light curves. The color of the lensed stars fall between (R-I) = 0.56 to 1.36, with a median of 1.0 mag, in agreement with our expectation that the sources are most likely bright, red stars at post main-sequence stage. The event FWHM timescales range from 0.5 to 14 days, with a median of 3 days, in good agreement with predictions based on the model of Riffeser et al. (2006).Comment: 44 pages, 16 figures, 5 tables. ApJ accepte

Bias-Free Shear Estimation using Artificial Neural Networks

Bias due to imperfect shear calibration is the biggest obstacle when constraints on cosmological parameters are to be extracted from large area weak lensing surveys such as Pan-STARRS-3pi, DES or future satellite missions like Euclid. We demonstrate that bias present in existing shear measurement pipelines (e.g. KSB) can be almost entirely removed by means of neural networks. In this way, bias correction can depend on the properties of the individual galaxy instead on being a single global value. We present a procedure to train neural networks for shear estimation and apply this to subsets of simulated GREAT08 RealNoise data. We also show that circularization of the PSF before measuring the shear reduces the scatter related to the PSF anisotropy correction and thus leads to improved measurements, particularly on low and medium signal-to-noise data. Our results are competitive with the best performers in the GREAT08 competition, especially for the medium and higher signal-to-noise sets. Expressed in terms of the quality parameter defined by GREAT08 we achieve a Q = 40, 140 and 1300 without and 50, 200 and 1300 with circularization for low, medium and high signal-to-noise data sets, respectively.Comment: 19 pages, 8 figures; accepted for publication in Ap

Weak Lensing Reconstruction and Power Spectrum Estimation: Minimum Variance Methods

Large-scale structure distorts the images of background galaxies, which allows one to measure directly the projected distribution of dark matter in the universe and determine its power spectrum. Here we address the question of how to extract this information from the observations. We derive minimum variance estimators for projected density reconstruction and its power spectrum and apply them to simulated data sets, showing that they give a good agreement with the theoretical minimum variance expectations. The same estimator can also be applied to the cluster reconstruction, where it remains a useful reconstruction technique, although it is no longer optimal for every application. The method can be generalized to include nonlinear cluster reconstruction and photometric information on redshifts of background galaxies in the analysis. We also address the question of how to obtain directly the 3-d power spectrum from the weak lensing data. We derive a minimum variance quadratic estimator, which maximizes the likelihood function for the 3-d power spectrum and can be computed either from the measurements directly or from the 2-d power spectrum. The estimator correctly propagates the errors and provides a full correlation matrix of the estimates. It can be generalized to the case where redshift distribution depends on the galaxy photometric properties, which allows one to measure both the 3-d power spectrum and its time evolution.Comment: revised version, 36 pages, AAS LateX, submitted to Ap

Weak lensing mass reconstruction of the interacting cluster 1E0657-558: Direct evidence for the existence of dark matter

We present a weak lensing mass reconstruction of the interacting cluster 1E0657-558 in which we detect both the main cluster and a sub-cluster. The sub-cluster is identified as a smaller cluster which has just undergone initial in-fall and pass-through of the primary cluster, and has been previously identified in both optical surveys and X-ray studies. The X-ray gas has been separated from the galaxies by ram-pressure stripping during the pass-through. The detected mass peak is located between the X-ray peak and galaxy concentration, although the position is consistent with the galaxy centroid within the errors of the mass reconstruction. We find that the mass peak for the main cluster is in good spatial agreement with the cluster galaxies and offset from the X-ray halo at 3.4 sigma significance, and determine that the mass-to-light ratios of the two components are consistent with those of relaxed clusters. The observed offsets of the lensing mass peaks from the peaks of the dominant visible mass component (the X-ray gas) directly demonstrate the presence, and dominance, of dark matter in this cluster. This proof of the dark matter existence holds true even under the assumption of modified Newtonian gravity (MOND); from the observed gravitational shear to optical light ratios and mass peak - X-ray gas offsets, the dark matter component in a MOND regime has a total mass which is at least equal to the baryonic mass of the system.Comment: 8 pages, 4 figure, accepted by Ap

The Effects of Massive Substructures on Image Multiplicities in Gravitati onal Lenses

Surveys for gravitational lens systems have typically found a significantly larger fraction of lenses with four (or more) images than are predicted by standard ellipsoidal lens models (50% versus 25-30%). We show that including the effects of smaller satellite galaxies, with an abundance normalized by the observations, significantly increases the expected number of systems with more than two images and largely explains the discrepancy. The effect is dominated by satellites with ~20% the luminosity of the primary lens, in rough agreement with the typical luminosities of the observed satellites. We find that the lens systems with satellites cannot, however, be dropped from estimates of the cosmological model based on gravitational lens statistics without significantly biasing the results.Comment: 23 pages, 7 figures, more discussion of sis vs sie and inclusion of uncorrelated contribution

