On the Reverse Engineering of the Citadel Botnet

Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.Comment: 10 pages, 17 figures. This is an updated / edited version of a paper appeared in FPS 201

New method for critical failure prediction of complex systems

Rigorous analytical technique, called criticality determination methodology /or CD technique/ determines the probability that a given complex system will successfully achieve stated objectives. The CD technique identifies critical elements of the system by a failure mode and effects analysis

Lightweight, low compression aircraft diesel engine

The feasibility of converting a spark ignition aircraft engine to the diesel cycle was investigated. Procedures necessary for converting a single cylinder GTS10-520 are described as well as a single cylinder diesel engine test program. The modification of the engine for the hot port cooling concept is discussed. A digital computer graphics simulation of a twin engine aircraft incorporating the diesel engine and Hot Fort concept is presented showing some potential gains in aircraft performance. Sample results of the computer program used in the simulation are included

Body temperatures of modern and extinct vertebrates from ^(13)C-^(18)O bond abundances in bioapatite

The stable isotope compositions of biologically precipitated apatite in bone, teeth, and scales are widely used to obtain information on the diet, behavior, and physiology of extinct organisms and to reconstruct past climate. Here we report the application of a new type of geochemical measurement to bioapatite, a “clumped-isotope” paleothermometer, based on the thermodynamically driven preference for ^(13)C and ^(18)O to bond with each other within carbonate ions in the bioapatite crystal lattice. This effect is dependent on temperature but, unlike conventional stable isotope paleothermometers, is independent from the isotopic composition of water from which the mineral formed. We show that the abundance of ^(13)C-^(18)O bonds in the carbonate component of tooth bioapatite from modern specimens decreases with increasing body temperature of the animal, following a relationship between isotope “clumping” and temperature that is statistically indistinguishable from inorganic calcite. This result is in agreement with a theoretical model of isotopic ordering in carbonate ion groups in apatite and calcite. This thermometer constrains body temperatures of bioapatite-producing organisms with an accuracy of 1–2 °C. Analyses of fossilized tooth enamel of both Pleistocene and Miocene age yielded temperatures within error of those derived from similar modern taxa. Clumped-isotope analysis of bioapatite represents a new approach in the study of the thermophysiology of extinct species, allowing the first direct measurement of their body temperatures. It will also open new avenues in the study of paleoclimate, as the measurement of clumped isotopes in phosphorites and fossils has the potential to reconstruct environmental temperatures

Mating-type genes and sexual potential in the ascomycete genera Aspergillus and Penicillium

Mating-type and other ‘sex-related’ genes in the filamentous ascomcyete genera Aspergillus and Penicillium, were examined to investigate the potential sexual capacity of supposedly asexual species and also the possible evolutionary route and ancestry of mating strategy and mating-type genes. Two heterothallic and one homothallic sexual species were screened to determine the presence and genomic organisation of mating-type genes. An additional gene has previously been detected in Neosartorya fischeri, N. fumigata and Penicillium marneffei. This gene was also detected and sequenced in the heterothallic species, Emericella heterothallica and the homothallic species, Eurotium repens. The expression of this gene was investigated under conditions that cause expression of mating-type genes in these species. Mating-type and other ‘sex-related’ genes were investigated in asexual Aspergilli that have been genome sequenced. Expression of mating-type, α-factor pheromone precursor, pheromone receptor and two transcription factor encoding genes were also investigated. Gene expression varied between species, but no genes displayed mating type-dependent expression. Previous studies had developed a degenerate PCR diagnostic approach to identify putative MAT1-1-1 and MAT1-2-1 gene fragments. This degenerate PCR diagnostic was performed on Penicillium species in the subgenus Penicillium to determine the presence or absence of mating-type genes. Mating-type gene fragments or whole open reading frames were sequenced from four of these Penicillium species. RT-PCR analyses were also performed on these species, and MAT1-1-1 and MAT1-2-1 gene expression was confirmed in three of the four Penicillium species. The overall structure of the mating-type loci and idiomorphs of the Aspergillus and Penicillium species revealed certain common features. The ancestral mating strategy of the Eurotiomycetes has been suggested to be homothallism. Whilst this remains possible, alternative evolutionary scenarios are suggested from this investigation

Limits of Predictability in Commuting Flows in the Absence of Data for Calibration

