33 research outputs found

    PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware

    Get PDF
    PowerShell is nowadays a widely used technology for administering and managing Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious content. Like other scripting languages used by malware, PowerShell attacks are challenging to analyze because of the extensive use of multiple obfuscation layers, which make the real malicious code hard to unveil. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it, showing the analyst the obfuscation steps employed. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.
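    The abstract describes a de-obfuscator that peels obfuscation layers one at a time and shows the analyst each step. The toy below, written for this page and not PowerDrive's own implementation, demonstrates the static side of that idea: a small set of rewrite rules (base64 -EncodedCommand, FromBase64String, the -f format operator, [char] code arrays, literal concatenation, redundant parentheses, and an Invoke-Expression wrapper whose string becomes the next stage) applied repeatedly until the script stops changing, with the intermediate scripts recorded in order. The sample script, the rule set and the rule names are all constructed here; PowerDrive additionally instruments the script and runs it, which this static example does not do.

```python
"""Toy multi-stage PowerShell de-obfuscator (added example, not PowerDrive's code).

Each rule peels one obfuscation layer and returns (new_script, description);
the driver re-applies the rules until nothing changes, so the analyst gets the
layers back in the order they were removed. Rules cover only a handful of
common tricks and ignore escaped quotes inside literals.
"""
import base64
import re


def _quote(text):
    """Emit a PowerShell single-quoted literal (a literal ' is doubled)."""
    return "'" + text.replace("'", "''") + "'"


def _unquote(text):
    return text.replace("''", "'")


def _rule_encoded_command(s):
    """powershell -enc <b64> / -EncodedCommand <b64>: the payload is UTF-16LE base64."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", s, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le"), "decoded -EncodedCommand (base64, UTF-16LE)"


def _rule_from_base64(s):
    """[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('...')) -> literal."""
    pat = (r"\[(?:System\.)?Text\.Encoding\]::Unicode\.GetString\(\s*"
           r"\[(?:System\.)?Convert\]::FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)")
    m = re.search(pat, s, re.IGNORECASE)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    return s[:m.start()] + _quote(decoded) + s[m.end():], "decoded FromBase64String/Unicode.GetString"


def _rule_format_operator(s):
    """('{1}{0}' -f 'b', 'a') -> 'ab': put the arguments back in index order."""
    m = re.search(r"\(\s*'((?:\{\d+\})+)'\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)", s)
    if not m:
        return None
    args = re.findall(r"'([^']*)'", m.group(2))
    text = "".join(args[int(i)] for i in re.findall(r"\{(\d+)\}", m.group(1)))
    return s[:m.start()] + _quote(text) + s[m.end():], "resolved -f format operator"


def _rule_char_codes(s):
    """[char]104+[char]105 -> 'hi'."""
    m = re.search(r"\[char\]\s*\d+(?:\s*\+\s*\[char\]\s*\d+)*", s, re.IGNORECASE)
    if not m:
        return None
    text = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
    return s[:m.start()] + _quote(text) + s[m.end():], "converted [char] codes to a literal"


def _rule_concat(s):
    """'ab' + 'cd' -> 'abcd' (adjacent literals only)."""
    m = re.search(r"'([^']*)'\s*\+\s*'([^']*)'", s)
    if not m:
        return None
    return s[:m.start()] + _quote(m.group(1) + m.group(2)) + s[m.end():], "joined string concatenation"


def _rule_parens(s):
    """('x') -> 'x'."""
    m = re.search(r"\(\s*('[^']*')\s*\)", s)
    if not m:
        return None
    return s[:m.start()] + m.group(1) + s[m.end():], "removed redundant parentheses"


def _rule_iex(s):
    """IEX 'code' as the whole script: the string literal is the next stage."""
    m = re.fullmatch(r"\s*(?:iex|invoke-expression)\s*'(.*)'\s*", s, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    return _unquote(m.group(1)), "unwrapped Invoke-Expression: inner string is the next stage"


RULES = [_rule_encoded_command, _rule_from_base64, _rule_format_operator,
         _rule_char_codes, _rule_concat, _rule_parens, _rule_iex]


def deobfuscate(script, max_steps=50):
    """Return (final_script, steps); steps is a list of (description, script_after_step)."""
    steps, cur = [], script
    for _ in range(max_steps):  # bounded: a layer that rewrites to itself must not spin forever
        for rule in RULES:
            result = rule(cur)
            if result is not None:
                cur, what = result
                steps.append((what, cur))
                break
        else:
            return cur, steps
    return cur, steps


def encode_command(script):
    """Build the -EncodedCommand form (base64 of UTF-16LE), as attackers and admins both do."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample (not from the paper): a harmless command under three layers.
STAGE2 = "IEX (('{1}{0}' -f 'Output ', 'Write-') + ([char]104+[char]105))"
SAMPLE = "powershell.exe -NoP -W Hidden -enc " + encode_command(STAGE2)

if __name__ == "__main__":
    final, steps = deobfuscate(SAMPLE)
    for i, (what, text) in enumerate(steps, 1):
        print(f"step {i}: {what}\n    {text}")
    print("final:", final)
```

    Running the block prints seven steps ending in `Write-Output hi`. The point the step list makes is the one the abstract makes: an Invoke-Expression wrapper is not the end of analysis but the start of the next stage. Static rules like these miss strings that are only assembled at run time, which is why the abstract's instrumentation approach, intercepting the script as it executes, is needed alongside them.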

    Population fluctuation model of the fruit flies Ceratitis capitata (Wiedemann 1824) and Anastrepha spp. (Diptera: Tephritidae) on two routes in the municipality of Caranavi, Bolivia (original title: Modelo de fluctuación poblacional de moscas de la fruta Ceratitis capitata (Wiedemann 1824) y Anastrepha spp (Díptera: Tephritidae) en dos rutas en el municipio de Caranavi, Bolivia)

    Get PDF
    The institutions responsible for plant health in Bolivia propose a field trapping methodology to establish the population fluctuation of the fruit fly and to carry out control activities. PROMOSCA, a national programme under SENASAG, monitored the population fluctuation of this pest for 3 years on two routes in the municipality of Caranavi, department of La Paz. The present investigation used the field data, the trapping methodology, and environmental and biological-cycle variables to determine population fluctuation models for Ceratitis capitata and the Anastrepha spp. complex, based on Generalized Linear Mixed Models (GLMM; MLGM in the original), which will serve PROMOSCA and SENASAG in controlling the fruit fly in the Caranavi area. The minimum adequate model for C. capitata has AIC and BIC values of 200.13 and 228.15 respectively, and a D2 value of 21.53. For the Anastrepha spp. complex, the model has AIC and BIC values of 256.07 and 288.30 respectively, and a D2 value of 43.91; both models are in an acceptable range. There is a correlation between climate, host fruit trees and the population fluctuation of the pest. C. capitata reaches its maximum population in August, during the dry season and the ripening of citrus, while Anastrepha spp. peaks in December, coinciding with high temperatures and the ripening of mangoes, mangas, avocados and oranges. Evapotranspiration is the main environmental variable for C. capitata, and precipitation for the genus Anastrepha. No covariate related to the biological cycle intervenes in the population fluctuation. Validation of the two models showed that the projected data and those obtained in the field are directly correlated. An increase of 0.5% in evapotranspiration (for C. capitata) or in precipitation (for the Anastrepha spp. complex) causes an increase of up to 300% in the pest population.

    Deploying the ETCS protocol in a hybrid simulation environment using the System-in-the-loop tool (original title: ETCS protokoloaren hedatzea simulazio hibridodun ingurune batean System-in-the-loop erreminta erabiliz)

    No full text
    The European Rail Traffic Management System (ERTMS), a unified signalling system, is currently being deployed across Europe to promote interoperability between the different railway networks. The aim of this project is to deploy the ETCS protocol of the ERTMS system in a hybrid simulation environment, creating demonstrators that will speed up the deployment of ERTMS. For this purpose the System-in-the-loop (SITL) tool of the OPNET simulator was used. Using this tool, a function library was written to integrate real ETCS packets into the simulated environment. Finally, using that library, the performance of the ETCS protocol under network problems was analysed, as was the performance of the new library when translating real packets into simulated ones and vice versa.

    Modulation of Antigen Display on PapMV Nanoparticles Influences Its Immunogenicity

    No full text
    Background: The papaya mosaic virus (PapMV) vaccine platform is a rod-shaped nanoparticle made of the recombinant PapMV coat protein (CP) self-assembled around a noncoding single-stranded RNA (ssRNA) template. The PapMV nanoparticle induces innate immunity through stimulation of Toll-like receptors (TLR) 7 and 8. The display of the vaccine antigen at the surface of the nanoparticle, associated with the co-stimulation signal via TLR7/8, ensures a strong stimulation of the immune response, which is ideal for the development of candidate vaccines. In this study, we assess the impact of where the peptide antigen is fused, whether at the surface or at the extremities of the nanoparticles, on the immune response directed to that antigen. Methods: Two different peptides from influenza A virus were used as model antigens. The conserved M2e peptide, derived from matrix protein 2, was chosen as the B-cell epitope, and a peptide derived from the nucleocapsid was chosen as the cytotoxic T lymphocyte (CTL) epitope. These peptides were coupled at two different positions on the PapMV CP, the N-terminus (PapMV-N) or the C-terminus (PapMV-C), using the transpeptidase activity of Sortase A (SrtA). The immune responses, both humoral and CD8+ T-cell-mediated, directed to the peptide antigens in the two different fusion contexts were analyzed and compared. The impact of coupling density at the surface of the nanoparticle was also investigated. Conclusions: The results demonstrate that coupling of the peptide antigens at the N-terminus (PapMV-N) of the PapMV CP led to an enhanced immune response to the coupled peptide antigens as compared to coupling at the C-terminus. The difference between the two vaccine platforms is linked to the enhanced capacity of the PapMV-N vaccine platform to stimulate TLR7/8. We also demonstrated that the strength of the immune response increases with the density of coupling at the surface of the nanoparticles.