Non-Simplified SUSY: Stau-Coannihilation at LHC and ILC

If new phenomena beyond the Standard Model will be discovered at the LHC, the properties of the new particles could be determined with data from the High-Luminosity LHC and from a future linear collider like the ILC. We discuss the possible interplay between measurements at the two accelerators in a concrete example, namely a full SUSY model which features a small stau_1-LSP mass difference. Various channels have been studied using the Snowmass 2013 combined LHC detector implementation in the Delphes simulation package, as well as simulations of the ILD detector concept from the Technical Design Report. We investigate both the LHC and ILC capabilities for discovery, separation and identification of various parts of the spectrum. While some parts would be discovered at the LHC, there is substantial room for further discoveries at the ILC. We finally highlight examples where the precise knowledge about the lower part of the mass spectrum which could be acquired at the ILC would enable a more in-depth analysis of the LHC data with respect to the heavier states.Comment: 42 pages, 18 figures, 12 table

Single Proton Knock-Out Reactions from 24,25,26F

The cross sections of the single proton knock-out reactions from 24F, 25F, and 26F on a 12C target were measured at energies of about 50 MeV/nucleon. Ground state populations of 6.6+-.9 mb, 3.8+-0.6 mb for the reactions 12C(24F,23O) and 12C(25F,24O) were extracted, respectively. The data were compared to calculations based on the many-body shell model and the eikonal theory. In the reaction 12C(26F,25O) the particle instability of 25O was confirmed

The Wendelstein Calar Alto Pixellensing Project (WeCAPP): the M31 Nova catalogue

We present light curves from the novae detected in the long-term, M31 monitoring WeCAPP project. The goal of WeCAPP is to constrain the compact dark matter fraction of the M31 halo with microlensing observations. As a by product we have detected 91 novae benefiting from the high cadence and highly sensitive difference imaging technique required for pixellensing. We thus can now present the largest CCD and optical filters based nova light curve sample up-to-date towards M31. We also obtained thorough coverage of the light curve before and after the eruption thanks to the long-term monitoring. We apply the nova taxonomy proposed by Strope et al. (2010) to our nova candidates and found 29 S-class novae, 10 C-class novae, 2 O-class novae and 1 J-class nova. We have investigated the universal decline law advocated by Hachichu and Kato (2006) on the S-class novae. In addition, we correlated our catalogue with the literature and found 4 potential recurrent novae. Part of our catalogue has been used to search for optical counter-parts of the super soft X-ray sources detected in M31 (Pietsch et al. 2005). Optical surveys like WeCAPP, and coordinated with multi-wavelength observation, will continue to shed light on the underlying physical mechanism of novae in the future.Comment: 15 pages, 15 figures, 7 tables, A&A accepted for publication. The appendix is stored in the Data Conservanc

HST/ACS weak lensing analysis of the galaxy cluster RDCS 1252.9-2927 at z=1.24

We present a weak lensing analysis of one of the most distant massive galaxy cluster known, RDCS 1252.9-2927 at z=1.24, using deep images from the Advanced Camera for Survey (ACS) on board the Hubble Space Telescope (HST). By taking advantage of the depth and of the angular resolution of the ACS images, we detect for the first time at z>1 a clear weak lensing signal in both the i (F775W) and z (F850LP) filters. We measure a 5-\sigma signal in the i band and a 3-\sigma signal in the shallower z band image. The two radial mass profiles are found to be in very good agreement with each other, and provide a measurement of the total mass of the cluster inside a 1Mpc radius of M(<1Mpc) = (8.0 +/- 1.3) x 10^14 M_\odot in the current cosmological concordance model h =0.70, \Omega_m=0.3, \Omega_\Lambda=0.7, assuming a redshift distribution of background galaxies as inferred from the Hubble Deep Fields surveys. A weak lensing signal is detected out to the boundary of our field (3' radius, corresponding to 1.5Mpc at the cluster redshift). We detect a small offset between the centroid of the weak lensing mass map and the brightest cluster galaxy, and we discuss the possible origin of this discrepancy. The cumulative weak lensing radial mass profile is found to be in good agreement with the X-ray mass estimate based on Chandr and XMM-Newton observations, at least out to R_500=0.5Mpc.Comment: 38 pages, ApJ in press. Full resolution images available at http://www.eso.org/~prosati/RDCS1252/Lombardi_etal_accepted.pd