The estimation of commuting flows at different spatial scales is a fundamental problem for different areas of study. Many current methods rely on parameters requiring calibration from empirical trip volumes. Their values are often not generalizable to cases without calibration data. To solve this problem we develop a statistical expression to calculate commuting trips with a quantitative functional form to estimate the model parameter when empirical trip data is not available. We calculate commuting trip volumes at scales from within a city to an entire country, introducing a scaling parameter α to the recently proposed parameter free radiation model. The model requires only widely available population and facility density distributions. The parameter can be interpreted as the influence of the region scale and the degree of heterogeneity in the facility distribution. We explore in detail the scaling limitations of this problem, namely under which conditions the proposed model can be applied without trip data for calibration. On the other hand, when empirical trip data is available, we show that the proposed model's estimation accuracy is as good as other existing models. We validated the model in different regions in the U.S., then successfully applied it in three different countries

Spatiotemporal correlations of handset-based service usages

We study spatiotemporal correlations and temporal diversities of handset-based service usages by analyzing a dataset that includes detailed information about locations and service usages of 124 users over 16 months. By constructing the spatiotemporal trajectories of the users we detect several meaningful places or contexts for each one of them and show how the context affects the service usage patterns. We find that temporal patterns of service usages are bound to the typical weekly cycles of humans, yet they show maximal activities at different times. We first discuss their temporal correlations and then investigate the time-ordering behavior of communication services like calls being followed by the non-communication services like applications. We also find that the behavioral overlap network based on the clustering of temporal patterns is comparable to the communication network of users. Our approach provides a useful framework for handset-based data analysis and helps us to understand the complexities of information and communications technology enabled human behavior.Comment: 11 pages, 15 figure

High resolution nighttime cloud-cover radiometer Quarterly report XVII, 1 Oct. 1965 - 1 Jan. 1966

Electronic, optical, mechanical, and electron packaging component and system design reviews for high resolution cloud cover infrared radiomete

Phosphorylation of pRb: mechanism for RB pathway inactivation in MYCN-amplified retinoblastoma.

A small, but unique subgroup of retinoblastoma has been identified with no detectable mutation in the retinoblastoma gene (RB1) and with high levels of MYCN gene amplification. This manuscript investigated alternate pathways of inactivating pRb, the encoded protein in these tumors. We analyzed the mutation status of the RB1 gene and MYCN copy number in a series of 245 unilateral retinoblastomas, and the phosphorylation status of pRb in a subset of five tumors using immunohistochemistry. There were 203 tumors with two mutations in RB1 (RB1(-/-) , 83%), 29 with one (RB1(+/-) , 12%) and 13 with no detectable mutations (RB1(+/+) , 5%). Eighteen tumors carried MYCN amplification between 29 and 110 copies: 12 had two (RB1(-/-) ) or one RB1 (RB1(+/-) ) mutations, while six had no mutations (RB1(+/+) ). Immunohistochemical staining of tumor sections with antibodies against pRb and phosphorylated Rb (ppRb) displayed high levels of pRb and ppRb in both RB1(+/+) and RB1(+/-) tumors with MYCN amplification compared to no expression of these proteins in a classic RB1(-/-) , MYCN-low tumor. These results establish that high MYCN amplification can be present in retinoblastoma with or without coding sequence mutations in the RB1 gene. The functional state of pRb is inferred to be inactive due to phosphorylation of pRb in the MYCN-amplified retinoblastoma without coding sequence mutations. This makes inactivation of RB1 by gene mutation or its protein product, pRb, by protein phosphorylation, a necessary condition for initiating retinoblastoma tumorigenesis, independent of MYCN amplification

Software Evolution Approach for the Development of Command and Control Systems

2000 Command and Control Research and Technology Symposium (CCRTS), June 11-13, 2000, Naval Postgraduate School, Monterey, CAThis paper addresses the problem of how to produce reliable software that is also flexible and cost effective for the DoD distributed software domain. DoD software systems fall into two categories: information systems and war fighter systems. Both types of systems can be distributed, heterogeneous and network-based, consisting of a set of components running on different platforms and working together via multiple communication links and protocols. We propose to tackle the problem using prototyping and a “wrapper and glue” technology for interoperability and integration. This paper describes a distributed development environment, CAPS (Computer- Aided Prototyping System), to support rapid prototyping and automatic generation of wrapper and glue software based on designer specifications. The CAPS system uses a fifth-generation prototyping language to model the communication structure, timing constraints, I/O control, and data buffering that comprise the requirements for an embedded software system. The language supports the specification of hard real-time systems with reusable components from domain specific component libraries. CAPS has been used successfully as a research tool in prototyping large war-fighter control systems (e.g. the command-and-control station, cruise missile flight control system, missile defense systems) and demonstrated its capability to support the development of large complex embedded software.This research was supported in part by the U. S. Army Research Office under contract/grant number 35037-MA and 40473-MA